This isn't nearly as important as shellshock or whatever you want to call it, but I found this while glancing at the source and the latest patch. It's a funny little bug that I doubt could ever be useful for malicious reasons, unless you can determine an address to jump to that is comprised of all hex characters 30-39 (digits) due to the regex check on the version string, and also if the "attacker" could set a version string.
Still, a bad version string in a configure shouldn't allow someone to jump to an arbitrary address in memory. Might be a good idea to add a length check in configure or make.

Version I set in configure:

    BASHVERS=4.44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444

    (gdb) run
    Starting program: ~/bash/bash-4.3/bash

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000*343434* in ?? ()
    (gdb) bt
    #0  0x0000000000343434 in ?? ()
    #1  0x73696c6172746c75 in ?? ()
    #2  0x000000000000006b in ?? ()
    #3  0x0000000000000007 in ?? ()
    #4  0x00007ffff7ffa250 in ?? ()
    #5  0x0000002000000000 in ?? ()
    #6  0x0000000000000000 in ?? ()
    (gdb) i r
    rax            0x70b508                 7386376
    rbx            *0x3434343434343434*     3761688987579986996
    rcx            0x70b627                 7386663
    rdx            0x0                      0
    rsi            0x70b608                 7386632
    rdi            0x70b621                 7386657
    rbp            *0x3434343434343434*     *0x3434343434343434*
    rsp            0x7fffffffdee0           0x7fffffffdee0
    r8             0x0                      0
    r9             0x2                      2
    r10            0x705230                 7361072
    r11            0x7ffff7762780           140737345103744
    r12            *0x3434343434343434*     3761688987579986996
    r13            *0x3434343434343434*     3761688987579986996
    r14            *0x3434343434343434*     3761688987579986996
    r15            *0x3434343434343434*     3761688987579986996
    rip            *0x343434*               *0x343434*
    eflags         0x10202                  [ IF RF ]
    cs             0x33                     51
    ss             0x2b                     43
    ds             0x0                      0
    es             0x0                      0
    fs             0x0                      0

Vulnerable code:

    static void
    make_vers_array ()
    {
      SHELL_VAR *vv;
      ARRAY *av;
      char *s, d[32], b[INT_STRLEN_BOUND(int) + 1];

      unbind_variable ("BASH_VERSINFO");
      vv = make_new_array_variable ("BASH_VERSINFO");
      av = array_cell (vv);
      *strcpy (d, dist_version);*   /* unbounded copy of the configure-time version string into the 32-byte stack buffer d */

There's already a regex check on the version string for [0-9] which is why you are extremely limited to what you can do, but there should probably be a length limit to 31 characters, in the configure or makefile or something.

Hope all is well now. I know it's been a busy week :)

Cheers,
Johan Nestaas
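The length check the post asks for, as an added example that is not part of the original message and not bash's own code: a bounded copy of a configure-supplied version string into a fixed 32-byte buffer that rejects input which would not fit with its terminating NUL, and additionally rejects characters outside digits and dots. The function and enum names are hypothetical; the buffer size mirrors the d[32] in the post, and the inputs in main() are constructed.

```c
/* Added example (not bash's own code): validate a configure-supplied
 * version string before copying it into a fixed-size stack buffer.
 * Function and enum names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define VERS_BUF_SIZE 32   /* mirrors the d[32] buffer shown in the post */

/* Return codes for copy_version_checked(). */
enum vers_status { VERS_OK = 0, VERS_TOO_LONG = 1, VERS_BAD_CHAR = 2 };

/* Copy src into dst (dstsize bytes) only if it fits together with its
 * terminating NUL and consists solely of digits and dots, i.e. the shape
 * of a release string such as "4.3". On failure nothing is written to dst.
 * The scan never reads more than dstsize bytes of src, so an unterminated
 * source cannot run the check off the end of its own storage. */
int copy_version_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = 0;
    while (len < dstsize && src[len] != '\0') {
        if (!isdigit((unsigned char)src[len]) && src[len] != '.')
            return VERS_BAD_CHAR;
        len++;
    }
    if (len >= dstsize)        /* no room left for the NUL terminator */
        return VERS_TOO_LONG;
    memcpy(dst, src, len + 1); /* bounded copy, including the NUL */
    return VERS_OK;
}

/* Convenience wrapper with a local buffer of the same size as in the post. */
int check_version_string(const char *src)
{
    char d[VERS_BUF_SIZE];
    return copy_version_checked(d, sizeof d, src);
}

int main(void)
{
    /* Constructed inputs: a normal release string and the oversized one from the post. */
    const char *ok = "4.3";
    const char *too_long =
        "4.44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444";

    printf("\"%s\" -> status %d\n", ok, check_version_string(ok));
    printf("%zu-character string -> status %d\n",
           strlen(too_long), check_version_string(too_long));
    return 0;
}
```

Status 0 means the string was copied; 1 means it would have overflowed the 32-byte buffer (31 characters is the most that fits), and 2 means it contains something other than digits and dots. The same check expressed as a regex with an explicit length bound in configure would close the hole before the C code ever sees the string.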