On 4/30/15 6:08 PM, Trammell Hudson wrote:
> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
>
>
> Description:
> The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> in jobs.c are copied to a statically allocated buffer. A user could set the
> LANGUAGE variable to point to a malicious translation file that has
> translations that are longer than 64 bytes for these strings to create
> a buffer overflow.
>
> Since LANGUAGE is passed unchanged by sudo this might be usable for
> privilege escalation.
>
>
> Repeat-By:
> Create a .po file with a bogus translation:
>
> #: jobs.c:1464 jobs.c:1489
> msgid "Done"
> msgstr "Klaar
> 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
>
> And start an interactive shell that puts a command into the background:
>
> LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
> $ sleep 1 &
> [1] 14464
> $ sleep 2
> [1]+ Klaar
> 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
> sleep
> 1
> $
>
> In this case the fortify tool did not detect the buffer overflow,
> but the variables after retcode_name_buffer were overwritten.
>
>
> Fix:
> Change jobs.c to use strncpy and snprintf:
Thanks for the report.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
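The overflow pattern described in the quoted report, as an added example that is not bash's jobs.c and not code from the report or its author: a 64-byte buffer, a stand-in for gettext() that hands back the oversized "Klaar ..." msgstr from the report's .po file, and the unbounded copy beside a bounded snprintf copy that tells the caller when the translation was truncated. RETCODE_NAME_BUFSIZE, fake_gettext, copy_translation_unsafe, copy_translation_safe, translation_fits and format_exit_safe are names assumed for this example; the translation table is constructed here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, matching the 64-byte limit the report describes.
   The name echoes retcode_name_buffer from the report; this is a model of
   the pattern, not bash's own code. */
#define RETCODE_NAME_BUFSIZE 64

/* Constructed stand-in for gettext(). Only "Done" is "translated", and its
   translation is the oversized msgstr from the report's malicious .po file:
   "Klaar " followed by 90 digits, 96 bytes in all, so it cannot fit. */
static const char *fake_gettext(const char *msgid)
{
    if (strcmp(msgid, "Done") == 0)
        return "Klaar "
               "123456789012345678901234567890"
               "123456789012345678901234567890"
               "123456789012345678901234567890";
    return msgid;   /* untranslated, like a msgid missing from the catalogue */
}

/* The vulnerable pattern: copy the translation with no bound at all.
   With the "Done" translation above this would write 33 bytes past the end
   of a 64-byte buffer, so this example never calls it on that input. */
static void copy_translation_unsafe(char *buf, const char *msgid)
{
    strcpy(buf, fake_gettext(msgid));   /* no length check: this is the bug */
}

/* Hardened replacement: bounded copy that always NUL-terminates, and the
   caller learns whether the translation was cut instead of silently
   overrunning whatever sits after the buffer. */
static bool copy_translation_safe(char *buf, size_t bufsize, const char *msgid)
{
    int n = snprintf(buf, bufsize, "%s", fake_gettext(msgid));
    return n >= 0 && (size_t)n < bufsize;   /* false: truncated */
}

/* The check the unbounded copy never made: does the translation, plus its
   terminating NUL, fit in the buffer? */
static bool translation_fits(const char *msgid, size_t bufsize)
{
    return strlen(fake_gettext(msgid)) < bufsize;
}

/* Same idea for the "Exit %d" message, where the translation is used as the
   format string with the exit status as its argument. snprintf bounds the
   output; it does not make a hostile format string safe, it only keeps the
   buffer from being overrun. */
static bool format_exit_safe(char *buf, size_t bufsize, int code)
{
    int n = snprintf(buf, bufsize, fake_gettext("Exit %d"), code);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char buf[RETCODE_NAME_BUFSIZE];

    printf("\"Done\" translation fits in %d bytes: %s\n", RETCODE_NAME_BUFSIZE,
           translation_fits("Done", sizeof buf) ? "yes" : "no");

    bool complete = copy_translation_safe(buf, sizeof buf, "Done");
    printf("bounded copy: %s, %zu bytes kept: %s\n",
           complete ? "complete" : "truncated", strlen(buf), buf);

    format_exit_safe(buf, sizeof buf, 1);
    printf("exit message: %s\n", buf);
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`; the unsafe function exists only to show the shape of the bug and is deliberately never run on the malicious entry, since that overrun is undefined behaviour. One caveat on the report's own fix suggestion: strncpy does not NUL-terminate when the source is at least as long as the bound, so a strncpy-based version still needs an explicit `buf[bufsize - 1] = '\0'` (or the snprintf form used here) before the buffer is treated as a string.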