BASH PATCH REPORT ================= Bash-Release: 4.3 Patch-ID: bash43-035 Bug-Reported-by: Bug-Reference-ID: Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-08/msg00045.html Bug-Description: A locale with a long name can trigger a buffer overflow and core dump. This applies on systems that do not have locale_charset in libc, are not using GNU libiconv, and are not using the libintl that ships with bash in lib/intl. Patch (apply with `patch -p0'): --- a/lib/sh/unicode.c +++ b/lib/sh/unicode.c @@ -78,13 +78,15 @@ stub_charset () s = strrchr (locale, '.'); if (s) { - strcpy (charsetbuf, s+1); + strncpy (charsetbuf, s+1, sizeof (charsetbuf) - 1); + charsetbuf[sizeof (charsetbuf) - 1] = '\0'; t = strchr (charsetbuf, '@'); if (t) *t = 0; return charsetbuf; } - strcpy (charsetbuf, locale); + strncpy (charsetbuf, locale, sizeof (charsetbuf) - 1); + charsetbuf[sizeof (charsetbuf) - 1] = '\0'; return charsetbuf; } #endif --- a/patchlevel.h +++ b/patchlevel.h @@ -25,6 +25,6 @@ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh looks for to find the patch level (for the sccs version string). */ -#define PATCHLEVEL 34 +#define PATCHLEVEL 35 #endif /* _PATCHLEVEL_H_ */