7 Bug-Reported-by: David Leverton <levertond@googlemail.com>
8 Bug-Reference-ID: <4FCCE737.1060603@googlemail.com>
13 Bash uses a static buffer when expanding the /dev/fd prefix for the test
14 and conditional commands, among other uses, when it should use a dynamic
15 buffer to avoid buffer overflow.
17 Patch (apply with `patch -p0'):
19 *** ../bash-4.2-patched/lib/sh/eaccess.c 2011-01-08 20:50:10.000000000 -0500
20 --- lib/sh/eaccess.c 2012-06-04 21:06:43.000000000 -0400
26 + static char *pbuf = 0;
32 On most systems, with the notable exception of linux, this is
33 effectively a no-op. */
35 strcpy (pbuf, DEV_FD_PREFIX);
36 strcat (pbuf, path + 8);
38 On most systems, with the notable exception of linux, this is
39 effectively a no-op. */
40 ! pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
41 strcpy (pbuf, DEV_FD_PREFIX);
42 strcat (pbuf, path + 8);
43 *** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
44 --- patchlevel.h Thu Feb 24 21:41:34 2011
47 looks for to find the patch level (for the sccs version string). */
49 ! #define PATCHLEVEL 32
51 #endif /* _PATCHLEVEL_H_ */
53 looks for to find the patch level (for the sccs version string). */
55 ! #define PATCHLEVEL 33
57 #endif /* _PATCHLEVEL_H_ */