Parsing bug of the week
September 25, 2014  

It’s getting easier to identify these, because people are actually starting to call bugs in parsers “parsing bugs”, instead of just bugs involving “maliciously crafted inputs” and so on.

This time we have a bug involving parsing in bash (CVE-2014-6271 and CVE-2014-7169). Briefly, bash evaluates environment variables that look like (parse like) function definitions. Unfortunately, it parses more than just function definitions.
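As an added example (not code from the original post or from bash), this Python sketch shows the check a strict parser would make: accept a value that is a function definition and flag anything that follows the closing brace. The names `classify`, `audit` and `SAMPLE_ENV` are hypothetical, the sample values are constructed, and the brace matching is simplified (quoting inside the body is ignored).

```python
# Added example (not from the original post): classify environment values the
# way a strict parser would, accepting a function definition and nothing more.
FUNC_PREFIX = "() {"  # prefix bash used to recognise an exported function


def classify(value):
    """Return 'plain', 'function', 'trailing' or 'malformed' for one value.

    Assumption: simplified brace matching that ignores quoting, comments and
    here-documents inside the body, so braces inside strings are miscounted.
    """
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Anything after the body is data a strict parser must reject.
                rest = value[i + 1:].strip(" \t\n;")
                return "trailing" if rest else "function"
    return "malformed"  # the body never closed


def audit(environ):
    """Return {name: verdict} for every variable that is not 'plain'."""
    verdicts = {name: classify(value) for name, value in environ.items()}
    return {name: v for name, v in verdicts.items() if v != "plain"}


# Constructed sample environment; names and values are illustrative only.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() { echo hello; }",
    "UNTRUSTED_FIELD_A": "() { :; }; echo constructed-marker",
    "UNTRUSTED_FIELD_B": "() { echo unterminated",
    "NOTE": "call f() { } later",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENV).items():
        print(f"{name}: {verdict}")
```
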

<sarcasm> Apparently this bug is “worse than Heartbleed”, which was an 11 on a scale of 1–10. So I guess it’s a 12? And we should all change all of our passwords? And we should give it a logo and a fancy name (“Shellshock”)? </sarcasm>

Bonus bug: a bug in signature-checking in Firefox “due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.”
