{"id":"UBUNTU-CVE-2012-6711","details":"A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().","modified":"2026-02-04T03:44:26.092593Z","published":"2019-06-18T18:15:00Z","withdrawn":"2025-07-18T16:42:48Z","related":["USN-4180-1"],"upstream":["CVE-2012-6711"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2012-6711"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4180-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2012-6711"}],"affected":[{"package":{"name":"bash","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/bash@4.3-14ubuntu1.3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3-14ubuntu1.3"}]}],"versions":["4.3-14ubuntu1","4.3-14ubuntu1.1","4.3-14ubuntu1.2"],"ecosystem_specific":{"binaries":[{"binary_name":"bash","binary_version":"4.3-14ubuntu1.3"},{"binary_name":"bash-builtins","binary_version":"4.3-14ubuntu1.3"},{"binary_name":"bash-dbgsym","binary_version":"4.3-14ubuntu1.3"},{"binary_name":"bash-doc","binary_version":"4.3-14ubuntu1.3"},{"binary_name":"bash-static","binary_version":"4.3-14ubuntu1.3"},{"binary_name":"bash-static-dbgsym","binary_version":"4.3-14ubuntu1.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2012/UBUNTU-CVE-2012-6711.json"}},{"package":{"name":"bash","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/bash@4.4.18-2ubuntu1.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.4.18-2ubuntu1.1"}]}],"versions":["4.4-5ubuntu1","4.4.18-1ubuntu1","4.4.18-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"bash","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-builtins","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-builtins-dbgsym","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-dbgsym","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-doc","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-static","binary_version":"4.4.18-2ubuntu1.1"},{"binary_name":"bash-static-dbgsym","binary_version":"4.4.18-2ubuntu1.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2012/UBUNTU-CVE-2012-6711.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}