Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1657 - The point can be moved anywhere to the left of the line buffer
Summary: The point can be moved anywhere to the left of the line buffer
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: readline
Version: 5.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-03-22 00:46 UTC by huuskone
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-04-10 00:57:34 UTC

Attachments (Terms of Use)

Description huuskone 1999-03-22 00:46:58 UTC
By moving to the right from the start of line with arguments
1, 2^31-1, 2^31-n, consecutively, one can move the point
n characters to the left of the start of the line buffer.
Presumably, this can be used like a buffer overflow to break
out of a restricted shell, for instance.

I already wrote a patch, which I'm submitting for inspection

------- Email Received From  Taneli Huuskonen <> 03/21/99 20:09 -------

------- Email Received From  Taneli Huuskonen <> 03/21/99 23:41 -------

Comment 1 Michael K. Johnson 1999-04-10 00:57:59 UTC
Have you mentioned this to

It's not a security problem unless a setuid program uses readline
to read unsecured input or something similar is done, and I can't
think of an example off the top of my head.

The only restricted shell that we ship is smrsh (from sendmail)
and it does not use readline.

That said, I've applied your patch to our current development
tree.  However, it is always possible for patches to be dropped
from our set and it is always best to get fixes to the official
maintainers of programs, so I suggest as
the best place to get this fixed for good.

Note You need to log in before you can comment on or make changes to this bug.