Bug 1204787 – VUL-0: CVE-2022-3715: bash: heap-buffer-overflow in valid_parameter_transform

Bug 1204787 - (CVE-2022-3715) VUL-0: CVE-2022-3715: bash: heap-buffer-overflow in valid_parameter_transform

(CVE-2022-3715)
Summary:	VUL-0: CVE-2022-3715: bash: heap-buffer-overflow in valid_parameter_transform

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assigned To:	Dr. Werner Fink
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/346346/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-10-27 09:25 UTC by Alexander Bergmann
Modified:	2022-10-27 12:06 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2022-10-27 09:25:20 UTC

rh#2126720

A heap-buffer-overflow in valid_parameter_transform function.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2126720
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3715

Comment 1 Alexander Bergmann 2022-10-27 09:49:12 UTC

The valid_parameter_transform function is only present since bash version 5.1.

SUSE:SLE-11-SP3:Update  bash-3.2
SUSE:SLE-12-SP2:Update  bash-4.3
SUSE:SLE-15:Update      bash-4.4
SUSE:SLE-15-SP3:Update  bash-4.4
SUSE:SLE-15-SP4:Update  bash-4.4

And it looks like Factory has already the fix in question.

openSUSE:Factory        bash-5.2


Possible upstream fix:

--- a/subst.c
+++ b/subst.c
@@ -8660,7 +8660,7 @@ parameter_brace_transform (varname, value, estatep, xform, rtype, quoted, pflags
       return ((char *)NULL);
     }
 
-  if (valid_parameter_transform (xform) == 0)
+  if (xform[0] == 0 || valid_parameter_transform (xform) == 0)
     {
       this_command_name = oname;
       if (vtype == VT_VARIABLE)

Comment 2 Dr. Werner Fink 2022-10-27 10:30:30 UTC

(In reply to Alexander Bergmann from comment #0)
> rh#2126720
> 
> A heap-buffer-overflow in valid_parameter_transform function.
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=2126720
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3715

Both links are not readable

Comment 3 Dr. Werner Fink 2022-10-27 10:44:42 UTC

(In reply to Alexander Bergmann from comment #1)
> The valid_parameter_transform function is only present since bash version
> 5.1.
> 
> SUSE:SLE-11-SP3:Update  bash-3.2
> SUSE:SLE-12-SP2:Update  bash-4.3
> SUSE:SLE-15:Update      bash-4.4
> SUSE:SLE-15-SP3:Update  bash-4.4
> SUSE:SLE-15-SP4:Update  bash-4.4


 bash/Updates> find -name subst.c
 ./SLE-12/bash-4.2/subst.c
 ./SLE-11-SP4/bash-3.2/subst.c
 ./SLE-12-SP2/bash-4.3/subst.c
 ./SLE-12-SP2/bash-4.3.sjis/subst.c
 ./SLE-11-SP4.testout/bash-3.2/subst.c
 ./SLE-15/bash-4.4/subst.c
 bash/Updates> find -name subst.c -exec grep valid_parameter_transform '{}' \+
 bash/Updates> 

> 
> And it looks like Factory has already the fix in question.
> 
> openSUSE:Factory        bash-5.2
> 
> 
> Possible upstream fix:
> 
> --- a/subst.c
> +++ b/subst.c
> @@ -8660,7 +8660,7 @@ parameter_brace_transform (varname, value, estatep,
> xform, rtype, quoted, pflags
>        return ((char *)NULL);
>      }
>  
> -  if (valid_parameter_transform (xform) == 0)
> +  if (xform[0] == 0 || valid_parameter_transform (xform) == 0)
>      {
>        this_command_name = oname;
>        if (vtype == VT_VARIABLE)

You might close this bug as we do not have bash 5.1 anymore on openSUSE:Factory

Comment 4 Alexander Bergmann 2022-10-27 12:06:22 UTC

Closed as fixed.