| BASH PATCH REPORT |
| ================= |
| |
| Bash-Release: 4.2 |
| Patch-ID: bash42-033 |
| |
| Bug-Reported-by: David Leverton <levertond@googlemail.com> |
| Bug-Reference-ID: <4FCCE737.1060603@googlemail.com> |
| Bug-Reference-URL: |
| |
| Bug-Description: |
| |
| Bash uses a static buffer when expanding the /dev/fd prefix for the test |
| and conditional commands, among other uses, when it should use a dynamic |
| buffer to avoid buffer overflow. |
| |
| Patch (apply with `patch -p0'): |
| |
| *** ../bash-4.2-patched/lib/sh/eaccess.c 2011-01-08 20:50:10.000000000 -0500 |
| --- ./lib/sh/eaccess.c 2012-06-04 21:06:43.000000000 -0400 |
| *************** |
| *** 83,86 **** |
| --- 83,88 ---- |
| struct stat *finfo; |
| { |
| + static char *pbuf = 0; |
| + |
| if (*path == '\0') |
| { |
| *************** |
| *** 107,111 **** |
| On most systems, with the notable exception of linux, this is |
| effectively a no-op. */ |
| ! char pbuf[32]; |
| strcpy (pbuf, DEV_FD_PREFIX); |
| strcat (pbuf, path + 8); |
| --- 109,113 ---- |
| On most systems, with the notable exception of linux, this is |
| effectively a no-op. */ |
| ! pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8)); |
| strcpy (pbuf, DEV_FD_PREFIX); |
| strcat (pbuf, path + 8); |
| *** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 |
| --- ./patchlevel.h Thu Feb 24 21:41:34 2011 |
| *************** |
| *** 26,30 **** |
| looks for to find the patch level (for the sccs version string). */ |
| |
| ! #define PATCHLEVEL 32 |
| |
| #endif /* _PATCHLEVEL_H_ */ |
| --- 26,30 ---- |
| looks for to find the patch level (for the sccs version string). */ |
| |
| ! #define PATCHLEVEL 33 |
| |
| #endif /* _PATCHLEVEL_H_ */ |
