oss-sec mailing list archives
CVE Request: Overflow fix in bash 4.2 patch 33
From: Marcus Meissner <meissner () suse de>
Date: Wed, 11 Jul 2012 18:15:07 +0200
Hi,

the bash maintainer kindly mailed us and other vendors a notification of an overflow in the bash "test" builtin when "/dev/fd/..." filenames are used.

ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033

Reproducer:

    test -e /dev/fd/111111111111111111111111111111111

Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely also by -fstack-protector (not tested).

Goes all the way back to old bashes.

The likeliness of people able to inject those filenames into shell scripts and not being able to execute shellcode themselves is however slim. (setuid root shell scripts are not possible.)

Security (CVE) relevant scenario we thought of is breaking out of a restricted shell mode.

Ciao, Marcus
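An added example, not part of the original post or of bash itself: a small shell function that classifies a version string in `BASH_VERSION` format against the upstream patch level named above (bash 4.2 patch 33). The function name is hypothetical, the sample strings are constructed, and only the 4.2 series is judged because that is the only patch the post names.

```shell
#!/bin/sh
# bash42_033_status VERSION_STRING  (hypothetical helper, added example)
# Prints: patched | unpatched | unknown
# Input format follows BASH_VERSION, e.g. "4.2.24(1)-release":
#   major.minor.patchlevel(build)-status
bash42_033_status() {
    ver=$1
    # Require at least two dots so a patch level field is actually present.
    case $ver in
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}      # keep leading digits, drop "(1)-release"
    # Reject empty or non-numeric fields instead of guessing.
    for field in "$major" "$minor" "$patch"; do
        case $field in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Only 4.2 is covered: other series have their own patch numbering.
    if [ "$major" -eq 4 ] && [ "$minor" -eq 2 ]; then
        if [ "$patch" -ge 33 ]; then
            echo patched
        else
            echo unpatched
        fi
    else
        echo unknown
    fi
}

# Constructed sample strings, plus the running shell's version if it is bash.
for v in "4.2.24(1)-release" "4.2.33(1)-release" "4.1.5(1)-release" \
         ${BASH_VERSION:+"$BASH_VERSION"}; do
    printf '%s -> %s\n' "$v" "$(bash42_033_status "$v")"
done
```

The result reflects the upstream patch level only; a distribution package may carry the fix as a backport without changing the reported version, so the package changelog remains the authority there.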