Re: bash buffer overflow in handling locale environment variables
From: Stephane Chazelas
Subject: Re: bash buffer overflow in handling locale environment variables
Date: Thu, 30 Apr 2015 21:45:13 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
2015-04-30 18:13:48 +0000, Trammell Hudson:
[...]
> Overly long LC_ALL or LC_CTYPE variables can cause a buffer overflow
> in converting 32-bit unicode characters. The stub_charset() function
> calls strcpy() into a static 40-byte buffer for the charset, which
> can be overflowed if the charset portion of LC_CTYPE contains more
> than 40 characters.
>
> If bash is not built with -D_FORTIFY_SOURCE, it might be possible to use
> this bug to cause malicious code execution.
>
>
> Repeat-By:
> LC_ALL="foo.1234567890123456789012345678901234567890" \
> ./bash -c 'echo -e "\Udeadbeef\n"'
[...]
Nice catch.
Note that it's not only \Uxxxxxxxx, also \uxxxx.
sudo and many ssh deployments pass those values of LC_ALL along
unmodified, so it could be a problem for sudoers scripts (or
bashrcs for ssh like in git deployments) that use those \u\U
escape sequences.
--
Stephane
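
Added example, not part of the original message and not bash's source: the unbounded copy pattern described in the report next to a bounded replacement that rejects an over-long charset name. The function names, the "ASCII" fallback and the sample locale strings are assumptions made for illustration; only the 40-byte buffer size and the long LC_ALL value come from the report.

```c
#include <stdio.h>
#include <string.h>

#define CHARSET_BUFSIZE 40  /* buffer size stated in the report */

/* Pattern described in the report: unbounded strcpy() of the text after
   the last '.' into a fixed buffer. It overflows once that text plus its
   NUL terminator exceeds CHARSET_BUFSIZE. Shown for contrast only. */
static char unsafe_buf[CHARSET_BUFSIZE];
char *charset_unsafe(const char *locale)
{
    const char *dot = strrchr(locale, '.');
    strcpy(unsafe_buf, dot ? dot + 1 : locale);  /* no length check */
    return unsafe_buf;
}

/* Bounded form (hypothetical helper): copies the charset part, i.e. the
   text after the last '.' up to an optional '@modifier', into out.
   Returns 0 on success. Returns -1 when the name does not fit, leaving
   the assumed fallback "ASCII" in out instead of truncating. */
int charset_bounded(const char *locale, char *out, size_t outlen)
{
    const char *dot, *start;
    size_t len;

    if (out == NULL || outlen < sizeof "ASCII")
        return -1;
    memcpy(out, "ASCII", sizeof "ASCII");  /* fits: checked just above */
    if (locale == NULL || *locale == '\0')
        return 0;
    dot = strrchr(locale, '.');
    start = dot ? dot + 1 : locale;
    len = strcspn(start, "@");             /* stop at modifier or end */
    if (len == 0)
        return 0;                          /* empty charset: keep fallback */
    if (len >= outlen)
        return -1;                         /* no room for name plus NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples; the last one is the value from the report. */
    const char *samples[] = { "en_US.UTF-8", "de_DE.ISO-8859-15@euro",
        "foo.1234567890123456789012345678901234567890" };
    char buf[CHARSET_BUFSIZE];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = charset_bounded(samples[i], buf, sizeof buf);
        printf("%-46s rc=%d charset=%s\n", samples[i], rc, buf);
    }
    return 0;
}
```

Rejecting rather than truncating means an over-long value never reaches the conversion code as a plausible-looking charset name.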