From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-006 Signed-off-by: Peter Korsgaard BASH PATCH REPORT ================= Bash-Release: 4.4 Patch-ID: bash44-006 Bug-Reported-by: Bug-Reference-ID: Bug-Reference-URL: Bug-Description: Out-of-range negative offsets to popd can cause the shell to crash attempting to free an invalid memory block. Patch (apply with `patch -p0'): *** bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500 --- b/builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400 *************** *** 366,370 **** } ! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) { pushd_error (directory_list_offset, which_word ? which_word : ""); --- b/366,370 ---- } ! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) { pushd_error (directory_list_offset, which_word ? which_word : ""); *************** *** 388,391 **** --- b/388,396 ---- of the list into place. */ i = (direction == '+') ? directory_list_offset - which : which; + if (i < 0 || i > directory_list_offset) + { + pushd_error (directory_list_offset, which_word ? which_word : ""); + return (EXECUTION_FAILURE); + } free (pushd_directory_list[i]); directory_list_offset--; *** bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 --- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 5 #endif /* _PATCHLEVEL_H_ */ --- b/26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 6 #endif /* _PATCHLEVEL_H_ */
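Review bot: in the first pushd.def hunk (at line 366), the added clause `(which < -directory_list_offset)` carries no comment explaining how a negative `which` reaches this test. It is also wrapped in parentheses although it is a single comparison, like the bare `which > directory_list_offset` beside it. Suggest writing the two range clauses in the same style and adding a one-line comment that out-of-range negative offsets are rejected here, since the bug description says they otherwise end in a free of an invalid block.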
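Review bot: in the second pushd.def hunk (at line 388), the upper bound `i > directory_list_offset` lets `i == directory_list_offset` through to `free (pushd_directory_list[i])`, and nothing in the visible lines shows that slot holds a live entry. If valid indices stop at `directory_list_offset - 1`, the test should be `i >= directory_list_offset`; if the equal case is handled before this point, a comment stating the valid range of `i` would settle it. The comment could also say why this check is needed on top of the one at line 366: with direction '+', a negative `which` that passes the first test still yields `i = directory_list_offset - which` above `directory_list_offset`, so this is the check that actually guards the free.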