From: DragonK
To: zsh-workers@sunsite.dk
Date: Wed, 25 Feb 2009 11:42:50 +0200
Subject: Buffer overflow in "!" handling?
Message-ID: <8fa12ca90902250142s171605bekd87885e3dbc5c4a6@mail.gmail.com>
Mailing-List: contact zsh-workers-help@sunsite.dk; run by ezmlm
X-Seq: 26601

Hello,

I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related to the handling of the "!" character in the command line (Linux).

It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh prompt (works better if zsh is compiled with stack protection, otherwise a lot of A's are needed :) ).

A quick look at the code indicates the problem to be in hist.c, function histsubchar(), where buf[256] is getting overflowed (*ptr is used to write to the buffer, but no check is made to see if ptr has passed the end of buf). I might be wrong though, I only took a couple of minutes to look at the code.
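The pattern the report describes, reconstructed as an added example: a word following "!" is copied through a pointer into a fixed 256-byte stack buffer, and nothing compares the pointer against the end of the buffer, so only the input's own delimiter stops the loop. This is illustrative code written for this page, not zsh's hist.c or histsubchar(); the delimiter set, the function names and the return codes are assumptions made here. The hardened form beside it stops as soon as the next write would reach the slot reserved for the terminator.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed stack buffer; the report says hist.c uses buf[256]. */
#define HISTBUF 256

/* Assumed delimiter set for this example only (zsh's real rules differ). */
static int ends_word(char c)
{
    return c == '\0' || c == ' ' || c == '\t' || c == '\n';
}

/* Vulnerable pattern as described in the report: the word after "!" is
 * written through ptr into buf[] with no check that ptr is still inside
 * buf.  More than HISTBUF-1 word characters write past the end of buf and
 * smash the stack.  Returns the word length, copies the word into out, or
 * returns -1 if line does not start with "!" or out is too small.
 * Only call this with input shorter than HISTBUF; it is here for contrast. */
static int bang_word_unchecked(const char *line, char *out, size_t out_sz)
{
    char buf[HISTBUF];
    char *ptr = buf;

    if (*line != '!')
        return -1;
    line++;
    while (!ends_word(*line))
        *ptr++ = *line++;               /* no bound check on ptr */
    *ptr = '\0';

    if ((size_t)(ptr - buf) >= out_sz)
        return -1;
    strcpy(out, buf);
    return (int)(ptr - buf);
}

/* Hardened form: return -2 before the write that would reach the last slot
 * of buf, which is reserved for the '\0' terminator. */
static int bang_word_bounded(const char *line, char *out, size_t out_sz)
{
    char buf[HISTBUF];
    char *ptr = buf;
    const char *end = buf + sizeof buf - 1;

    if (*line != '!')
        return -1;
    line++;
    while (!ends_word(*line)) {
        if (ptr >= end)
            return -2;                  /* event word too long: reject it */
        *ptr++ = *line++;
    }
    *ptr = '\0';

    if ((size_t)(ptr - buf) >= out_sz)
        return -1;
    strcpy(out, buf);
    return (int)(ptr - buf);
}

/* Constructed trigger in the shape of the report: "!" followed by n A's. */
static void make_bang_line(char *dst, size_t dst_sz, size_t n)
{
    size_t i;
    dst[0] = '!';
    for (i = 0; i < n && i + 2 < dst_sz; i++)
        dst[1 + i] = 'A';
    dst[1 + i] = '\0';
}

/* Result of the bounded parser on a constructed "!" + n A's line. */
static int bounded_result_for(size_t n)
{
    char line[1024];
    char word[HISTBUF];
    make_bang_line(line, sizeof line, n);
    return bang_word_bounded(line, word, sizeof word);
}

/* 1 if parser fn accepts line and yields exactly expect, else 0. */
static int word_matches(int (*fn)(const char *, char *, size_t),
                        const char *line, const char *expect)
{
    char word[HISTBUF];
    int r = fn(line, word, sizeof word);
    return r >= 0 && strcmp(word, expect) == 0 && r == (int)strlen(expect);
}

int main(void)
{
    printf("600 A's, bounded: %d (expect -2)\n", bounded_result_for(600));
    printf("255 A's, bounded: %d (expect 255)\n", bounded_result_for(255));
    printf("\"!ls -l\" -> \"ls\": %d (expect 1)\n",
           word_matches(bang_word_bounded, "!ls -l", "ls"));
    /* bang_word_unchecked() on the 600-A line is the crash from the
     * report; built with -fstack-protector the canary check aborts. */
    return 0;
}
```

The length check sits before the store, not after it, so the last byte of buf is never overwritten; a check that only fires once ptr has already passed the end still allows one out-of-bounds write. The report's observation that stack protection makes the bug easier to see matches what the unchecked version does: with a canary between buf and the saved return address, the overflow is detected at function return even when it is too short to reach a pointer the program would later dereference.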