CVE-2012-6711: Buffer Overflow
First published: Mon Jun 17 2019(Updated: )
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU Bash | >=4.2<=4.3 | |
| Redhat Enterprise Linux | =7.0 | |
| debian/bash | 5.1-2+deb11u1 5.2.15-2 5.2.32-1 | |
| redhat/bash | <4.3 | 4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5
- http://www.securityfocus.com/bid/108824
- https://bugzilla.redhat.com/show_bug.cgi?id=1721071
- https://support.f5.com/csp/article/K05122252
- https://support.f5.com/csp/article/K05122252?utm_source=f5support&utm_medium=RSS
- https://usn.ubuntu.com/4180-1/
- http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5
- https://support.f5.com/csp/article/K05122252?utm_source=f5support&amp;utm_medium=RSS
- https://launchpad.net/bugs/cve/CVE-2012-6711
- https://support.f5.com/csp/article/K05122252?utm_source=f5support&%3Butm_medium=RSS
- https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5
- https://security-tracker.debian.org/tracker/CVE-2012-6711
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1721852
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711
- https://nvd.nist.gov/vuln/detail/CVE-2012-6711
- https://ubuntu.com/security/CVE-2012-6711
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2012-6711.
What is the severity rating of CVE-2012-6711?
CVE-2012-6711 has a severity rating of 7.8 (high).
What is the affected software for CVE-2012-6711?
The affected software for CVE-2012-6711 includes GNU Bash versions before 4.3, Debian bash versions 5.0-4, 5.1-2+deb11u1, and 5.2.15-2, Ubuntu bash version 4.3-1, GNU Bash versions 4.2 and earlier, and Redhat Enterprise Linux version 7.0.
How can I fix CVE-2012-6711?
To fix CVE-2012-6711, you should update GNU Bash to version 4.3 or later, Debian bash to versions 5.0-4, 5.1-2+deb11u1, or 5.2.15-2, Ubuntu bash to version 4.3-1, or Redhat Enterprise Linux to a version higher than 7.0.
Where can I find more information about CVE-2012-6711?
You can find more information about CVE-2012-6711 at the following references: [1] http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5, [2] https://bugzilla.redhat.com/show_bug.cgi?id=1721071, [3] http://www.securityfocus.com/bid/108824.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/remedy
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/description
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-6711
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- vendor/gnu
- canonical/gnu bash
- version/gnu bash/4.2
- version/gnu bash/4.3
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- package-manager/debian
- package-manager/redhat