Hosting Provided By

glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)

From: 3APA3A <3APA3A(at)SECURITY.NNOV.RU>
Date: Sat Feb 15 2003 - 01:54:19 EST

It looks to be the only correct post in this thread :) Yes, it's definitely bug in glibc, not in bash itself (same versions of bash on libc systems like FreeBSD are not affected). Recurse call stack overflow is believed not to be exploitable to code execution, but since this bug is in library it may be treated as security one as it may be exploited remotely (at least as a DoS) in a case glob_filename is used in some network service.

--Thursday, February 13, 2003, 8:34:36 PM, you wrote to vuln-dev@securityfocus.com:

>>During some work, I noticed GNU bash could be crashed by sending a
>>malformed perl request to the terminal.
>>
>> example: `perl -e 'print "*/*" x 3500'`
>> <bash crashes>

RP> It's a stack overflow, due to glob_filename (in glob.c) recursively RP> calling itself while parsing the filename. So probably not exploitable.

RP> - Blazde

-- 
~/ZARAZA
Áðîñüòå ñòàðàòüñÿ - íè÷åãî èç ýòîãî íå âûéäåò. (Òâåí)

Received on Sat Feb 15 11:17:10 2003

This message: [ Message body ]
Next message: Vladamir Shmirnov: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"
Previous message: Bob Fleck: "Re: Windows 2000 Static arp not static"
In reply to: Roland Postle: "Re: Bash Blues."
Next in thread: Vladamir Shmirnov: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"
Reply: Vladamir Shmirnov: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

Do you need help?