BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-035
Bug-Reported-by:
Bug-Reference-ID:
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-08/msg00045.html
Bug-Description:
A locale with a long name can trigger a buffer overflow and core dump. This applies on systems that do not have locale_charset in libc, are not using GNU libiconv, and are not using the libintl that ships with bash in lib/intl.
Patch (apply with `patch -p0'):
*** ../bash-4.3-patched/lib/sh/unicode.c 2014-01-30 16:47:19.000000000 -0500
--- lib/sh/unicode.c 2015-05-01 08:58:30.000000000 -0400
***************
*** 79,83 ****
if (s)
{
! strcpy (charsetbuf, s+1);
t = strchr (charsetbuf, '@');
if (t)
--- 79,84 ----
if (s)
{
! strncpy (charsetbuf, s+1, sizeof (charsetbuf) - 1);
! charsetbuf[sizeof (charsetbuf) - 1] = '\0';
t = strchr (charsetbuf, '@');
if (t)
***************
*** 85,89 ****
return charsetbuf;
}
! strcpy (charsetbuf, locale);
return charsetbuf;
}
--- 86,91 ----
return charsetbuf;
}
! strncpy (charsetbuf, locale, sizeof (charsetbuf) - 1);
! charsetbuf[sizeof (charsetbuf) - 1] = '\0';
return charsetbuf;
}
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 34
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 35
#endif /* _PATCHLEVEL_H_ */
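Review bot: Both replaced copies in lib/sh/unicode.c (the `s+1` copy in the first hunk and the `locale` copy in the second) now shorten an over-long name silently, so the function can hand back a truncated string that presumably matches no real charset, with nothing telling the caller. If truncation is the accepted outcome, state it next to the first copy, e.g. `/* names that do not fit in charsetbuf are truncated, not rejected */`; otherwise test the length before copying, e.g. `if (strlen (locale) >= sizeof (charsetbuf))`, and take whatever fallback the callers expect. `sizeof (charsetbuf)` bounds the copy only if `charsetbuf` is declared as an array rather than a pointer. That declaration and the start of the enclosing function lie outside these hunks, so it is worth confirming.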