|
1 BASH PATCH REPORT |
|
2 ================= |
|
3 |
|
4 Bash-Release: 4.2 |
|
5 Patch-ID: bash42-033 |
|
6 |
|
7 Bug-Reported-by: David Leverton <[email protected]> |
|
8 Bug-Reference-ID: <[email protected]> |
|
9 Bug-Reference-URL: |
|
10 |
|
11 Bug-Description: |
|
12 |
|
13 Bash uses a static buffer when expanding the /dev/fd prefix for the test |
|
14 and conditional commands, among other uses, when it should use a dynamic |
|
15 buffer to avoid buffer overflow. |
|
16 |
|
17 Patch (apply with `patch -p0'): |
|
18 |
|
19 *** ../bash-4.2-patched/lib/sh/eaccess.c 2011-01-08 20:50:10.000000000 -0500 |
|
20 --- lib/sh/eaccess.c 2012-06-04 21:06:43.000000000 -0400 |
|
21 *************** |
|
22 *** 83,86 **** |
|
23 --- 83,88 ---- |
|
24 struct stat *finfo; |
|
25 { |
|
26 + static char *pbuf = 0; |
|
27 + |
|
28 if (*path == '\0') |
|
29 { |
|
30 *************** |
|
31 *** 107,111 **** |
|
32 On most systems, with the notable exception of linux, this is |
|
33 effectively a no-op. */ |
|
34 ! char pbuf[32]; |
|
35 strcpy (pbuf, DEV_FD_PREFIX); |
|
36 strcat (pbuf, path + 8); |
|
37 --- 109,113 ---- |
|
38 On most systems, with the notable exception of linux, this is |
|
39 effectively a no-op. */ |
|
40 ! pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8)); |
|
41 strcpy (pbuf, DEV_FD_PREFIX); |
|
42 strcat (pbuf, path + 8); |
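Review bot: The new allocation size at line 109, `sizeof (DEV_FD_PREFIX) + strlen (path + 8)`, is exactly large enough only because `sizeof` on a string-literal macro counts the terminating NUL, and nothing in the code states that dependency. DEV_FD_PREFIX's definition is not visible in this hunk; if it were ever a `char *` rather than a literal, `sizeof` would yield the pointer size and the following `strcpy`/`strcat` could again write past the buffer. I would add a comment above the `xrealloc` call such as `/* sizeof counts the NUL; DEV_FD_PREFIX must be a string literal, not a pointer */`. The declaration `static char *pbuf = 0;` also deserves a one-line comment saying the buffer is deliberately kept and reused across calls and never freed, which makes the function non-reentrant. The enclosing function starts and ends outside both hunks, so how `pbuf` is used after the `strcat` cannot be checked from here.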
|
43 *** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 |
|
44 --- patchlevel.h Thu Feb 24 21:41:34 2011 |
|
45 *************** |
|
46 *** 26,30 **** |
|
47 looks for to find the patch level (for the sccs version string). */ |
|
48 |
|
49 ! #define PATCHLEVEL 32 |
|
50 |
|
51 #endif /* _PATCHLEVEL_H_ */ |
|
52 --- 26,30 ---- |
|
53 looks for to find the patch level (for the sccs version string). */ |
|
54 |
|
55 ! #define PATCHLEVEL 33 |
|
56 |
|
57 #endif /* _PATCHLEVEL_H_ */ |