bug-bash

Re: bash buffer overflow in handling locale environment variables


From: Stephane Chazelas
Subject: Re: bash buffer overflow in handling locale environment variables
Date: Thu, 30 Apr 2015 21:45:13 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

2015-04-30 18:13:48 +0000, Trammell Hudson:
[...]
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters.  The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
> 
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this bug to cause malicious code execution.
> 
> 
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
[...]

Nice catch.

Note that it's not only \Uxxxxxxxx, also \uxxxx

sudo and many ssh deployments pass those values of LC_ALL along
unmodified, so it could be a problem for sudoers scripts (or
bashrcs for ssh like in git deployments) that use those \u\U
escape sequences.

-- 
Stephane
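
An added example, not part of the original message and not bash's own source: a simplified C model of the unbounded copy described in the quoted report, beside a length-checked form that rejects an oversized charset. The function names, `CHARSET_MAX` and the sample locale strings other than the Repeat-By value are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 40  /* buffer size named in the report */

/* Unbounded pattern (simplified model, never called here): the charset
   part is copied whatever its length, so 40+ characters overrun buf. */
const char *charset_unbounded(const char *locale)
{
    static char buf[CHARSET_MAX];
    const char *dot = strrchr(locale, '.');
    strcpy(buf, dot ? dot + 1 : locale);
    return buf;
}

/* Bounded form: 0 on success, -1 if the charset is missing or too long. */
int charset_bounded(const char *locale, char *out, size_t outlen)
{
    const char *start, *end;
    size_t n;

    if (locale == NULL || *locale == '\0' || outlen == 0)
        return -1;
    start = strrchr(locale, '.');
    start = start ? start + 1 : locale;
    end = strchr(start, '@');            /* drop an @modifier suffix */
    n = end ? (size_t)(end - start) : strlen(start);
    if (n >= outlen)                     /* need n bytes plus the NUL */
        return -1;                       /* reject, do not truncate */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second is the Repeat-By value from the report. */
    const char *samples[] = {
        "en_US.UTF-8",
        "foo.1234567890123456789012345678901234567890",
        "de_DE.ISO-8859-15@euro",
    };
    char out[CHARSET_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = charset_bounded(samples[i], out, sizeof out);
        printf("%-48s -> %s\n", samples[i], rc == 0 ? out : "(rejected)");
    }
    return 0;
}
```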


