2014-11-17 08:49:59 -0500, Greg Wooledge:
[...]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 is the
> REAL bug. This is the root cause of all the remote exploitation
> badness. The patches which fix this problem fix remote exploitation
> of ALL the dumb parser bugs by closing off the attack vector.
[...]

The real bug doesn't have a CVE attached to it because it's not a vulnerability or bug. It was "allowing the bash parser to be exposed to untrusted data", more a very unsafe design that was allowing any minor bug to turn into serious vulnerabilities.

CVE-2014-6278 is one of those very minor bugs (probably the most minor of all, but also one of the most dangerous when the parser is exposed because it allows remote-code-execution like). Details are at http://lcamtuf.blogspot.co.uk/2014/10/bash-bug-how-we-finally-cracked.html

The very minor bug has been fixed. But it has been fixed (and revealed) after the "real (non-)bug" (the exposing of the parser to untrusted input) has been fixed, so it is *only* a very minor bug now.

Some more details at https://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495

-- 
Stephane
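
The following is an added illustration, not part of either message and not bash's own code. It sketches what "exposing the parser to untrusted data" means in terms of environment entries, assuming that unpatched bash tries to import a function from any variable whose value starts with `() {`, while patched upstream bash only does so for names of the form `BASH_FUNC_<name>%%`. The function names and the sample environment are constructed for this example.

```shell
#!/bin/sh
# Classify NAME=VALUE environment entries by whether bash's function
# importer would hand the value to the parser.
# Assumption: "legacy" = any name qualifies; "patched" = only BASH_FUNC_<name>%%.

# reaches_parser MODE ENTRY -> exit status 0 if ENTRY's value would be parsed
reaches_parser() {
    rp_mode=$1
    rp_name=${2%%=*}      # text before the first '='
    rp_value=${2#*=}      # text after the first '='
    case $rp_value in
        '() {'*) ;;       # looks like an exported function definition
        *) return 1 ;;    # ordinary string, never reaches the parser
    esac
    case $rp_mode in
        legacy) return 0 ;;
        patched)
            case $rp_name in
                BASH_FUNC_?*%%) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
    return 2              # unknown mode
}

# exposed_names MODE ENTRY... -> prints the names whose values reach the parser
exposed_names() {
    en_mode=$1; shift
    en_out=
    for en_entry in "$@"; do
        if reaches_parser "$en_mode" "$en_entry"; then
            en_out="${en_out}${en_out:+ }${en_entry%%=*}"
        fi
    done
    printf '%s\n' "$en_out"
}

# Constructed sample: a CGI-style environment in which HTTP_USER_AGENT is
# copied from a client-supplied request header.
set -- 'HTTP_USER_AGENT=() { :; }' 'BASH_FUNC_greet%%=() { echo hi; }' 'PATH=/usr/bin'
echo "legacy:  $(exposed_names legacy "$@")"
echo "patched: $(exposed_names patched "$@")"
```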