Date:      Tue, 10 Aug 2010 22:45:59 +0000 (UTC)
From:      Jilles Tjoelker <jilles@FreeBSD.org>
To:        cvs-src-old@freebsd.org
Subject:   cvs commit: src/bin/sh expand.c src/tools/regression/bin/sh/expansion pathname3.0
Message-ID:  <201008102247.o7AMlLub026757@repoman.freebsd.org>

jilles      2010-08-10 22:45:59 UTC

  FreeBSD src repository

  Modified files:
    bin/sh               expand.c 
  Added files:
    tools/regression/bin/sh/expansion pathname3.0 
  Log:
  SVN rev 211155 on 2010-08-10 22:45:59Z by jilles
  
  sh: Fix heap-based buffer overflow in pathname generation.
  
  The buffer for generated pathnames could be too small in some cases. It
  happened to be always at least PATH_MAX long, so there was never an overflow
  if the resulting pathnames would be usable.
  
  This bug may be abused if a script subjects input from an untrusted source
  to pathname generation, which is a bad idea anyhow. Most shell scripts do not
  work on untrusted data. secteam@ says no advisory is necessary.
  
  PR:             bin/148733
  Reported by:    Changming Sun snnn119 at gmail com
  MFC after:      10 days
  
  Revision  Changes    Path
  1.66      +15 -16    src/bin/sh/expand.c
  1.1       +29 -0     src/tools/regression/bin/sh/expansion/pathname3.0 (new)


