| Path | csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Chet Ramey <chet.ramey@case.edu> |
| Newsgroups | gnu.bash.bug |
| Subject | Re: Use-After-Free in Bash |
| Date | Tue, 30 Oct 2018 21:47:28 -0400 |
| Organization | ITS, Case Western Reserve University |
| Lines | 30 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.3145.1540950475.1284.bug-bash@gnu.org> (permalink) |
| References | <CALQDDJ90PG3c957jWTp_XE6-h_-1OdjTpeGhFso=iYtTBfyoNg@mail.gmail.com> <CAOSMAuuzHK4WTNsnkiLD2Fq+yD620ce5+cXFR5Y6ux=CWSmHqA@mail.gmail.com> |
| Reply-To | chet.ramey@case.edu |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=utf-8 |
| Content-Transfer-Encoding | 7bit |
| X-Trace | usenet.stanford.edu 1540950475 29115 208.118.235.17 (31 Oct 2018 01:47:55 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | chet.ramey@case.edu, bug-bash <bug-bash@gnu.org> |
| To | Eduardo Bustamante <dualbus@gmail.com>, corbin.souffrant@gmail.com |
| Envelope-to | bug-bash@gnu.org |
| Openpgp | preference=signencrypt |
| User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 |
| In-Reply-To | <CAOSMAuuzHK4WTNsnkiLD2Fq+yD620ce5+cXFR5Y6ux=CWSmHqA@mail.gmail.com> |
| Content-Language | en-US |
| X-detected-operating-system | by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic] |
| X-Received-From | 129.22.103.195 |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.21 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <http://lists.gnu.org/archive/html/bug-bash/> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| Xref | csiph.com gnu.bash.bug:14750 |

On 10/30/18 9:19 PM, Eduardo Bustamante wrote:
> On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant
> <corbin.souffrant@gmail.com> wrote:
> (...)
>> I found a reproducible use-after-free in every version of Bash from
>> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
>> say potentially, because I can get it to crash in restricted mode, but I
>> haven't gone through the effort of attempting to heap spray to overwrite
>> function pointers.
>
> Disclaimer: I'm not a maintainer.
>
> Did you check the `devel' branch in the git repository?

He did; I just fixed it today.

> I don't think the restricted mode is really advertised as a powerful
> security feature, so IMO you should be able to report it here. If
> you're worried though, you can always email Chet Ramey directly.

I looked at it and can't see how to exploit it to execute arbitrary
code. It's also only a problem if you're not using the bash malloc.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/