Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120711161507.GA10208@suse.de>
Date: Wed, 11 Jul 2012 18:15:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: Overflow fix in bash 4.2 patch 33 

Hi,

the bash maintainer kindly mailed us and other vendors a notification of
a overflow in the bash "test" builtin when "/dev/fd/..." filenames are used.

ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033

Reproducer:
	test -e /dev/fd/111111111111111111111111111111111

Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely also
by -fstack-protector (not tested)

Goes all the way back to old bashes.

The likeliness of people able to inject those filenames into shell scripts
and not being able to execute shellcode themselves is however slim.
(setuid root shell scripts are not possible.)

Security (CVE) relevant scenario we thought of is breaking out of a
restricted shell mode.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.