On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant <corbin.souffr...@gmail.com> wrote:
(...)
> I found a reproducible use-after-free in every version of Bash from
> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
> say potentially, because I can get it to crash in restricted mode, but I
> haven't gone through the effort of attempting to heap spray to overwrite
> function pointers.

Disclaimer: I'm not a maintainer. Did you check the `devel' branch in the git repository? I don't think the restricted mode is really advertised as a powerful security feature, so IMO you should be able to report it here. If you're worried though, you can always email Chet Ramey directly.