Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 11 Jul 2012 18:15:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: Overflow fix in bash 4.2 patch 33 

Hi,

the bash maintainer kindly mailed us and other vendors a notification of
a overflow in the bash "test" builtin when "/dev/fd/..." filenames are used.

ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033

Reproducer:
	test -e /dev/fd/111111111111111111111111111111111

Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely also
by -fstack-protector (not tested)

Goes all the way back to old bashes.

The likeliness of people able to inject those filenames into shell scripts
and not being able to execute shellcode themselves is however slim.
(setuid root shell scripts are not possible.)

Security (CVE) relevant scenario we thought of is breaking out of a
restricted shell mode.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ