462fb2
			     BASH PATCH REPORT
462fb2
			     =================
462fb2
462fb2
Bash-Release:	4.2
462fb2
Patch-ID:	bash42-033
462fb2
462fb2
Bug-Reported-by:	David Leverton <levertond@googlemail.com>
462fb2
Bug-Reference-ID:	<4FCCE737.1060603@googlemail.com>
462fb2
Bug-Reference-URL:
462fb2
462fb2
Bug-Description:
462fb2
462fb2
Bash uses a static buffer when expanding the /dev/fd prefix for the test
462fb2
and conditional commands, among other uses, when it should use a dynamic
462fb2
buffer to avoid buffer overflow.
462fb2
462fb2
Patch (apply with `patch -p0'):
462fb2
462fb2
*** ../bash-4.2-patched/lib/sh/eaccess.c	2011-01-08 20:50:10.000000000 -0500
462fb2
--- lib/sh/eaccess.c	2012-06-04 21:06:43.000000000 -0400
462fb2
***************
462fb2
*** 83,86 ****
462fb2
--- 83,88 ----
462fb2
       struct stat *finfo;
462fb2
  {
462fb2
+   static char *pbuf = 0;
462fb2
+ 
462fb2
    if (*path == '\0')
462fb2
      {
462fb2
***************
462fb2
*** 107,111 ****
462fb2
       On most systems, with the notable exception of linux, this is
462fb2
       effectively a no-op. */
462fb2
!       char pbuf[32];
462fb2
        strcpy (pbuf, DEV_FD_PREFIX);
462fb2
        strcat (pbuf, path + 8);
462fb2
--- 109,113 ----
462fb2
       On most systems, with the notable exception of linux, this is
462fb2
       effectively a no-op. */
462fb2
!       pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
462fb2
        strcpy (pbuf, DEV_FD_PREFIX);
462fb2
        strcat (pbuf, path + 8);
462fb2
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
462fb2
--- patchlevel.h	Thu Feb 24 21:41:34 2011
462fb2
***************
462fb2
*** 26,30 ****
462fb2
     looks for to find the patch level (for the sccs version string). */
462fb2
  
462fb2
! #define PATCHLEVEL 32
462fb2
  
462fb2
  #endif /* _PATCHLEVEL_H_ */
462fb2
--- 26,30 ----
462fb2
     looks for to find the patch level (for the sccs version string). */
462fb2
  
462fb2
! #define PATCHLEVEL 33
462fb2
  
462fb2
  #endif /* _PATCHLEVEL_H_ */