Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Jul 2012 18:15:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: Overflow fix in bash 4.2 patch 33 

Hi,

the bash maintainer kindly mailed us and other vendors a notification of
a overflow in the bash "test" builtin when "/dev/fd/..." filenames are used.

ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033

Reproducer:
	test -e /dev/fd/111111111111111111111111111111111

Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely also
by -fstack-protector (not tested)

Goes all the way back to old bashes.

The likeliness of people able to inject those filenames into shell scripts
and not being able to execute shellcode themselves is however slim.
(setuid root shell scripts are not possible.)

Security (CVE) relevant scenario we thought of is breaking out of a
restricted shell mode.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ