A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells (rsh) on some environments to cause use-after-free. References: http://seclists.org/oss-sec/2016/q4/445
Created bash tracking bugs for this issue: Affects: fedora-all [bug 1396387]
Upstream report: https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00099.html Upstream patch: https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0725 https://rhn.redhat.com/errata/RHSA-2017-0725.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1931 https://access.redhat.com/errata/RHSA-2017:1931