oss-sec mailing list archives
Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow
From: Simon McVittie <smcv () debian org>
Date: Mon, 06 Jul 2015 22:04:04 +0100
On 06/07/15 13:58, jean-marie.bourbon () armaturetech com wrote:
I discover it using bash who sent me a SIGKILL (no real crash) and closed my shell in certain circumstances: kmkz@kmkz:/tmp$ `perl -e '$i=0;while($i<= 500){print"DEAD"x10;}'` bash: xrealloc : ../bash/subst.c:5184 : impossible d'allouer 2097152 octets (4460544 octets alloués) So I wanted to try using my /bin/dash and... I had a local crash !
You told dash to interpret a command 2 gigabytes long, and it failed to do so; additionally, the failure was a crash, not a deterministic semi-graceful exit. That sounds like a bug. However, to be a security vulnerability rather than "just a bug", a buffer overflow is not enough; to be a security vulnerability, it would have to be an *attacker-triggerable* buffer overflow. Is there any circumstance under which an attacker - not you - can cause this to happen, other than via an arbitrary-code-execution vulnerability in some other component? (If you are already vulnerable to attacker-controlled arbitrary code execution, then dash crashing is the least of your worries.) S
Current thread:
- TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow jean-marie.bourbon () armaturetech com (Jul 06)
- Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow Adam D. Barratt (Jul 06)
- Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow Simon McVittie (Jul 06)
- Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow Jann Horn (Jul 09)