oss-sec mailing list archives
Re: bash - popd controlled free
From: <cve-assign () mitre org>
Date: Thu, 17 Nov 2016 18:28:44 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
popd can be tricked to free a user supplied address in the following way: $ popd +-111111
Program received signal SIGSEGV, Segmentation fault. 0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384 384 free (pushd_directory_list[i]);
This could be used to bypass restricted shells (rsh) on some environments to cause use-after-free.
Use CVE-2016-9401. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYLjy/AAoJEHb/MwWLVhi2P8QQAKfY3sVxQ/vVBeiKqG+c61Jb l+HoVjuWR+OOFjJ/ugbeaSE1dYFCoQzoVx+/b4nhP4sNiZExs+Odj/A2cGCr6oAj 1p9do/oEm7pE/n3VAhpqoLxnOflWvk/AOSLcR5kv2IyZWQxq/htBxdzuzdN3cdoz 4L98GPPCAnF8rhHrHiLRfkDCiC5HbzfPouL9LegUYjHAVwE6IvW+Ckoqx6fX6Diw iXahNo0Rw4TR1HgGcp46AiThY98g1K2EeaAaz+bVNmnvX3jc+VTNkd2BMDj+QKJf g39zYpP5BDsPhgvJHT65gqnbiWbHP6SnrANgxR7n8W/WKm+X7NAoPCfsYj1OQ3Wd Q7UULEYZneqBwXmVrSD4IORTdOLEW1yL7FSfa6lKYpe33R32MTgOCu4oJNLWBzGy KtpPioEahBbNX+QeyEH7wDPILWn/KitZR5WIn/wfas84Z8Tfdb1EEyIq6V6J4NA9 7IXDnwBWTG6Ipu0+VsiL2uvUUTjgiUZAo97YKblYyZmkVMKKG4Cg3CheciPbgVf8 2qpEsc4ROKjZ0Y+KWP7yI8IfUQxvtw/mAiVIJds7D092VeM/EIbXlqT2kWc1g7nA 47f94cLsskul95GeCyqZTidMMfTF+pu3RIJS8npWYXoCeh5qfFArTjsNgk2SqIHA HrJRIk35K2RgXQ3g6jFT =zUdd -----END PGP SIGNATURE-----
Current thread:
- bash - popd controlled free Fernando Muñoz (Nov 17)
- Re: bash - popd controlled free cve-assign (Nov 17)