[3.5] bash:popd controlled free (CVE-2016-9401)
A vulnerability was found in popd. It can be tricked into freeing a user-supplied address in the following way:
$ popd +-111111
This could be used to bypass restricted shells (rsh) in some environments to cause a use-after-free.
Reference:
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00099.html
http://seclists.org/oss-sec/2016/q4/445
Patch:
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
(from redmine: issue id 6655, created on 2017-01-10, closed on 2017-01-25)
- Relations:
  - parent #6653 (closed)
- Changesets:
  - Revision 88fc2ef0 by Sergei Lukin on 2017-01-24T09:22:39Z:
    main/bash: security fixes #6655
    CVE-2016-9401