CVE-2014-6277, CVE-2014-6278

[john <lists.john@gmail.com>]

Hi all,

I see there are two new CVE's for bash: CVE-2014-6277[1], CVE-2014-6278[2]. I note
that the security tracker shows all versions of debian as "vulnerable" however the Notes

section on 6277, 6278 shows:

"The underlying parser flaw has not yet been disclosed and might
still exist in latest released bash packages. However Florian
Weimer's variables-affix.patch patch applied in Debian prevents
exploitation of this issue by making bash only use environment
variables with specific names (BASH_FUNC_*()) to define functions
from its environment."

So I am confused. I think what I am reading here is that if you applied the latest patches to bash [3]

you are not vulnerable to CVE-2014-6277. CVE-2014-6278. Running the test outlined on Icamtuf.blogspot.co.nz [4] seemed to confirm that.

Any insights would be appreciated.

Thanks!

John

[1]https://security-tracker.debian.org/tracker/CVE-2014-6277
[2]https://security-tracker.debian.org/tracker/CVE-2014-6278
[3] e.g. for stable i386 bash ver: 4.2+dfsg-0.1+deb7u3
[4] http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html