Project

General

Profile

Bug #6653

bash: popd controlled free (CVE-2016-9401)

Added by Alicha CH over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
-
Start date:
01/10/2017
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Affected versions:
Security IDs:

Description

A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some environments to cause use-after-free.

Reference:

https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00099.html
http://seclists.org/oss-sec/2016/q4/445

Patch:

https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html


Subtasks

Bug #6654: [3.6] bash: popd controlled free (CVE-2016-9401)ClosedNatanael Copa

Bug #6655: [3.5] bash:popd controlled free (CVE-2016-9401)ClosedNatanael Copa

Bug #6656: [3.4] bash: popd controlled free (CVE-2016-9401)ClosedNatanael Copa

Bug #6657: [3.3] bash: popd controlled free (CVE-2016-9401)ClosedNatanael Copa

Bug #6658: [3.2] bash:popd controlled free (CVE-2016-9401)ClosedNatanael Copa

History

#1 Updated by Alicha CH over 2 years ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from New to Closed

Also available in: Atom PDF