| From | Chet Ramey <chet.ramey@case.edu> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: Use-After-Free in Bash |
| Date | 2018-10-30 21:47 -0400 |
| Organization | ITS, Case Western Reserve University |
| Message-ID | <mailman.3145.1540950475.1284.bug-bash@gnu.org> |
| References | <CALQDDJ90PG3c957jWTp_XE6-h_-1OdjTpeGhFso=iYtTBfyoNg@mail.gmail.com> <CAOSMAuuzHK4WTNsnkiLD2Fq+yD620ce5+cXFR5Y6ux=CWSmHqA@mail.gmail.com> |

On 10/30/18 9:19 PM, Eduardo Bustamante wrote:
> On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant
> <corbin.souffrant@gmail.com> wrote:
> (...)
>> I found a reproducible use-after-free in every version of Bash from
>> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
>> say potentially, because I can get it to crash in restricted mode, but I
>> haven't gone through the effort of attempting to heap spray to overwrite
>> function pointers.
>
> Disclaimer: I'm not a maintainer.
>
> Did you check the `devel' branch in the git repository?

He did; I just fixed it today.

> I don't think the restricted mode is really advertised as a powerful
> security feature, so IMO you should be able to report it here. If
> you're worried though, you can always email Chet Ramey directly.

I looked at it and can't see how to exploit it to execute arbitrary code.
It's also only a problem if you're not using the bash malloc.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/