Problemunvalidated
mailstat() constructs paths using sprintf into fixed-size stack buffers (dir,file) sized PATH_MAX*2 — In lib/sh/mailstat.c (GNU Bash). Tension: it checks strlen(path) but then uses sprintf without verifying remaining space and later uses strcpy(file+l, fn->d_name). Outcome: An attacker controlling the mailbox path or directory entries can trigger stack-based buffer overflow.
d85294fa-5785-4ef1-a318-d1e58ca062a8
mailstat() constructs paths using sprintf into fixed-size stack buffers (dir,file) sized PATH_MAX*2 — In lib/sh/mailstat.c (GNU Bash). Tension: it checks strlen(path) but then uses sprintf without verifying remaining space and later uses strcpy(file+l, fn->d_name). Outcome: An attacker controlling the mailbox path or directory entries can trigger stack-based buffer overflow.