Date: Wed, 11 Jul 2012 18:15:07 +0200 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: CVE Request: Overflow fix in bash 4.2 patch 33 Hi, the bash maintainer kindly mailed us and other vendors a notification of a overflow in the bash "test" builtin when "/dev/fd/..." filenames are used. ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033 Reproducer: test -e /dev/fd/111111111111111111111111111111111 Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely also by -fstack-protector (not tested) Goes all the way back to old bashes. The likeliness of people able to inject those filenames into shell scripts and not being able to execute shellcode themselves is however slim. (setuid root shell scripts are not possible.) Security (CVE) relevant scenario we thought of is breaking out of a restricted shell mode. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ