Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' -DCONF_VENDOR='unknown' -DLOCALEDIR='/tmp/local/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I.. -I../include -I../lib -g -O2
uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9 03:28:16 GMT 2014 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu
Bash Version: 4.3
Patch Level: 30
Release Status: release

Description:
        The gettext-translated messages for "Done", "Done(%d)" and "Exit %d" in jobs.c are copied into retcode_name_buffer, a statically allocated 64-byte buffer, with unbounded string functions and no length check. A user can set the LANGUAGE variable to select a translation catalog whose translations of these strings are longer than 64 bytes, which overflows the buffer. (LANGUAGE only selects the catalog name; the bash.mo file itself has to be readable under LOCALEDIR, which for this build is /tmp/local/share/locale.) Since sudo passes LANGUAGE through unchanged, this might be usable for privilege escalation.

Repeat-By:
        Create a .po file with a bogus translation (the translation below is 96 bytes):

            #: jobs.c:1464 jobs.c:1489
            msgid "Done"
            msgstr "Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"

        Compile it with msgfmt and install the resulting bash.mo where gettext will find it for the nl locale under LOCALEDIR. Then start an interactive shell and put a command into the background:

            LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
            $ sleep 1 &
            [1] 14464
            $ sleep 2
            [1]+  Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 sleep 1
            $

        In this case the fortify tool did not detect the buffer overflow, but the variables after retcode_name_buffer were overwritten.

Fix:
        Change jobs.c to bound the copies with snprintf, using sizeof (retcode_name_buffer) as the limit. The translated strings are still used as format strings for the two cases that carry an exit status; for the "Done" case, which takes no arguments, the translation should be passed as a "%s" argument so that a catalog entry containing conversion specifiers is treated as data rather than as a format:

            else if (WIFEXITED (p->status))
              {
                temp = retcode_name_buffer;
                es = WEXITSTATUS (p->status);
                if (es == 0)
                  snprintf (temp, sizeof (retcode_name_buffer), "%s", _("Done"));
                else if (posixly_correct)
                  snprintf (temp, sizeof (retcode_name_buffer), _("Done(%d)"), es);
                else
                  snprintf (temp, sizeof (retcode_name_buffer), _("Exit %d"), es);
              }

        With snprintf an over-long translation is clipped to 63 bytes plus the terminating NUL instead of overflowing. Note that msgfmt --check validates the format directives of c-format translations but never their length, so the bound in the code is the only protection against a long catalog entry.
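The following is an added example, not code from bash's jobs.c or from the bug report. It models the pattern the report describes: a gettext-translated job status string written into a fixed 64-byte buffer, beside the bounded replacement. The xlate_*() functions are hypothetical stand-ins for gettext's _() (the catalog with the 96-byte "Klaar ..." translation is constructed for the demo), and unbounded_len() measures what the unbounded copy would have written without actually overflowing anything.

```c
/* Added example, not bash's jobs.c. Models the retcode_name_buffer overflow
 * from the bug report and the snprintf-bounded replacement. xlate_identity()
 * and xlate_malicious() are hypothetical stand-ins for gettext's _(); the
 * malicious catalog entry is a constructed string. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>          /* WEXITSTATUS, as jobs.c uses it */

#define RETCODE_BUF_SIZE 64    /* size of retcode_name_buffer in jobs.c */

typedef const char *(*xlate_fn)(const char *msgid);

/* Untranslated catalog: gettext returns the msgid itself. */
const char *xlate_identity(const char *msgid)
{
    return msgid;
}

/* Constructed malicious catalog: "Done" -> a 96-byte Dutch translation
 * (6 bytes of "Klaar " followed by 90 digits). */
const char *xlate_malicious(const char *msgid)
{
    static const char long_done[] =
        "Klaar "
        "123456789012345678901234567890"
        "123456789012345678901234567890"
        "123456789012345678901234567890";
    return strcmp(msgid, "Done") == 0 ? long_done : msgid;
}

/* Length (without NUL) that the unbounded strcpy/sprintf pattern would
 * write. Measured with snprintf(NULL, 0, ...) so nothing is written; a
 * result of RETCODE_BUF_SIZE or more means the real buffer overflows. */
size_t unbounded_len(xlate_fn xl, int status, int posixly_correct)
{
    int es = WEXITSTATUS(status);
    if (es == 0)
        return strlen(xl("Done"));
    if (posixly_correct)
        return (size_t)snprintf(NULL, 0, xl("Done(%d)"), es);
    return (size_t)snprintf(NULL, 0, xl("Exit %d"), es);
}

/* Bounded replacement: never writes more than size bytes including NUL.
 * Returns the length the full message needed, so a value >= size tells
 * the caller the message was truncated. The "Done" translation is passed
 * as a "%s" argument so a catalog entry containing '%' is data, not a
 * format; the two cases with an exit status need the translated format. */
size_t bounded_status(char *buf, size_t size, xlate_fn xl,
                      int status, int posixly_correct)
{
    int es = WEXITSTATUS(status);
    int n;
    if (es == 0)
        n = snprintf(buf, size, "%s", xl("Done"));
    else if (posixly_correct)
        n = snprintf(buf, size, xl("Done(%d)"), es);
    else
        n = snprintf(buf, size, xl("Exit %d"), es);
    if (n < 0) {               /* encoding error: leave an empty, terminated buffer */
        if (size)
            buf[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

int main(void)
{
    char retcode_name_buffer[RETCODE_BUF_SIZE];
    int exited_ok = 0;         /* wait status: exited normally with code 0 */
    size_t need = unbounded_len(xlate_malicious, exited_ok, 0);
    size_t got;

    printf("unbounded pattern would write %zu bytes into a %d-byte buffer: %s\n",
           need + 1, RETCODE_BUF_SIZE,
           need + 1 > RETCODE_BUF_SIZE ? "OVERFLOW" : "ok");

    got = bounded_status(retcode_name_buffer, sizeof retcode_name_buffer,
                         xlate_malicious, exited_ok, 0);
    printf("bounded: needed %zu, stored %zu bytes: \"%s\"\n",
           got, strlen(retcode_name_buffer), retcode_name_buffer);
    return 0;
}
```

The return value of bounded_status() is what makes truncation visible: when it is not smaller than the buffer size the caller knows the catalog entry was clipped, which is the condition a hardened jobs.c could log or at least tolerate instead of overrunning the variables that follow retcode_name_buffer.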