bash \w option PS1 Environment Variable Overflow

1998-09-04T00:00:00
ID OSVDB:8345
Type osvdb
Reporter Joao Manuel Carolino (root@einstein.dhis.eu.org)
Modified 1998-09-04T00:00:00

Description

Vulnerability Description

A local overflow exists in bash. The rl_redisplay() function fails to perform proper bounds checking, resulting in a buffer overflow. The issue is triggered by creating an overly long directory name containing more than 1024 bytes, which is inserted into the password prompt via the '\w' option in the PS1 environment variable when another user changes into that directory. It is possible for a malicious user to gain elevated privileges, resulting in a loss of integrity.
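
An added audit sketch for the condition described above (not part of the original advisory or of bash): it lists directories whose absolute path exceeds the 1024-byte figure given here, and checks whether a prompt string uses '\w'. The function names long_dirs and prompt_uses_w are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers for the condition this advisory describes.
# Function names are hypothetical; 1024 is the byte threshold the advisory gives.

# List directories under $1 whose absolute path is longer than $2 bytes
# (default 1024). Output: "<bytes><TAB><path>", one directory per line.
long_dirs() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -xdev -type d -exec sh -c '
        limit=$1; shift
        for d do
            # wc -c counts bytes, which is what matters for a fixed-size buffer
            n=$(($(printf %s "$d" | wc -c)))
            if [ "$n" -gt "$limit" ]; then
                printf "%s\t%s\n" "$n" "$d"
            fi
        done
    ' sh "${2:-1024}" {} +
}

# Succeed if the prompt string $1 contains the \w escape, which expands to
# the full working directory and is the insertion point named in the advisory.
prompt_uses_w() {
    case $1 in
        *'\w'*) return 0 ;;
    esac
    return 1
}

# Stand-alone use: sh audit.sh /home [limit]
if [ "$#" -gt 0 ]; then
    long_dirs "$@"
fi
```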

Solution Description

Contact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Mail List Post: http://seclists.org/lists/bugtraq/1998/Sep/0056.html
Mail List Post: http://seclists.org/lists/bugtraq/1998/Sep/0050.html
ISS X-Force ID: 3414
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/1998_3/0765.html
CVE-1999-1048