glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Roland Postle,

It  looks  to  be  the  only  correct  post  in this thread :) Yes, it's
definitely  bug  in  glibc, not in bash itself (same versions of bash on
libc systems like FreeBSD are not affected). Recurse call stack overflow
is  believed not to be exploitable to code execution, but since this bug
is  in  library it may be treated as security one as it may be exploited
remotely  (at  least  as  a DoS) in a case glob_filename is used in some
network service.

--Thursday, February 13, 2003, 8:34:36 PM, you wrote to vuln-dev () securityfocus com:

> > During some work, I noticed GNU bash could be crashed by sending a 
> > malformed perl request to the terminal.
> >
> >       example:        `perl -e 'print "*/*" x 3500'`
> >                       <bash crashes>

RP> It's a stack overflow, due to glob_filename (in glob.c) recursively
RP> calling itself while parsing the filename. So probably not exploitable.

RP> - Blazde



-- 
~/ZARAZA
Áðîñüòå ñòàðàòüñÿ - íè÷åãî èç ýòîãî íå âûéäåò. (Òâåí)