CVE-2022-3715: A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems. No idea about a patch. Reported upstream at: https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html
Red hat is tracking this here: https://bugzilla.redhat.com/show_bug.cgi?id=2126720 And links to the mailing list thread with the fix: https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html ``` Repeat-By: 1. Build bash with asan 2. Run with AFL++ crafted input (in attachment) Fix: diff -uprN bash-5.1-orig/subst.c bash-5.1/subst.c --- bash-5.1-orig/subst.c 2022-08-29 18:56:11.071802865 +0000 +++ bash-5.1/subst.c 2022-08-29 18:56:48.187435415 +0000 @@ -7916,7 +7916,7 @@ static int valid_parameter_transform (xform) char *xform; { - if (xform[1]) + if (xform[0] && xform[1]) return 0; /* check for valid values of xform[0] */ Kind regards, Ivan Kapranov. ```
Thanks! Any idea about impact?
It is hard to say without seeing what the repro case looks like. Since it is in a shell, it probably already requires significant access in order to reach the bug. In other words an attacker who can already run shell doesn't have much to gain by exploiting a memory bug in the shell interpreter. Some notable exceptions are * the potential for a noexec bypasses * the potential a privileged process already uses shell in a way that could be tricked into matching a repro case I would consider this worth fixing, but not urgent. It is surprising to me that upstream didn't take the fix (yet).
After reading the message thread, it sounds like the reporter has failed to sufficiently demonstrate that a problem even exists. I suspect they just submitted some fuzzer output without reviewing it for context.
I took a look to see if I could find a way to reach it and the only way seems to be here: https://github.com/bminor/bash/blob/ec8113b9861375e4e17b3307372569d429dec814/subst.c#L8679 ``` if (xform[0] == 0 || valid_parameter_transform (xform) == 0) ``` So the check in the patch is already performed before the only call site for valid_parameter_transform. It could easily become an issue in the future, but I think it is safe to close this.
The `xform[0] == 0 ||` check was added in bash-5.2, which was released a few weeks after the issue was reported on the bash mailing list.
In that case we should either pick that commit or upgrade past the fix.
(In reply to Mike Gilbert from comment #6) > The `xform[0] == 0 ||` check was added in bash-5.2, which was released a few > weeks after the issue was reported on the bash mailing list. So, we have fixed versions in tree? >5.2?
I checked and bash-5.2_p15-r2 has the fix (but it is still not marked stable).
(In reply to Allen Webb from comment #9) > I checked and bash-5.2_p15-r2 has the fix (but it is still not marked > stable). Thanks!
