Lucene search

K
ubuntucveUbuntu.comUB:CVE-2012-3410
HistoryAug 27, 2012 - 12:00 a.m.

CVE-2012-3410

2012-08-2700:00:00
ubuntu.com
ubuntu.com
9

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.1%

Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2
patch 33 might allow local users to bypass intended restricted shell access
via a long filename in /dev/fd, which is not properly handled when
expanding the /dev/fd prefix.

Notes

Author Note
jdstrand reproducer in oss thread verified that compiler hardening blocks this on all releases (-D_FORTIFY_SOURCE=2 on 10.04 LTS+ and -fstack-protector on 8.04 LTS)
mdeslaur since this gets blocked, it is not a security issue. Ignoring.

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.1%