Dear Bash maintainers,

I recently reported a NULL-pointer dereference issue (leading to a 
segmentation fault) in Bash 5.2. Thank you for confirming the bug and working on 
a fix.
Could you clarify whether a CVE will be assigned for this vulnerability? If so, 
would you like me to request one through MITRE or another CNA, or will the Bash 
team handle the CVE assignment?
For reference, I believe this qualifies for a CVE because:
 * It is a reproducible crash (DoS) in a security-sensitive component (command 
   interpreter).
 
Let me know if you need additional details. I’m happy to assist with the 
process or adjust disclosure timelines as needed.

Best regards,
Aleksander Ushakov

Thursday, May 01, 2025 18:54 MSK, Chet Ramey <chet.ra...@case.edu> wrote:

 
On 5/1/25 11:30 AM, Grisha Levit wrote:

> After fix pushed today, can be simplified to:
> 
> ./bash -n <<< 'f["$$(] f["$$(y=("("]'
> 
> ERROR: AddressSanitizer: SEGV on unknown address 0x0000ffffffff

I'll push a fix before I leave for vacation Sunday.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
 



 
