Re: CVE-2014-7187 and CVE-2014-6278
From: Greg Wooledge
Subject: Re: CVE-2014-7187 and CVE-2014-6278
Date: Mon, 17 Nov 2014 11:53:08 -0500
User-agent: Mutt/1.4.2.3i
On Mon, Nov 17, 2014 at 04:22:53PM +0000, Stephane Chazelas wrote:
> The real bug doesn't have a CVE attached to it because it's not
> a vulnerability or bug. It was "allowing the bash parser to be
> exposed to untrusted data", more a very unsafe design that was
> allowing any minor bug to turn into serious vulnerabilities.
Apparently I'm not very good at reading the vague, cryptic wording
in these CVE reports.
What I was trying to say originally was the same thing that you said;
namely, that the real fix to all this mess is bash43-027 which changes
the implementation of exported functions from foo='...' to
BASH_FUNC_foo%%='...'.
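The following script is an added example, not part of the mailing-list post. It shows the difference the post attributes to bash43-027: a pre-patch bash exports a function as an ordinary variable whose value begins with `() {` (any environment variable shaped like that reached the parser), while a patched bash puts it under a namespaced name of the form `BASH_FUNC_name%%`. The `classify_env_line` and `count_exported_functions` helpers, the `probe_fn` function, and the sample lines are all constructed for this example; the helpers inspect `NAME=value` text only, so they run in any POSIX shell, and the live probe with `export -f` runs only when the interpreter is bash.

```shell
#!/bin/sh
# Added example (not from the original post): tell how the running bash
# encodes exported functions in the environment.
#   pre-bash43-027:  foo=() {  ...            (bare variable name)
#   bash43-027+:     BASH_FUNC_foo%%=() {  ... (namespaced variable name)

# classify_env_line LINE
#   LINE is one "NAME=value" line as printed by env. Prints "namespaced"
#   for BASH_FUNC_name%%=() {..., "bare" for name=() {..., and "other"
#   for any ordinary variable. Names/values are assumptions of this example.
classify_env_line() {
    _name=${1%%=*}    # text before the first '='
    _value=${1#*=}    # text after the first '='
    case $_value in
        '() {'*) ;;                    # value shaped like an exported function
        *) echo other; return 0 ;;     # ordinary variable (or a body line)
    esac
    case $_name in
        BASH_FUNC_*%%) echo namespaced ;;   # bash43-027 encoding
        *)             echo bare ;;         # old encoding: value reaches parser
    esac
}

# count_exported_functions
#   Scans the current environment and prints "<namespaced> <bare>".
#   Continuation lines of multi-line function bodies do not start with
#   "NAME=() {" and therefore classify as "other" and are ignored.
count_exported_functions() {
    _ns=0
    _bare=0
    while IFS= read -r _line; do
        case $(classify_env_line "$_line") in
            namespaced) _ns=$((_ns + 1)) ;;
            bare)       _bare=$((_bare + 1)) ;;
        esac
    done <<EOF
$(env)
EOF
    echo "$_ns $_bare"
}

# Live probe: only bash can export functions, so skip this under plain sh.
if [ -n "$BASH_VERSION" ]; then
    probe_fn() { echo probe; }
    export -f probe_fn
    echo "exported functions in this bash (namespaced bare): $(count_exported_functions)"
fi
```

Run the script with the bash you want to check; a non-zero second number means that bash still exports functions under bare variable names, i.e. without the bash43-027 change.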