oss-sec mailing list archives

Re: TR : CVE request for dash 0.5.7-3 x86-64 local buffer overflow


From: Simon McVittie <smcv () debian org>
Date: Mon, 06 Jul 2015 22:04:04 +0100

On 06/07/15 13:58, jean-marie.bourbon () armaturetech com wrote:
> I discovered it using bash, which sent me a SIGKILL (no real crash) and
> closed my shell in certain circumstances:
>
> kmkz@kmkz:/tmp$  `perl -e '$i=0;while($i<= 500){print"DEAD"x10;}'`
> bash: xrealloc : ../bash/subst.c:5184 : impossible d'allouer 2097152
> octets (4460544 octets alloués)
>
> So I wanted to try using my /bin/dash and... I had a local crash!

You told dash to interpret a command 2 gigabytes long, and it failed to
do so; additionally, the failure was a crash, not a deterministic
semi-graceful exit. That sounds like a bug.

However, to be a security vulnerability rather than "just a bug", a
buffer overflow is not enough; to be a security vulnerability, it would
have to be an *attacker-triggerable* buffer overflow.

Is there any circumstance under which an attacker - not you - can cause
this to happen, other than via an arbitrary-code-execution vulnerability
in some other component?

(If you are already vulnerable to attacker-controlled arbitrary code
execution, then dash crashing is the least of your worries.)

    S
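The distinction Simon draws above (bash reports the failed xrealloc and stops, dash crashes) comes down to whether the code that grows the command buffer checks the allocator's return value. The following is an added illustration, not code from dash, bash or anyone on this thread: a hypothetical growable string buffer whose append returns an error and leaves the old contents valid when reallocation fails, plus a pluggable allocator (`set_allocator`, `limited_realloc`, both invented here) so the failure path can be exercised without actually exhausting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (hypothetical) so tests can force the failure path. */
typedef void *(*realloc_fn)(void *, size_t);
static realloc_fn allocator = realloc;

void set_allocator(realloc_fn fn) { allocator = fn ? fn : realloc; }

/* Growable buffer standing in for a shell's command-substitution accumulator. */
typedef struct { char *data; size_t len; size_t cap; } strbuf;

/* Append n bytes. Returns 0 on success, -1 on failure; on failure the
 * buffer is unchanged, so the caller can report the error and exit cleanly
 * instead of dereferencing a NULL pointer. */
int strbuf_append(strbuf *sb, const char *src, size_t n) {
    if (n > SIZE_MAX - sb->len - 1) return -1;   /* size arithmetic would wrap */
    size_t need = sb->len + n + 1;               /* +1 for the NUL terminator */
    if (need > sb->cap) {
        size_t newcap = sb->cap ? sb->cap : 64;
        while (newcap < need) {
            if (newcap > SIZE_MAX / 2) { newcap = need; break; }
            newcap *= 2;
        }
        char *p = allocator(sb->data, newcap);
        if (p == NULL) return -1;                /* deterministic failure, old data intact */
        sb->data = p;
        sb->cap = newcap;
    }
    memcpy(sb->data + sb->len, src, n);
    sb->len += n;
    sb->data[sb->len] = '\0';
    return 0;
}

/* Simulated allocator that refuses any request above 4096 bytes. */
void *limited_realloc(void *p, size_t n) {
    return n > 4096 ? NULL : realloc(p, n);
}

/* Append "DEAD" (the string from the report) up to max_rounds times, stopping
 * at the first failed append. Returns how many appends succeeded. */
size_t fill_until_failure(strbuf *sb, size_t max_rounds) {
    size_t ok = 0;
    for (size_t i = 0; i < max_rounds; i++) {
        if (strbuf_append(sb, "DEAD", 4) != 0) break;
        ok++;
    }
    return ok;
}

int main(void) {
    strbuf sb = {0};
    set_allocator(limited_realloc);
    size_t ok = fill_until_failure(&sb, 100000);
    /* Mirrors bash's behaviour: report the failed allocation, keep going sanely. */
    fprintf(stderr, "xrealloc: cannot allocate more after %zu bytes (%zu appends)\n",
            sb.len, ok);
    free(sb.data);
    return 0;
}
```

With the 4096-byte limit the buffer grows 64, 128, ..., 4096 and the first append that would need 8192 bytes fails cleanly, leaving 1023 successful appends (4092 bytes) readable and NUL-terminated.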
