From: Eduardo Bustamante
Newsgroups: gnu.bash.bug
Subject: Re: Use-After-Free in Bash
Date: Tue, 30 Oct 2018 18:19:34 -0700
To: corbin.souffrant@gmail.com
Cc: bug-bash
List-Id: Bug reports for the GNU Bourne Again SHell

On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant wrote:
(...)
> I found a reproducible use-after-free in every version of Bash from
> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
> say potentially, because I can get it to crash in restricted mode, but I
> haven't gone through the effort of attempting to heap spray to overwrite
> function pointers.

Disclaimer: I'm not a maintainer.

Did you check the `devel' branch in the git repository?

I don't think the restricted mode is really advertised as a powerful security feature, so IMO you should be able to report it here. If you're worried though, you can always email Chet Ramey directly.