On 30/04/15 23:08, Trammell Hudson wrote:
> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
> -DCONF_VENDOR='unknown' -DLOCALEDIR='/tmp/local/share/locale'
> -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I.. -I../include -I../lib
> -g -O2
> uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9
> 03:28:16 GMT 2014 x86_64 GNU/Linux
> Machine Type: x86_64-unknown-linux-gnu
>
> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
>
>
> Description:
> The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> in jobs.c are copied to a static allocated buffer. A user could set the
> LANGUAGE variable to point to a malicious translation file that has
> translations that are longer than 64-bytes for these strings to create
> a buffer overflow.
>
> Since LANGUAGE is passed unchanged by sudo this might be usable for
> privilege escalation.
>
>
> Repeat-By:
> Create a .po file with a bogus translation:
>
> #: jobs.c:1464 jobs.c:1489
> msgid "Done"
> msgstr "Klaar
> 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
>
> And start an interactive shell that puts a command into the background:
>
> LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
> $ sleep 1 &
> [1] 14464
> $ sleep 2
> [1]+ Klaar
> 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
> sleep
> 1

How does one override the system translation? I thought gettext only looks in the dir passed to bindtextdomain()?
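
The bug class in the quoted report (a catalog-supplied string copied into a fixed 64-byte buffer) next to a bounded alternative, as an added example that is not code from this thread or from bash. `lookup_translation`, `copy_status` and the sample catalog entries are constructed stand-ins for gettext() and the job-status code.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_BUF 64  /* buffer size named in the report */

/* Constructed stand-in for gettext(): one oversized and one normal
 * catalog entry. Hypothetical helper, not a libintl or bash function. */
static const char *lookup_translation(const char *msgid)
{
    if (strcmp(msgid, "Done") == 0)
        return "Klaar 12345678901234567890123456789012345678901234567890"
               "1234567890123456789012345678901234567890";
    if (strcmp(msgid, "Running") == 0)
        return "Bezig";
    return msgid;  /* no translation: gettext returns the msgid itself */
}

/* Unsafe pattern the report describes (shown only as a comment):
 *     static char buf[STATUS_BUF];
 *     strcpy(buf, gettext("Done"));    // length is set by the catalog
 *
 * Bounded version: copy the translation only if it fits, otherwise fall
 * back to the untranslated msgid, truncating that if it must.
 * Returns 0 = translation used, 1 = fell back to msgid, -1 = truncated. */
static int copy_status(char *dst, size_t dstlen, const char *msgid)
{
    const char *t = lookup_translation(msgid);
    if (dstlen == 0)
        return -1;
    if (strlen(t) < dstlen) {
        memcpy(dst, t, strlen(t) + 1);
        return 0;
    }
    if (strlen(msgid) < dstlen) {
        memcpy(dst, msgid, strlen(msgid) + 1);
        return 1;
    }
    snprintf(dst, dstlen, "%s", msgid);  /* always NUL-terminated */
    return -1;
}

int main(void)
{
    char buf[STATUS_BUF];
    int rc = copy_status(buf, sizeof buf, "Done");
    printf("rc=%d status=\"%s\"\n", rc, buf);
    return 0;
}
```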