[gnu.org #1838744] Bash Manual, 3.6.2 Redirecting Inputs, SUGGESTION

2022-06-01 Thread Therese Godefroy via RT
On Tue 31 May 2022 10:02:56, chet.ra...@case.edu wrote:
[...]
> You might tell him that this is standard usage, up to and including the
> POSIX standard:
> 
> https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_07
> 
> I may change this sometime, but it's low priority.
> 
> Chet


Done.
Thanks for your input! 

Best,
Thérèse





Re: Bash-5.2-beta available

2022-06-01 Thread Matthias Klose

On 13.04.22 20:40, Chet Ramey wrote:

> The first beta release of bash-5.2 is now available with the URLs
>
> ftp://ftp.cwru.edu/pub/bash/bash-5.2-beta.tar.gz
> https://ftp.gnu.org/pub/gnu/bash/bash-5.2-beta.tar.gz


not in the bash tarball, but in the readline 8.2 beta tarball, the generated 
configure files don't have the execute permission.




Re: Bash-5.2-beta available

2022-06-01 Thread Chet Ramey
On 6/1/22 5:54 AM, Matthias Klose wrote:
> On 13.04.22 20:40, Chet Ramey wrote:
>> The first beta release of bash-5.2 is now available with the URLs
>>
>> ftp://ftp.cwru.edu/pub/bash/bash-5.2-beta.tar.gz
>> https://ftp.gnu.org/pub/gnu/bash/bash-5.2-beta.tar.gz
> 
> not in the bash tarball, but in the readline 8.2 beta tarball, the
> generated configure files don't have the execute permission.

Thanks for the report.


-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/



BASH recursion segfault, FUNCNEST doesn't help

2022-06-01 Thread Gergely
Hi,


I stumbled upon a recursion overflow crash in BASH. It affects both my
Debian machine (this report), as well as the latest stable built from
source.

There's a slim chance this might be exploitable.


Best,
Gergely Kalman


Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall
uname output: Linux test 5.17.0-2-amd64 #1 SMP PREEMPT Debian 5.17.6-1
(2022-05-14) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Description:
     A file repeatedly sourcing itself crashes bash with a segfault.

     I did not have time to investigate, but it is alarming to me that
bash with some depths can survive the recursion, only to crash when I
try to run programs. This suggests to me that there's a very slim chance
of exploitability, but really I saw no point in investigating as at this
point the attacker can pretty much already run code...

     As suggested in the previous report like this
(https://lists.gnu.org/archive/html/bug-bash/2022-05/msg00016.html),
FUNCNEST doesn't help, somewhat unsurprisingly.


Repeat-By:
     Basic code to reproduce:

     echo '. a' > a; bash -c '. a'


     With FUNCNEST:

     export FUNCNEST=1000; echo '. a' > a; bash -c 'echo $FUNCNEST; . a'


     Code to test with N depth:

     -
     if [ $1 -eq 0 ]
     then
         echo done
     #    id
     #    ls
     #    whoami
     else
         source a $(($1-1))
         return
     fi

     id
     ls
     whoami

     -

     bash -c '. a 4280' results in crashing after 'id' is run, but
before 'ls'. It doesn't seem to matter where I call these programs, bash
crashes all the same, whether I am in the deepest level or the top.

     Varying the parameter I can also crash in various places, like:
bash, libtinfo, or libc:

     [438676.042819] bash[408615]: segfault at 7ffedc6aaff8 ip
55bfc89a7966 sp 7ffedc6ab000 error 6 in bash[55bfc899e000+bb000]
     [438679.191182] bash[408618]: segfault at 7ffd8510 ip
7fc71696dabf sp 7ffd851fffe0 error 6 in
libc-2.33.so[7fc71690b000+158000]
     [438681.979822] bash[408619]: segfault at 7fff8f8a7ff8 ip
7f80a488d0fb sp 7fff8f8a8000 error 6 in
libc-2.33.so[7f80a482a000+158000]
     [438684.104766] bash[408620]: segfault at 7fff416f6eb0 ip
555b17112963 sp 7fff416f6e70 error 6 in bash[555b17106000+bb000]
     [438685.969473] bash[408621]: segfault at 7fffd9e1d418 ip
7f7d49d7ba76 sp 7fffd9e1d410 error 6 in
libtinfo.so.6.3[7f7d49d6d000+11000]


Fix:
     Place a limit on the depth of source-able files, like FUNCNEST.






Re: BASH recursion segfault, FUNCNEST doesn't help

2022-06-01 Thread Martin Schulte
Hi Gergely!

> I stumbled upon a recursion overflow crash in BASH.

There are many ways to exhaust memory (and other) resources; recursion is one 
of them. In your case a variable like SRCNEST (and all the code with its 
performance impacts needed behind it) might help, but what exactly is the 
advantage of a "maximum source nesting level exceeded" error over a 
segmentation fault?

Next we will need MAXARRUSAGE, MAXBRACEEXPAN, ...

> There's a slim chance this might be exploitable.

I would really be interested in an example.

Best regards,

Martin
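
A script-level sketch of the bounded failure that the "Fix" in the report and the SRCNEST remark above are about, as an added example that is not part of the thread or of bash. `guarded_source`, `SRC_DEPTH`, `SRC_DEPTH_MAX` and the status 70 are hypothetical choices, and the depth-N file is the report's test case rewritten to go through the guard.

```bash
# Added example, not bash's own code. guarded_source, SRC_DEPTH and
# SRC_DEPTH_MAX are hypothetical names; 70 is an arbitrary status.
SRC_DEPTH_MAX=${SRC_DEPTH_MAX:-64}   # far below the ~4280 levels in the report
SRC_DEPTH=0

guarded_source() {
    # Check before recursing: the caller gets a status it can handle
    # instead of the shell dying with SIGSEGV once the stack is exhausted.
    if [ "$SRC_DEPTH" -ge "$SRC_DEPTH_MAX" ]; then
        echo "guarded_source: nesting limit $SRC_DEPTH_MAX reached at $1" >&2
        return 70
    fi
    src_file=$1
    shift                            # remaining args become the file's "$@"
    SRC_DEPTH=$((SRC_DEPTH + 1))
    . "$src_file"
    src_rc=$?
    SRC_DEPTH=$((SRC_DEPTH - 1))     # unwind on success and on failure
    return "$src_rc"
}

# Constructed demo: the report's depth-N test file, routed through the guard.
run_depth() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/a" <<EOF
if [ "\$1" -eq 0 ]; then
    echo done
else
    guarded_source "$demo_dir/a" \$((\$1 - 1))
fi
EOF
    demo_rc=0
    guarded_source "$demo_dir/a" "$1" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

run_depth 10                                    # 11 nested sources: prints "done"
run_depth 4280 || echo "refused with status $?" # stopped at level 64, no crash
```

The counter only sees files loaded through `guarded_source`; a bare `.` or `source` inside a sourced file bypasses it, so this bounds cooperative scripts rather than untrusted input.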