2015-04-30 18:13:48 +0000, Trammell Hudson:
[...]
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters. The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
>
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this bug to cause malicious code execution.
>
>
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
[...]
Nice catch. Note that it's not only \Uxxxxxxxx, also \uxxxx. sudo and many ssh deployments pass those values of LC_ALL along unmodified, so it could be a problem for sudoers scripts (or bashrcs for ssh like in git deployments) that use those \u\U escape sequences. -- Stephane
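As an added C example (not bash's own code, and not part of this thread), the bounded-copy alternative to the strcpy()-into-a-40-byte-buffer pattern described in the report, plus the check a wrapper such as a sudoers or ssh launcher could apply to LC_ALL/LC_CTYPE values before passing them along. The function names `stub_charset_bounded` and `locale_value_is_safe`, and the way the charset part of a locale string is parsed, are assumptions made for this illustration; the 40-byte limit and the overlong sample value come from the report above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as the one named in the report. */
#define CHARSET_BUF 40

/* Hypothetical bounded replacement for the strcpy() pattern: copies the
 * charset portion of a locale value such as "en_US.UTF-8" into a caller
 * supplied buffer of bufsz bytes. Returns 1 on success, 0 if there is no
 * charset part or it would not fit together with the terminating NUL.
 * Refusing (rather than silently truncating) keeps the caller from
 * running with a charset name it never asked for. */
int stub_charset_bounded(const char *locale, char *buf, size_t bufsz) {
    const char *dot;
    size_t len;

    if (locale == NULL || buf == NULL || bufsz == 0)
        return 0;
    dot = strchr(locale, '.');
    if (dot == NULL)
        return 0;                 /* no ".charset" part present */
    dot++;
    /* Stop at an optional "@modifier" suffix, e.g. "de_DE.UTF-8@euro". */
    len = strcspn(dot, "@");
    if (len >= bufsz)
        return 0;                 /* would overflow: reject the value */
    memcpy(buf, dot, len);
    buf[len] = '\0';
    return 1;
}

/* Hypothetical pre-check for a wrapper that forwards LC_ALL/LC_CTYPE to a
 * program using a CHARSET_BUF-sized buffer: 1 if the value is safe to
 * pass along, 0 if its charset portion is too long. */
int locale_value_is_safe(const char *value) {
    char tmp[CHARSET_BUF];

    if (value == NULL)
        return 1;                 /* unset is fine */
    if (strchr(value, '.') == NULL)
        return 1;                 /* nothing would be copied */
    return stub_charset_bounded(value, tmp, sizeof tmp);
}

int main(void) {
    char buf[CHARSET_BUF];
    const char *ok = "en_US.UTF-8";
    /* Constructed from the Repeat-By line above: 40 digits after the dot,
     * which needs 41 bytes including the NUL. */
    const char *bad = "foo.1234567890123456789012345678901234567890";

    printf("%s -> %s\n", ok,
           stub_charset_bounded(ok, buf, sizeof buf) ? buf : "(rejected)");
    printf("%s -> %s\n", bad,
           stub_charset_bounded(bad, buf, sizeof buf) ? buf : "(rejected)");
    return 0;
}
```

The check only rejects values whose charset part cannot fit; a 39-character charset still passes, because 39 bytes plus the NUL exactly fill the 40-byte buffer.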