BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-033

Bug-Reported-by:	David Leverton <levertond@googlemail.com>

Bug-Reference-ID:	<4FCCE737.1060603@googlemail.com>

Bug-Reference-URL:

Bug-Description:

Bash uses a static buffer when expanding the /dev/fd prefix for the test

and conditional commands, among other uses, when it should use a dynamic

buffer to avoid buffer overflow.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/lib/sh/eaccess.c	2011-01-08 20:50:10.000000000 -0500

--- lib/sh/eaccess.c	2012-06-04 21:06:43.000000000 -0400

***************

*** 83,86 ****

--- 83,88 ----

       struct stat *finfo;

  {

+   static char *pbuf = 0;

+ 

    if (*path == '\0')

      {

***************

*** 107,111 ****

       On most systems, with the notable exception of linux, this is

       effectively a no-op. */

!       char pbuf[32];

        strcpy (pbuf, DEV_FD_PREFIX);

        strcat (pbuf, path + 8);

--- 109,113 ----

       On most systems, with the notable exception of linux, this is

       effectively a no-op. */

!       pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));

        strcpy (pbuf, DEV_FD_PREFIX);

        strcat (pbuf, path + 8);

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 32

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 33

  #endif /* _PATCHLEVEL_H_ */