On 4/30/15 2:13 PM, Trammell Hudson wrote:
> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
>
> Description:
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters. The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
>
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this bug to cause malicious code execution.
>
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
>
> ./bash: warning: setlocale: LC_ALL: cannot change locale
> (foo.1234567890123456789012345678901234567890)
> *** buffer overflow detected ***: ./bash terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f4d49ad3b87]
> /lib/libc.so.6[0x7f4d49ad2b30]
> ./bash(u32cconv+0x22e)[0x49b9ae]
> ./bash(ansicstr+0x53b)[0x49991b]
> ./bash(echo_builtin+0xc3)[0x47d1d3]
> ./bash[0x436ac3]
> ./bash[0x43abfc]
> ./bash[0x43be5b]
> ./bash(execute_command_internal+0xca0)[0x4384f0]
> ./bash(parse_and_execute+0x36b)[0x47ecab]
> ./bash[0x423004]
> ./bash(main+0xa22)[0x424022]
> /lib/libc.so.6(__libc_start_main+0xfd)[0x7f4d499faabd]
> ./bash[0x4224c9]
>
> Fix:
> Use strncpy() in place of strcpy() in lib/sh/unicode.c:
>
> --- /tmp/bash-4.3.30/lib/sh/unicode.c 2014-01-30 21:47:19.000000000 +0000
> +++ ./bash-4.3.30/lib/sh/unicode.c 2015-04-30 18:03:42.300340729 +0000
> @@ -78,7 +78,8 @@
> s = strrchr (locale, '.');
> if (s)
> {
> - strcpy (charsetbuf, s+1);
> + strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);
> + charsetbuf[sizeof(charsetbuf)-1] = '\0';
> t = strchr (charsetbuf, '@');
> if (t)
> *t = 0;
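Review bot: the bounded copy in `+ strncpy (charsetbuf, s+1, sizeof(charsetbuf)-1);` together with the explicit terminator on the next added line does stop the write past the end of charsetbuf, but an over-long charset name is now silently cut to 39 characters and handed on as if it were a valid name; since the value comes straight from the environment (LC_ALL/LC_CTYPE), consider measuring the name first and treating anything that does not fit as "no charset" (the same path taken when there is no '.'), so a malformed locale cannot yield a bogus partial name. The `sizeof(charsetbuf)` idiom also depends on charsetbuf being a true array in this scope, which the context lines do not show; a one-line comment at the declaration would keep a later refactor to a pointer from reintroducing the bug.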
Thanks for the report; this is a good fix.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates

Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
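As an added illustration, not bash's own code, here is the charset-extraction step the report describes, with the unbounded copy beside a bounded version that rejects an over-long name instead of truncating it. The 40-byte buffer size is taken from the report; the "default" fallback name and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define CHARSET_BUF 40     /* from the report: a 40-byte static buffer for the charset */
#define FALLBACK "default" /* assumed fallback; bash's real no-charset value is not on the page */

/* Shape of the logic the report describes: everything after the last '.'
 * is strcpy()'d into a fixed buffer, so a locale like "foo.<40 chars>" runs
 * past the end of charsetbuf. Kept only for side-by-side comparison; call
 * it only with inputs known to fit. */
static const char *charset_unbounded(const char *locale)
{
  static char charsetbuf[CHARSET_BUF];
  const char *s = strrchr(locale, '.');
  char *t;
  if (s == NULL)
    return FALLBACK;
  strcpy(charsetbuf, s + 1);
  t = strchr(charsetbuf, '@');
  if (t)
    *t = 0;
  return charsetbuf;
}

/* Hardened version: measure the charset name first (it ends at '@' or NUL),
 * refuse anything that would not fit instead of silently truncating it,
 * then copy with an explicit length and terminator. */
static const char *charset_bounded(const char *locale)
{
  static char charsetbuf[CHARSET_BUF];
  const char *s = strrchr(locale, '.');
  size_t n;
  if (s == NULL)
    return FALLBACK;
  s++;
  n = strcspn(s, "@");
  if (n == 0 || n >= sizeof charsetbuf)
    return FALLBACK;   /* over-long or empty: no charset, not a partial name */
  memcpy(charsetbuf, s, n);
  charsetbuf[n] = '\0';
  return charsetbuf;
}

int main(void)
{
  printf("%s\n", charset_bounded("en_US.UTF-8@euro"));                              /* UTF-8 */
  printf("%s\n", charset_bounded("foo.1234567890123456789012345678901234567890")); /* default */
  return 0;
}
```

The second call uses the exact LC_ALL value from the Repeat-By section; the bounded routine returns the fallback rather than writing past the buffer.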