Vulnerability Development mailing list archives
bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and Debian
From: Davide Del Vecchio <security () phx it>
Date: Tue, 23 Jul 2002 22:50:03 +0200
GNU bash 2.05.0(1)-release/it.map.gz Slackware 8.0 default and Debian Stable local dos.
Synopsis:
Phoenix Sistemi Security Responsible has to notice that Bash version 2.05.0(1) (Slackware 8.0 default) and the Debian Stable one, with it.map.gz loaded, suffer from a silly bug which compromises the use of some characters.

Affected Versions:
GNU bash, version 2.05.0(1)-release (i386-slackware-linux-gnu) with it.map.gz loaded.
GNU bash Debian Stable with it.map.gz loaded.
Not tested on other versions.

Description:
Loading Unicode mapping table...
Loading /usr/share/kbd/keymaps/i386/qwerty/it.map.gz

Using a local user account and typing the ASCII code "1236" from the keypad, a user could compromise the use of the keyboard through a bash/it.map bug. In fact, the system bash will prompt a "#" every time the "£" button is pressed, and some other special characters ("ç" "°" "§" "é") can no longer be used.

Just think about a root password with one of these characters: root will have several problems logging in. Think also about a big system with hundreds of users that can no longer log in.

If the system is rebooted or the keymap reloaded, the problem will persist.

Solutions & Recommendations:
Install a different version of Bash or don't use the it keymap.

Credits:
Davide Del Vecchio would like to thank his company Phoenix Sistemi and the CED, especially Bartolomeo Bufi, Antonio Lapadula, Pasquale Minervini, Gianluca Nanoia and Michele Tumolo.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to: Davide Del Vecchio security () phoenixsistemi com of PhoeniX Sistemi. www.phoenixsistemi.com / www.phx.it