On Wed, 14 May 2025, 11:14 Александр Ушаков, <ausha...@astralinux.ru> wrote:

> For reference, I believe this qualifies for a CVE because:
>  * It is a reproducible crash (DoS) in a security-sensitive component
> (command interpreter).
>

By this logic, there should be a CVE for gcc because when you give it « int
main (){ *(int*)0 = 42; } » and run the resulting binary, it crashes.

Both gcc and bash rightfully assume that an attacker cannot control their
inputs, the programs they are expected to compile and/or run. If an
attacker can control what bash attempts to parse, you have much worse
security problems than Bash crashing.

That's not to say this isn't a bug in Bash, but it does not degrade system
security, because the only way to exploit it is if your system is already
compromised, so that an attacker can feed input to the shell parser.

As for the specific use of « bash -n » to perform validation on untrusted
input, SIGSEGV will result in a non-zero status, which will correctly be
interpreted as a validation failure.

-Martin
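
The point above about « bash -n » as a validator, as an added example that is not part of the original message: a small POSIX shell wrapper that runs `bash -n` on a file, treats any non-zero exit as a validation failure, and separately flags the case where the parser died on a signal (a shell reports a child killed by signal N as exit status 128+N, so SIGSEGV shows up as 139), so that a crash can be logged as a bug rather than silently lumped in with ordinary syntax errors. The function names and the two sample scripts are constructed for this demonstration; it assumes `bash` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): use `bash -n` as a syntax validator,
# fail on any non-zero status, and tell a signal death apart from a syntax error.

# classify_status STATUS -> prints one of: ok, syntax-error, crashed
# Status 0: parsed cleanly. 1..128: bash reported an error (syntax errors are 2).
# Above 128: the process was killed by signal (STATUS - 128), e.g. 139 = SIGSEGV.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo crashed
    else
        echo syntax-error
    fi
}

# validate_script FILE -> runs `bash -n` on FILE, prints the classification,
# and returns 0 only when the file parsed cleanly (every other status fails).
validate_script() {
    file=$1
    # Run the check inside `if` so a non-zero exit never trips `set -e`.
    if bash -n "$file" 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    verdict=$(classify_status "$status")
    echo "$verdict"
    # A crash is still a validation failure, but worth reporting separately.
    if [ "$verdict" = crashed ]; then
        echo "bash -n died on signal $((status - 128)) while parsing $file" >&2
    fi
    [ "$status" -eq 0 ]
}

# Constructed sample inputs (hypothetical, for the demonstration only).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
good_script="$tmpdir/good.sh"
bad_script="$tmpdir/bad.sh"
printf '%s\n' 'echo hello' 'for i in 1 2; do echo "$i"; done' > "$good_script"
printf '%s\n' 'if true; then echo unterminated' > "$bad_script"

# Demonstration run: prints "ok" for good.sh and "syntax-error" for bad.sh.
for f in "$good_script" "$bad_script"; do
    printf '%s: ' "$f"
    validate_script "$f" || true
done
```

The wrapper deliberately keys on the exit status alone, as the message describes: the caller never has to know whether the input was rejected because of bad syntax or because the parser fell over, since both are non-zero. The extra `crashed` verdict only adds a log line so that a recurring signal death can be reported as a bug instead of being mistaken for a malformed input.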
