1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
BASH PATCH REPORT
=================
Bash-Release: 4.2
Patch-ID: bash42-033
Bug-Reported-by: David Leverton <levertond@googlemail.com>
Bug-Reference-ID: <4FCCE737.1060603@googlemail.com>
Bug-Reference-URL:
Bug-Description:
Bash uses a static buffer when expanding the /dev/fd prefix for the test
and conditional commands, among other uses, when it should use a dynamic
buffer to avoid buffer overflow.
Patch (apply with `patch -p0'):
Index: b/bash/lib/sh/eaccess.c
===================================================================
--- a/bash/lib/sh/eaccess.c
+++ b/bash/lib/sh/eaccess.c
@@ -82,6 +82,8 @@
const char *path;
struct stat *finfo;
{
+ static char *pbuf = 0;
+
if (*path == '\0')
{
errno = ENOENT;
@@ -106,7 +108,7 @@
trailing slash. Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
On most systems, with the notable exception of linux, this is
effectively a no-op. */
- char pbuf[32];
+ pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
strcpy (pbuf, DEV_FD_PREFIX);
strcat (pbuf, path + 8);
return (stat (pbuf, finfo));
Index: b/bash/patchlevel.h
===================================================================
--- a/bash/patchlevel.h
+++ b/bash/patchlevel.h
@@ -25,6 +25,6 @@
regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
looks for to find the patch level (for the sccs version string). */
-#define PATCHLEVEL 32
+#define PATCHLEVEL 33
#endif /* _PATCHLEVEL_H_ */
|
