Bug 1657

Summary: The point can be moved anywhere to the left of the line buffer
Product: [Retired] Red Hat Linux Reporter: huuskone
Component: readlineAssignee: David Lawrence <dkl>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 5.1Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-04-10 00:57:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description huuskone 1999-03-22 00:46:58 UTC 
By moving to the right from the start of line with arguments
1, 2^31-1, 2^31-n, consecutively, one can move the point
n characters to the left of the start of the line buffer.
Presumably, this can be used like a buffer overflow to break
out of a restricted shell, for instance.

I already wrote a patch, which I'm submitting for inspection
immediately.

------- Email Received From  Taneli Huuskonen <huuskone.fi> 03/21/99 20:09 -------


------- Email Received From  Taneli Huuskonen <huuskone.fi> 03/21/99 23:41 -------
Comment 1 Michael K. Johnson 1999-04-10 00:57:59 UTC 
Have you mentioned this to bug-readline?

It's not a security problem unless a setuid program uses readline
to read unsecured input or something similar is done, and I can't
think of an example off the top of my head.

The only restricted shell that we ship is smrsh (from sendmail)
and it does not use readline.

That said, I've applied your patch to our current development
tree.  However, it is always possible for patches to be dropped
from our set and it is always best to get fixes to the official
maintainers of programs, so I suggest bug-readline as
the best place to get this fixed for good.