On Mon, 29 Sep 2014, john wrote:
> So I am confused. I think what I am reading here is that if you applied
> the latest patches to bash [3] you are not vulnerable to CVE-2014-6277.
> CVE-2014-6278. Running the test outlined on Icamtuf.blogspot.co.nz [4]
> seemed to confirm that.

AFAIK, we are still vulnerable to CVE-2014-6277 and CVE-2014-6278, but not through any interesting attack vectors: Debian included the RedHat change that moves the functions to the BASH_FUNC_<name>() namespace in the DSA-3035 fix.

However, should someone find a way to inject BASH_FUNC_foo()='<whatever triggers these undisclosed bugs>' into the environment, the attack is going to succeed. To thwart that, we have to wait until the embargo is lifted and the real fix for CVE-2014-6277 and CVE-2014-6278 gets uploaded/published.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: https://lists.debian.org/20140929174102.ga6...@khazad-dum.debian.net
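
An added example, not part of the original message or of any Debian or bash code: a wrapper-side filter that drops environment entries bash could treat as exported functions before a shell is started, which covers the remaining BASH_FUNC_<name>() injection path the message describes. The function name `scrub_env` and the sample environment are assumptions constructed for illustration; the `%%` suffix is the form later upstream bash releases use and is not mentioned in the message.

```python
import re

# Names bash imports as functions after the namespace change.
# "BASH_FUNC_<name>()" is the form named in the message above;
# "BASH_FUNC_<name>%%" is the suffix later upstream releases use (assumption
# relative to this page, included so the filter covers both).
FUNC_NAME = re.compile(r"^BASH_FUNC_.+(\(\)|%%)$")

# Unpatched bash parsed any variable whose value began with "() {".
# The pattern is deliberately a little broader (optional whitespace).
LEGACY_VALUE = re.compile(r"^\(\)\s*\{")


def scrub_env(env):
    """Return (clean_env, dropped_names) for a mapping of name -> value.

    An entry is dropped if its name is in the function namespace or its
    value looks like a legacy function export.
    """
    clean, dropped = {}, []
    for name, value in env.items():
        if FUNC_NAME.match(name) or LEGACY_VALUE.match(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


# Constructed sample environment (not taken from any real system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "() { return 0; }",   # legacy-style value
    "BASH_FUNC_foo()": "() { return 0; }",   # namespace form from the message
    "BASH_FUNC_bar%%": "() { return 0; }",   # later upstream form
    "BASH_FUNC_NOTE": "plain text",          # prefix only, no suffix: kept
}

if __name__ == "__main__":
    clean, dropped = scrub_env(SAMPLE_ENV)
    print("dropped:", dropped)
    print("kept:   ", sorted(clean))
    # A caller would then pass `clean` as env= to subprocess.run(...).
```

Logging the dropped names rather than discarding them silently gives a detection signal: a remotely supplied variable in the BASH_FUNC_ namespace has no legitimate source in a request handler.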