bash: fix CVE-2014-6271

CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2014-09-26 00:05:18 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-09-29 12:12:46 +0100
commit: 215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch)
tree: f42d68da7db2af51636641f6552690b4a6d2df61
parent: cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff)
download: poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz
4 files changed, 193 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
new file mode 100644
index 0000000000..7226ffb665
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
+Fix CVE-2014-6271, aka ShellShock.
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+*** ../bash-3.2.51/builtins/common.h    2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h   2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  #define CDESC_ALL             0x001   /* type -a */
+  #define CDESC_SHORTDESC               0x002   /* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c        2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c       2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-3.2.51/variables.c  2008-11-15 17:15:06.000000000 -0500
+--- variables.c 2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 319,326 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+          else
+            report_error (_("error importing function definition for `%s'"), name);
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 331,334 ----
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
new file mode 100644
index 0000000000..d33a5c8f47
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
+Fix CVE-2014-6271, aka ShellShock.  This is the upstream 4.3 patchlevel 25, minus the hunk to
+set the patch level.
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.3
+Patch-ID:       bash43-025
+Bug-Reported-by:        Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+Patch (apply with `patch -p0'):
+*** ../bash-4.3-patched/builtins/common.h       2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h   2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+  #define SEVAL_PARSEONLY       0x020
+  #define SEVAL_NOLONGJMP 0x040
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c   2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c       2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-4.3-patched/variables.c     2014-05-15 08:26:50.000000000 -0400
+--- variables.c 2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         if (posixly_correct == 0 || legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 364,372 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment, though we still allow them to be defined as shell
+!            variables. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+              report_error (_("error importing function definition for `%s'"), name);
+            }
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
+--- subst.c     2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+          goto return0;
+        }
+!       else if (var = find_variable_last_nameref (temp1))
+        {
+          temp = nameref_cell (var);
+--- 8118,8124 ----
+          goto return0;
+        }
+!       else if (var && (invisible_p (var) || var_isset (var) == 0))
+!       temp = (char *)NULL;
+!       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+        {
+          temp = nameref_cell (var);
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index fe04b28e7c..5849ed0169 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           file://mkbuiltins_have_stringize.patch \
           file://build-tests.patch \
           file://test-output.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
           file://run-ptest \
          "
diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb
index 25b7410c52..febaf338fa 100644
--- a/meta/recipes-extended/bash/bash_4.3.bb
+++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           file://mkbuiltins_have_stringize.patch \
           file://build-tests.patch \
           file://test-output.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
           file://run-ptest \
           "
author	Ross Burton <ross.burton@intel.com>	2014-09-26 00:05:18 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-09-29 12:12:46 +0100
commit	215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch)
tree	f42d68da7db2af51636641f6552690b4a6d2df61
parent	cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff)
download	poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
		1	Fix CVE-2014-6271, aka ShellShock.
		2
		3	Upstream-Status: Backport
		4	Signed-off-by: Ross Burton <ross.burton@intel.com>
		5
		6	*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
		7	--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
		8	***************
		9	* 34,37 **
		10	--- 34,39 ----
		11
		12	/* Flags for describe_command, shared between type.def and command.def */
		13	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
		14	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
		15	#define CDESC_ALL 0x001 /* type -a */
		16	#define CDESC_SHORTDESC 0x002 /* command -V */
		17	*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500
		18	--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
		19	***************
		20	* 235,238 **
		21	--- 235,246 ----
		22	struct fd_bitmap *bitmap;
		23
		24	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		25	+ {
		26	+ internal_warning ("%s: ignoring function definition attempt", from_file);
		27	+ should_jump_to_top_level = 0;
		28	+ last_result = last_command_exit_value = EX_BADUSAGE;
		29	+ break;
		30	+ }
		31	+
		32	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
		33	begin_unwind_frame ("pe_dispose");
		34	***************
		35	* 292,295 **
		36	--- 300,306 ----
		37	dispose_fd_bitmap (bitmap);
		38	discard_unwind_frame ("pe_dispose");
		39	+
		40	+ if (flags & SEVAL_ONECMD)
		41	+ break;
		42	}
		43	}
		44	*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
		45	--- variables.c 2014-09-16 19:10:39.000000000 -0400
		46	***************
		47	* 319,328 **
		48	strcpy (temp_string + char_index + 1, string);
		49
		50	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
		51	!
		52	! /* Ancient backwards compatibility. Old versions of bash exported
		53	! functions like name()=() {...} */
		54	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
		55	! name[char_index - 2] = '\0';
		56
		57	if (temp_var = find_function (name))
		58	--- 319,326 ----
		59	strcpy (temp_string + char_index + 1, string);
		60
		61	! /* Don't import function names that are invalid identifiers from the
		62	! environment. */
		63	! if (legal_identifier (name))
		64	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
		65
		66	if (temp_var = find_function (name))
		67	***************
		68	* 333,340 **
		69	else
		70	report_error (_("error importing function definition for `%s'"), name);
		71	-
		72	- /* ( */
		73	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
		74	- name[char_index - 2] = '('; /* ) */
		75	}
		76	#if defined (ARRAY_VARS)
		77	--- 331,334 ----


diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch new file mode 100644 index 0000000000..d33a5c8f47 --- /dev/null +++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
		1	Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to
		2	set the patch level.
		3
		4	Upstream-Status: Backport
		5	Signed-off-by: Ross Burton <ross.burton@intel.com>
		6
		7	BASH PATCH REPORT
		8	=================
		9
		10	Bash-Release: 4.3
		11	Patch-ID: bash43-025
		12
		13	Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
		14	Bug-Reference-ID:
		15	Bug-Reference-URL:
		16
		17	Bug-Description:
		18
		19	Under certain circumstances, bash will execute user code while processing the
		20	environment for exported function definitions.
		21
		22	Patch (apply with `patch -p0'):
		23
		24	*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
		25	--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
		26	***************
		27	* 34,37 **
		28	--- 49,54 ----
		29	#define SEVAL_PARSEONLY 0x020
		30	#define SEVAL_NOLONGJMP 0x040
		31	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
		32	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
		33
		34	/* Flags for describe_command, shared between type.def and command.def */
		35	*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
		36	--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
		37	***************
		38	* 309,312 **
		39	--- 313,324 ----
		40	struct fd_bitmap *bitmap;
		41
		42	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		43	+ {
		44	+ internal_warning ("%s: ignoring function definition attempt", from_file);
		45	+ should_jump_to_top_level = 0;
		46	+ last_result = last_command_exit_value = EX_BADUSAGE;
		47	+ break;
		48	+ }
		49	+
		50	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
		51	begin_unwind_frame ("pe_dispose");
		52	***************
		53	* 369,372 **
		54	--- 381,387 ----
		55	dispose_fd_bitmap (bitmap);
		56	discard_unwind_frame ("pe_dispose");
		57	+
		58	+ if (flags & SEVAL_ONECMD)
		59	+ break;
		60	}
		61	}
		62	*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
		63	--- variables.c 2014-09-14 14:23:35.000000000 -0400
		64	***************
		65	* 359,369 **
		66	strcpy (temp_string + char_index + 1, string);
		67
		68	! if (posixly_correct == 0 \|\| legal_identifier (name))
		69	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
		70	!
		71	! /* Ancient backwards compatibility. Old versions of bash exported
		72	! functions like name()=() {...} */
		73	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
		74	! name[char_index - 2] = '\0';
		75
		76	if (temp_var = find_function (name))
		77	--- 364,372 ----
		78	strcpy (temp_string + char_index + 1, string);
		79
		80	! /* Don't import function names that are invalid identifiers from the
		81	! environment, though we still allow them to be defined as shell
		82	! variables. */
		83	! if (legal_identifier (name))
		84	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
		85
		86	if (temp_var = find_function (name))
		87	***************
		88	* 382,389 **
		89	report_error (_("error importing function definition for `%s'"), name);
		90	}
		91	-
		92	- /* ( */
		93	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
		94	- name[char_index - 2] = '('; /* ) */
		95	}
		96	#if defined (ARRAY_VARS)
		97	--- 385,388 ----
		98	*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
		99	--- subst.c 2014-09-12 15:31:04.000000000 -0400
		100	***************
		101	* 8048,8052 **
		102	goto return0;
		103	}
		104	! else if (var = find_variable_last_nameref (temp1))
		105	{
		106	temp = nameref_cell (var);
		107	--- 8118,8124 ----
		108	goto return0;
		109	}
		110	! else if (var && (invisible_p (var) \|\| var_isset (var) == 0))
		111	! temp = (char *)NULL;
		112	! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
		113	{
		114	temp = nameref_cell (var);


diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index fe04b28e7c..5849ed0169 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
12	file://mkbuiltins_have_stringize.patch \	12	file://mkbuiltins_have_stringize.patch \
13	file://build-tests.patch \	13	file://build-tests.patch \
14	file://test-output.patch \	14	file://test-output.patch \
		15	file://cve-2014-6271.patch;striplevel=0 \
15	file://run-ptest \	16	file://run-ptest \
16	"	17	"
17		18


diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb index 25b7410c52..febaf338fa 100644 --- a/meta/recipes-extended/bash/bash_4.3.bb +++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
9	file://mkbuiltins_have_stringize.patch \	9	file://mkbuiltins_have_stringize.patch \
10	file://build-tests.patch \	10	file://build-tests.patch \
11	file://test-output.patch \	11	file://test-output.patch \
		12	file://cve-2014-6271.patch;striplevel=0 \
12	file://run-ptest \	13	file://run-ptest \
13	"	14	"
14		15