Bugzilla – Bug 770795
VUL-0: CVE-2012-3410: bash: Potentially exploitable security hole in bash.
Last modified: 2014-10-06 14:00:10 UTC
From Chet Ramey <chet.ramey@case.edu> by personal mail to the bash maintainers of most vendors:
| Hi. Bash-4.2 patch 33 fixes a buffer overflow that is a potentially
| exploitable security hole. I urge you to add it to your distributions
| and ports as quickly as possible. Thanks.
|
| Chet
Created attachment 498096
bash42-033

This is the patch used for current bash-4.2, I'll investigate which versions of the current products including openSUSE are affected and will try to port back the patch.
As this is a known-sized stack buffer, the fortify extension would probably trigger. Any idea how to reproduce this?
Currently I've no idea but the code is used by the builtin test command of the shell. Nevertheless I'm ready to submit the fixed bash for openSUSE 11.4, 12.1, and 12.2 as well as for SLES10-SP3, SLES11-SP1, and SLES9-SP3 all based on the latest bash package. The update for openSUSE 12.2 could be skipped if the submit reqthe latest version in factory will become part of 12.2
Args ... if the latest submit request #127401 for the bash will become part of factory as well as for openSUSE 12.2
test -e /dev/fd/111111111111111111111111111111111111
*** buffer overflow detected ***: bash terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f26ac593997]
/lib64/libc.so.6(+0xf7ab0)[0x7f26ac591ab0]
bash(sh_stat+0x70)[0x450f31]
bash(unary_test+0x2f)[0x432d54]
bash[0x4332b8]
bash(test_command+0x10a)[0x4337b1]
bash(test_builtin+0x59)[0x44a116]
bash[0x472e56]
bash[0x45ccb6]
bash(execute_command_internal+0x2a8)[0x45dc28]
bash(execute_command+0x4a)[0x4732fa]
bash(reader_loop+0xcd)[0x47103d]
bash(main+0x13ac)[0x41b48a]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f26ac4bb455]
bash[0x470ccd]
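The comments above point at a fixed-size stack buffer, reached through `sh_stat`, that a long `/dev/fd/` path overruns. As an added illustration (not bash source and not the attached patch), this C sketch puts that bug class next to a length-checked form; the function names, `FD_PREFIX` and the 32-byte buffer size are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define FD_PREFIX  "/proc/self/fd/"  /* assumed rewrite target, not taken from the page */
#define FD_BUF_LEN 32                /* assumed size of the fixed stack buffer */

/* Bug class: a fixed-size stack buffer filled by unbounded copies of
 * caller-controlled text. Kept for comparison only; never called here. */
int stat_dev_fd_unchecked(const char *path, struct stat *st)
{
    char pbuf[FD_BUF_LEN];
    strcpy(pbuf, FD_PREFIX);
    strcat(pbuf, path + 8);          /* no length check on the suffix */
    return stat(pbuf, st);
}

/* Hardened form: size the buffer from the input before copying.
 * Returns a malloc'd string the caller frees, or NULL on error. */
char *rewrite_dev_fd(const char *path)
{
    if (strncmp(path, "/dev/fd/", 8) != 0) {
        errno = EINVAL;
        return NULL;
    }
    size_t need = strlen(FD_PREFIX) + strlen(path + 8) + 1;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s%s", FD_PREFIX, path + 8);
    return buf;
}

/* stat() through the rewritten path, preserving errno across free(). */
int stat_dev_fd_checked(const char *path, struct stat *st)
{
    char *real = rewrite_dev_fd(path);
    if (real == NULL)
        return -1;
    int rc = stat(real, st);
    int saved = errno;
    free(real);
    errno = saved;
    return rc;
}
```

With the checked form, the path from the `test -e` line in this report ends in an ordinary `stat()` failure instead of a write past the end of the buffer.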
The SWAMPID for this issue is 48205. This issue was rated as moderate. Please submit fixed packages until 2012-07-25. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Also note that there is bnc#715706 if we want to fix this along?
I am not entirely convinced we need to do an update yet.
SLES9-SP3 and above submit request id #20485
SLES10-SP3 and above submit request id #20486
SLES11-SP1 and above submit request id #20487
openSUSE 11.4 submit request id #127659
openSUSE 12.1 submit request id #127660

for 12.2 I'm waiting if bash for 12.2 will be the same as the bash I've submitted to factory, compare with request id #127401
bugbot adjusting priority
posted to oss-sec ... unclear if it will get a CVE yet
CVE-2012-3410
openSUSE 12.2 submit request id #128131
openSUSE-SU-2012:0898-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 770795
CVE References: CVE-2012-3410
Sources used:
openSUSE 12.1 (src): bash-4.2-1.14.1
openSUSE 11.4 (src): bash-4.1-20.28.1
This is an autogenerated message for OBS integration: This bug (770795) was mentioned in https://build.opensuse.org/request/show/129440 Evergreen:11.2 / bash
This is an autogenerated message for OBS integration: This bug (770795) was mentioned in https://build.opensuse.org/request/show/129666 Evergreen:11.2 / bash
released
Update released for: bash, bash-debuginfo, readline, readline-32bit, readline-devel, readline-devel-32bit
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Update released for: bash, bash-debuginfo, bash-x86, readline, readline-32bit, readline-64bit, readline-devel, readline-devel-32bit, readline-devel-64bit, readline-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Update released for: bash, bash-debuginfo, bash-debuginfo-32bit, bash-debuginfo-x86, bash-debugsource, bash-doc, bash-x86, libreadline5, libreadline5-32bit, libreadline5-x86, readline-devel, readline-devel-32bit, readline-doc
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Update released for: bash, readline, readline-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
*** Bug 826692 has been marked as a duplicate of this bug. ***