bash: popd controlled free (CVE-2016-9401)
A vulnerability was found in popd. It can be tricked into freeing a user-supplied address in the following way:
$ popd +-111111
In some environments this could be used to bypass restricted shells (rsh) and cause a use-after-free.
References:
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00099.html
http://seclists.org/oss-sec/2016/q4/445
Patch:
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
(from redmine: issue id 6653, created on 2017-01-10, closed on 2017-01-25)
- Relations:
  - child #6654 (closed)
  - child #6655 (closed)
  - child #6656 (closed)
  - child #6657 (closed)
  - child #6658 (closed)