1 # Fix for CVE-2012-3410.
2 # Solaris-specific. There are no threads in bash, therefore
3 # no concurrency issues on accessing a static buffer.
4 # Not for upstream, their fix is too Linux-specific
5 --- lib/sh/eaccess.c 2012-10-09 12:45:17.924274300 -0700
6 +++ lib/sh/eaccess.c 2012-10-09 12:44:21.930979200 -0700
8 #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H)
10 #endif /* !_POSIX_VERSION */
12 +#include <string.h> /* memset(3C) */
13 +#include <limits.h> /* _XOPEN_PATH_MAX */
15 #include "posixstat.h"
22 - static char *pbuf = 0;
23 + static char pbuf[_XOPEN_PATH_MAX + 1];
28 trailing slash. Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
29 On most systems, with the notable exception of linux, this is
30 effectively a no-op. */
31 - pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
32 + /* The way CVE-2012-3410 was fixed is wrong */
33 + (void) memset (pbuf, '\0', sizeof(pbuf));
34 strcpy (pbuf, DEV_FD_PREFIX);
35 - strcat (pbuf, path + 8);
36 + strncat (pbuf, path + 8,
37 + (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX)));
38 return (stat (pbuf, finfo));
39 #endif /* !HAVE_DEV_FD */
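Review bot: The `strncat` bound `sizeof(pbuf) - sizeof(DEV_FD_PREFIX)` keeps the write inside `pbuf`, but an over-long `path + 8` is truncated silently, so `stat` then reports on a name the caller never passed. Rejecting the input before the copy would be safer, e.g. `if (strlen (path + 8) > sizeof (pbuf) - sizeof (DEV_FD_PREFIX)) { errno = ENAMETOOLONG; return (-1); }`, assuming `errno` is already declared in this file, which the visible lines do not show. The added comment `/* The way CVE-2012-3410 was fixed is wrong */` does not say what is wrong; something like `/* Fixed-size static buffer instead of xrealloc(); the strncat bound leaves room for the NUL */` would tell the next maintainer why the bound is written this way. The enclosing function begins and ends outside the visible lines.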