2014-11-17 08:49:59 -0500, Greg Wooledge:
[...]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
> REAL bug. This is the root cause of all the remote exploitation
> badness. The patches which fix this problem fix remote exploitation
> of ALL the dumb parser bugs by closing of
On Mon, Nov 17, 2014 at 04:22:53PM +, Stephane Chazelas wrote:
> The real bug doesn't have a CVE attached to it because it's not
> a vulnerability or bug. It was "allowing the bash parser to be
> exposed to untrusted data", more a very unsafe design that was
> allowing any minor bug to turn int
On Mon, Nov 17, 2014 at 04:30:07PM +0800, Jack wrote:
> As in the title, what is the difference between CVE-2014-7187 and CVE-2014-6278?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 says
"Off-by-one error in the read_token_word function in parse.y"
So it's just another dumb p
As in the title, what is the difference between CVE-2014-7187 and CVE-2014-6278?
In CVE-2014-7187
<http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00140.html> says,
the test case is probe='() { echo vulnerable; }' bash -c probe
but in Shellshocker <https://shellshocker.net/#system