431850 – (CVE-2012-3410) <app-shells/bash-4.2_p33: Buffer overflow vulnerability

Bug 431850 (CVE-2012-3410) - <app-shells/bash-4.2_p33: Buffer overflow vulnerability

Summary: <app-shells/bash-4.2_p33: Buffer overflow vulnerability

Status:	RESOLVED FIXED

Alias:	CVE-2012-3410

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-08-18 12:28 UTC by Agostino Sarubbo
Modified:	2015-10-20 20:35 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2012-08-18 12:28:51 UTC

Arches, please test and mark stable:                                                                                                                                                
=app-shells/bash-4.2_p29                                                                                                                                                           
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 1 Agostino Sarubbo gentoo-dev

2012-08-18 15:40:14 UTC

(In reply to comment #0)
> Arches, please test and mark stable:                                        
> 
> =app-shells/bash-4.2_p29                                                    
> 
> Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc
> x86"

Arches, please test and mark stable:                                                                                                                                                
=app-shells/bash-4.2_p37                                                                                                                                                        
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 2 Agostino Sarubbo gentoo-dev

2012-08-18 17:15:31 UTC

As per http://www.openwall.com/lists/oss-security/2012/07/12/3 this is now a security bug.

Comment 3 Agostino Sarubbo gentoo-dev

2012-08-18 17:18:58 UTC

amd64 stable

Comment 4 Johannes Huber (RETIRED) gentoo-dev

2012-08-18 21:56:32 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2012-08-20 02:47:35 UTC

Stable for HPPA.

Comment 6 Markus Meier gentoo-dev

2012-08-23 21:10:40 UTC

arm stable

Comment 7 Anthony Basile gentoo-dev

2012-08-28 02:42:30 UTC

Stable ppc

Comment 8 Brent Baude (RETIRED) gentoo-dev

2012-08-28 17:45:52 UTC

ppc64 done

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2012-09-02 17:51:37 UTC

alpha/ia64/m68k/s390/sh/sparc stable

Comment 10 Tim Sammut (RETIRED) gentoo-dev

2012-09-04 16:02:15 UTC

Thanks, folks. GLSA request filed.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2012-09-04 23:04:05 UTC

CVE-2012-3410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3410):
  Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 patch
  33 might allow local users to bypass intended restricted shell access via a
  long filename in /dev/fd, which is not properly handled when expanding the
  /dev/fd prefix.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-10-20 01:02:41 UTC

This issue was resolved and addressed in
 GLSA 201210-05 at http://security.gentoo.org/glsa/glsa-201210-05.xml
by GLSA coordinator Sean Amoss (ackle).

Comment 13 SpanKY gentoo-dev

2015-10-20 20:35:25 UTC

backported to older SLOTs here:
http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3b9fc42cadf308da7fab21c338cca55aa778ae7