Re: CVE-2014-7187 and CVE-2014-6278
From: Greg Wooledge
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 08:49:59 -0500
User-agent: Mutt/1.4.2.3i

On Mon, Nov 17, 2014 at 04:30:07PM +0800, Jack wrote:
> As title, what difference between CVE-2014-7187 and CVE-2014-6278 ?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 says
"Off-by-one error in the read_token_word function in parse.y"

So it's just another dumb parser bug, nothing to do with remote
exploitation really.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
REAL bug. This is the root cause of all the remote exploitation
badness. The patches which fix this problem fix remote exploitation
of ALL the dumb parser bugs by closing off the attack vector.