Bug 1204787 - (CVE-2022-3715) VUL-0: CVE-2022-3715: bash: heap-buffer-overflow in valid_parameter_transform
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Dr. Werner Fink
https://smash.suse.de/issue/346346/
Reported: 2022-10-27 09:25 UTC by Alexander Bergmann
Modified: 2022-10-27 12:06 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2022-10-27 09:25:20 UTC
rh#2126720

A heap-buffer-overflow in valid_parameter_transform function.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2126720
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3715
Comment 1 Alexander Bergmann 2022-10-27 09:49:12 UTC
The valid_parameter_transform function is only present since bash version 5.1.

SUSE:SLE-11-SP3:Update  bash-3.2
SUSE:SLE-12-SP2:Update  bash-4.3
SUSE:SLE-15:Update      bash-4.4
SUSE:SLE-15-SP3:Update  bash-4.4
SUSE:SLE-15-SP4:Update  bash-4.4

And it looks like Factory has already the fix in question.

openSUSE:Factory        bash-5.2


Possible upstream fix:

--- a/subst.c
+++ b/subst.c
@@ -8660,7 +8660,7 @@ parameter_brace_transform (varname, value, estatep, xform, rtype, quoted, pflags
       return ((char *)NULL);
     }
 
-  if (valid_parameter_transform (xform) == 0)
+  if (xform[0] == 0 || valid_parameter_transform (xform) == 0)
     {
       this_command_name = oname;
       if (vtype == VT_VARIABLE)
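
Review bot: The empty-string guard on the changed if line sits in parameter_brace_transform rather than in valid_parameter_transform itself, so the validator still depends on each caller rejecting an empty xform first. Consider moving the xform[0] == 0 test to the top of valid_parameter_transform, or at least add a short comment on this line saying why an empty transform operator has to be rejected before the call.
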
Comment 2 Dr. Werner Fink 2022-10-27 10:30:30 UTC
(In reply to Alexander Bergmann from comment #0)
> rh#2126720
> 
> A heap-buffer-overflow in valid_parameter_transform function.
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=2126720
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3715

Both links are not readable
Comment 3 Dr. Werner Fink 2022-10-27 10:44:42 UTC
(In reply to Alexander Bergmann from comment #1)
> The valid_parameter_transform function is only present since bash version
> 5.1.
> 
> SUSE:SLE-11-SP3:Update  bash-3.2
> SUSE:SLE-12-SP2:Update  bash-4.3
> SUSE:SLE-15:Update      bash-4.4
> SUSE:SLE-15-SP3:Update  bash-4.4
> SUSE:SLE-15-SP4:Update  bash-4.4


 bash/Updates> find -name subst.c
 ./SLE-12/bash-4.2/subst.c
 ./SLE-11-SP4/bash-3.2/subst.c
 ./SLE-12-SP2/bash-4.3/subst.c
 ./SLE-12-SP2/bash-4.3.sjis/subst.c
 ./SLE-11-SP4.testout/bash-3.2/subst.c
 ./SLE-15/bash-4.4/subst.c
 bash/Updates> find -name subst.c -exec grep valid_parameter_transform '{}' \+
 bash/Updates> 

> 
> And it looks like Factory has already the fix in question.
> 
> openSUSE:Factory        bash-5.2
> 
> 
> Possible upstream fix:
> 
> --- a/subst.c
> +++ b/subst.c
> @@ -8660,7 +8660,7 @@ parameter_brace_transform (varname, value, estatep,
> xform, rtype, quoted, pflags
>        return ((char *)NULL);
>      }
>  
> -  if (valid_parameter_transform (xform) == 0)
> +  if (xform[0] == 0 || valid_parameter_transform (xform) == 0)
>      {
>        this_command_name = oname;
>        if (vtype == VT_VARIABLE)
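
Review bot: Nothing in this patch exercises the new xform[0] == 0 branch on the changed if line; the diff touches subst.c only. Add a regression test that supplies an empty transform operator and checks that the error path guarded by this if is taken, so the guard cannot be dropped unnoticed in a later rebase.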

You might close this bug as we do not have bash 5.1 anymore on openSUSE:Factory
Comment 4 Alexander Bergmann 2022-10-27 12:06:22 UTC
Closed as fixed.
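
The find/grep triage from comment 3, extended into a small script that also checks for the guard from the proposed patch. This is an added example, not part of the original bug report; the function names, the status labels and the demo tree are constructed for illustration, and a tree fixed with different wording than the patch above is reported as needs-review.

```shell
#!/bin/sh
# Triage subst.c copies for CVE-2022-3715 (added example, not SUSE tooling).
#   not-affected : valid_parameter_transform is absent from the file
#   fixed        : the guard line from the proposed patch is present
#   needs-review : function present, guard text from the patch not found

classify_subst() {
    f=$1
    if ! grep -q 'valid_parameter_transform' "$f"; then
        echo "not-affected"
    elif grep -Fq 'xform[0] == 0 || valid_parameter_transform (xform) == 0' "$f"; then
        echo "fixed"
    else
        echo "needs-review"
    fi
}

# Print "<status> <path>" for every subst.c below the given root.
scan_tree() {
    find "$1" -name subst.c -type f | sort | while IFS= read -r path; do
        printf '%s %s\n' "$(classify_subst "$path")" "$path"
    done
}

# Constructed sample tree: one file per status, each holding only the
# line that matters for classification. Prints the temporary directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/old" "$d/unpatched" "$d/patched"
    echo 'static char *parameter_brace_expand ();' > "$d/old/subst.c"
    echo '  if (valid_parameter_transform (xform) == 0)' > "$d/unpatched/subst.c"
    echo '  if (xform[0] == 0 || valid_parameter_transform (xform) == 0)' > "$d/patched/subst.c"
    echo "$d"
}

# Usage: sh triage.sh <source-root>
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```
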