glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 02/15/03

  • Next message: Vladamir Shmirnov: "Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues)" 
    Date: Sat, 15 Feb 2003 09:54:19 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: "Roland Postle" <mail@blazde.co.uk>

    Dear Roland Postle,

    It looks to be the only correct post in this thread :) Yes, it's
    definitely bug in glibc, not in bash itself (same versions of bash on
    libc systems like FreeBSD are not affected). Recurse call stack overflow
    is believed not to be exploitable to code execution, but since this bug
    is in library it may be treated as security one as it may be exploited
    remotely (at least as a DoS) in a case glob_filename is used in some
    network service.

    --Thursday, February 13, 2003, 8:34:36 PM, you wrote to vuln-dev@securityfocus.com:

    >>During some work, I noticed GNU bash could be crashed by sending a
    >>malformed perl request to the terminal.
    >>
    >> example: `perl -e 'print "*/*" x 3500'`
    >> <bash crashes>

    RP> It's a stack overflow, due to glob_filename (in glob.c) recursively
    RP> calling itself while parsing the filename. So probably not exploitable.

    RP> - Blazde 

    -- 
~/ZARAZA
Бросьте стараться - ничего из этого не выйдет. (Твен)