By moving to the right from the start of line with arguments 1, 2^31-1, 2^31-n, consecutively, one can move the point n characters to the left of the start of the line buffer. Presumably, this can be used like a buffer overflow to break out of a restricted shell, for instance. I already wrote a patch, which I'm submitting for inspection immediately.

------- Email Received From Taneli Huuskonen <huuskone.fi> 03/21/99 20:09 -------

------- Email Received From Taneli Huuskonen <huuskone.fi> 03/21/99 23:41 -------

Have you mentioned this to bug-readline? It's not a security problem unless a setuid program uses readline to read unsecured input or something similar is done, and I can't think of an example off the top of my head. The only restricted shell that we ship is smrsh (from sendmail) and it does not use readline. That said, I've applied your patch to our current development tree. However, it is always possible for patches to be dropped from our set and it is always best to get fixes to the official maintainers of programs, so I suggest bug-readline as the best place to get this fixed for good.
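
The wraparound described in the report at the top of this thread, shown as an added example that is not part of the original messages and is not readline's code. It is a simplified model with hypothetical names (`struct line`, `forward_unchecked`, `forward_checked`), assuming a 32-bit cursor and a constructed 5-character line, and it sets an add-then-clamp move beside one that checks the count before adding.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a line editor's cursor state (not readline's code). */
struct line { int32_t point; int32_t end; };

/* 32-bit two's-complement addition done in unsigned arithmetic, which avoids
 * signed-overflow undefined behaviour; the cast back wraps on mainstream compilers. */
static int32_t wrap_add(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Unchecked: adds first, then clamps only against the end of the line. */
static void forward_unchecked(struct line *l, int32_t count) {
    l->point = wrap_add(l->point, count);
    if (l->point > l->end)
        l->point = l->end;
}

/* Checked: compares count with the room left before touching point. */
static void forward_checked(struct line *l, int32_t count) {
    if (count < 0)
        return;                      /* this model ignores negative counts */
    if (count > l->end - l->point)   /* cannot overflow: 0 <= point <= end */
        l->point = l->end;
    else
        l->point += count;
}

/* Replays the three arguments from the report (n >= 1); returns the final point. */
static int32_t replay(void (*move)(struct line *, int32_t), int32_t n) {
    struct line l = { 0, 5 };        /* constructed: 5-character line */
    move(&l, 1);
    move(&l, INT32_MAX);             /* 2^31-1 */
    move(&l, INT32_MAX - n + 1);     /* 2^31-n */
    return l.point;
}

int main(void) {
    printf("unchecked: point = %d\n", (int)replay(forward_unchecked, 3));
    printf("checked:   point = %d\n", (int)replay(forward_checked, 3));
    return 0;
}
```

In the unchecked version the upper-bound clamp never fires after the second move because the sum has already wrapped negative, so a lower-bound check or a pre-addition comparison is what closes the gap.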