From: werner
Subject: popd controlled free (Segmentation fault) with bash 4.2.47, 4.3.48, and 4.4.5
Date: Mon, 21 Nov 2016 12:47:44 +0100

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc -I/home/abuild/rpmbuild/BUILD/bash-4.2 
-L/home/abuild/rpmbuild/BUILD/bash-4.2/../readline-6.2
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-suse-linux-gnu' 
-DCONF_VENDOR='suse' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -fmessage-length=0 
-grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector 
-funwind-tables -fasynchronous-unwind-tables -g  -D_GNU_SOURCE -DRECYCLES_PIDS 
-Wall -g -Wuninitialized -Wextra -Wno-unprototyped-calls -Wno-switch-enum 
-Wno-unused-variable -Wno-unused-parameter -ftree-loop-linear -pipe 
-DBNC382214=0 -fprofile-use
uname output: Linux noether 4.1.34-33-default #1 SMP PREEMPT Thu Oct 20 
08:03:29 UTC 2016 (fe18aba) x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-suse-linux-gnu

Bash Version: 4.2.47, 4.3.48, 4.4.5
Release Status: release
OpenSUSE bug: 1010845
CVE: 2016-9401

Description:
        popd controlled free (Segmentation fault) in all bash versions here around

Repeat-By:

        bash -c 'popd --1'
        bash -c 'popd +-1'

        or any other negative signed number after the first sign

Fix:

*** builtins/pushd.def
--- builtins/pushd.def  Mon Nov 21 11:27:52 2016
*************** popd_builtin (list)
*** 341,347 ****
        }
        else if (((direction = list->word->word[0]) == '+') || direction == '-')
        {
!         if (legal_number (list->word->word + 1, &which) == 0)
            {
              sh_invalidnum (list->word->word);
              builtin_usage ();
--- 341,347 ----
        }
        else if (((direction = list->word->word[0]) == '+') || direction == '-')
        {
!         if (legal_number (list->word->word + 1, &which) == 0 || 
all_digits(list->word->word + 1) == 0)
            {
              sh_invalidnum (list->word->word);
              builtin_usage ();
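
Review bot: The added `all_digits(list->word->word + 1) == 0` test in the `+`/`-` branch of popd_builtin rejects the argument by its spelling rather than by the value that is used afterwards; checking `which` itself once `legal_number` has succeeded (reject `which < 0`) would state the invariant directly and keep the two checks from drifting apart. Only popd_builtin is changed in this hunk, so any other place in builtins/pushd.def that parses a `+N`/`-N` argument with `legal_number` deserves the same look. Minor: the call is written `all_digits(` while the surrounding code puts a space before the parenthesis (`legal_number (`), and the changed line is wrapped across two lines in this mail, so the patch will not apply as posted.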
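
The validation gap behind the two Repeat-By cases, modelled as an added example (not bash's code and not part of the original report). `signed_number` is a simplified stand-in for `legal_number`, assumed to accept a signed string as the reproducer implies, and the depth check in `parse_patched` is a hypothetical extra that goes beyond the posted patch.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>

/* Stand-in for bash's legal_number (assumption, not bash code): accepts any
   string strtoimax() consumes completely, so a leading sign is allowed. */
static int signed_number(const char *s, intmax_t *out)
{
    char *end;
    errno = 0;
    *out = strtoimax(s, &end, 10);
    return *s != '\0' && errno == 0 && *end == '\0';
}

/* Same idea as the all_digits() test in the patch: digits and nothing else. */
static int only_digits(const char *s)
{
    while (isdigit((unsigned char)*s))
        s++;
    return *s == '\0';
}

/* Pre-patch shape: the text after the first sign only has to convert. */
int parse_unpatched(const char *arg, intmax_t *which)
{
    return (arg[0] == '+' || arg[0] == '-') && signed_number(arg + 1, which);
}

/* Patched shape, plus a range check against a hypothetical stack depth. */
int parse_patched(const char *arg, intmax_t depth, intmax_t *which)
{
    intmax_t v;
    if (!parse_unpatched(arg, &v) || !only_digits(arg + 1) || v > depth)
        return 0;
    *which = v;
    return 1;
}

int main(void)
{
    const char *samples[] = { "+1", "--1", "+-1", "++2", "+" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        intmax_t a = 0, b = 0;
        int ua = parse_unpatched(samples[i], &a);
        printf("%-4s unpatched=%d which=%" PRIdMAX " patched=%d\n", samples[i], ua, a, parse_patched(samples[i], 3, &b));
    }
    return 0;
}
```

The unpatched parser hands back a negative `which` for `--1` and `+-1`, which is the value the caller would go on to use as a stack index; the patched form rejects both before any index is computed.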