7 Bug-Reported-by: David Leverton <levertond@googlemail.com>
8 Bug-Reference-ID: <4FCCE737.1060603@googlemail.com>
13 Bash uses a static buffer when expanding the /dev/fd prefix for the test
14 and conditional commands, among other uses, when it should use a dynamic
15 buffer to avoid buffer overflow.
17 Patch (apply with `patch -p0'):
19 Index: b/bash/lib/sh/eaccess.c
20 ===================================================================
21 --- a/bash/lib/sh/eaccess.c
22 +++ b/bash/lib/sh/eaccess.c
27 + static char *pbuf = 0;
33 trailing slash. Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
34 On most systems, with the notable exception of linux, this is
35 effectively a no-op. */
37 + pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
38 strcpy (pbuf, DEV_FD_PREFIX);
39 strcat (pbuf, path + 8);
40 return (stat (pbuf, finfo));
41 Index: b/bash/patchlevel.h
42 ===================================================================
43 --- a/bash/patchlevel.h
44 +++ b/bash/patchlevel.h
46 regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
47 looks for to find the patch level (for the sccs version string). */
49 -#define PATCHLEVEL 32
50 +#define PATCHLEVEL 33
52 #endif /* _PATCHLEVEL_H_ */