Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 431850 (CVE-2012-3410) - <app-shells/bash-4.2_p33: Buffer overflow vulnerability
Summary: <app-shells/bash-4.2_p33: Buffer overflow vulnerability
Status: RESOLVED FIXED
Alias: CVE-2012-3410
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-18 12:28 UTC by Agostino Sarubbo
Modified: 2015-10-20 20:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-08-18 12:28:51 UTC 
Arches, please test and mark stable:                                                                                                                                                
=app-shells/bash-4.2_p29                                                                                                                                                           
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 1 Agostino Sarubbo gentoo-dev 2012-08-18 15:40:14 UTC 
(In reply to comment #0)
> Arches, please test and mark stable:                                        
> 
> =app-shells/bash-4.2_p29                                                    
> 
> Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc
> x86"

Arches, please test and mark stable:                                                                                                                                                
=app-shells/bash-4.2_p37                                                                                                                                                        
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-18 17:15:31 UTC 
As per http://www.openwall.com/lists/oss-security/2012/07/12/3 this is now a security bug.
Comment 3 Agostino Sarubbo gentoo-dev 2012-08-18 17:18:58 UTC 
amd64 stable
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2012-08-18 21:56:32 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-20 02:47:35 UTC 
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2012-08-23 21:10:40 UTC 
arm stable
Comment 7 Anthony Basile gentoo-dev 2012-08-28 02:42:30 UTC 
Stable ppc
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-08-28 17:45:52 UTC 
ppc64 done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-09-02 17:51:37 UTC 
alpha/ia64/m68k/s390/sh/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-09-04 16:02:15 UTC 
Thanks, folks. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-09-04 23:04:05 UTC 
CVE-2012-3410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3410):
  Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 patch
  33 might allow local users to bypass intended restricted shell access via a
  long filename in /dev/fd, which is not properly handled when expanding the
  /dev/fd prefix.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-10-20 01:02:41 UTC 
This issue was resolved and addressed in
 GLSA 201210-05 at http://security.gentoo.org/glsa/glsa-201210-05.xml
by GLSA coordinator Sean Amoss (ackle).