diff options
| author | Ross Burton <ross.burton@intel.com> | 2014-09-26 00:05:18 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-02 12:48:10 +0100 |
| commit | 3bde5804e329b582739414caf2c1534b6ab1ee3d (patch) | |
| tree | 6e7522a79cf0bd63457945aa1b14078e225ea652 | |
| parent | c084a21b1ae0d954e475f702bb36f045af285b0b (diff) | |
| download | poky-3bde5804e329b582739414caf2c1534b6ab1ee3d.tar.gz | |
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | 77 | ||||
| -rw-r--r-- | meta/recipes-extended/bash/bash_3.2.48.bb | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | |||
| @@ -0,0 +1,77 @@ | |||
| 1 | Fix CVE-2014-6271, aka ShellShock. | ||
| 2 | |||
| 3 | Upstream-Status: Backport | ||
| 4 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
| 5 | |||
| 6 | *** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 | ||
| 7 | --- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 | ||
| 8 | *************** | ||
| 9 | *** 34,37 **** | ||
| 10 | --- 34,39 ---- | ||
| 11 | |||
| 12 | /* Flags for describe_command, shared between type.def and command.def */ | ||
| 13 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
| 14 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
| 15 | #define CDESC_ALL 0x001 /* type -a */ | ||
| 16 | #define CDESC_SHORTDESC 0x002 /* command -V */ | ||
| 17 | *** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 | ||
| 18 | --- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 | ||
| 19 | *************** | ||
| 20 | *** 235,238 **** | ||
| 21 | --- 235,246 ---- | ||
| 22 | struct fd_bitmap *bitmap; | ||
| 23 | |||
| 24 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
| 25 | + { | ||
| 26 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
| 27 | + should_jump_to_top_level = 0; | ||
| 28 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
| 29 | + break; | ||
| 30 | + } | ||
| 31 | + | ||
| 32 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
| 33 | begin_unwind_frame ("pe_dispose"); | ||
| 34 | *************** | ||
| 35 | *** 292,295 **** | ||
| 36 | --- 300,306 ---- | ||
| 37 | dispose_fd_bitmap (bitmap); | ||
| 38 | discard_unwind_frame ("pe_dispose"); | ||
| 39 | + | ||
| 40 | + if (flags & SEVAL_ONECMD) | ||
| 41 | + break; | ||
| 42 | } | ||
| 43 | } | ||
| 44 | *** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 | ||
| 45 | --- variables.c 2014-09-16 19:10:39.000000000 -0400 | ||
| 46 | *************** | ||
| 47 | *** 319,328 **** | ||
| 48 | strcpy (temp_string + char_index + 1, string); | ||
| 49 | |||
| 50 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
| 51 | ! | ||
| 52 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
| 53 | ! functions like name()=() {...} */ | ||
| 54 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
| 55 | ! name[char_index - 2] = '\0'; | ||
| 56 | |||
| 57 | if (temp_var = find_function (name)) | ||
| 58 | --- 319,326 ---- | ||
| 59 | strcpy (temp_string + char_index + 1, string); | ||
| 60 | |||
| 61 | ! /* Don't import function names that are invalid identifiers from the | ||
| 62 | ! environment. */ | ||
| 63 | ! if (legal_identifier (name)) | ||
| 64 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
| 65 | |||
| 66 | if (temp_var = find_function (name)) | ||
| 67 | *************** | ||
| 68 | *** 333,340 **** | ||
| 69 | else | ||
| 70 | report_error (_("error importing function definition for `%s'"), name); | ||
| 71 | - | ||
| 72 | - /* ( */ | ||
| 73 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
| 74 | - name[char_index - 2] = '('; /* ) */ | ||
| 75 | } | ||
| 76 | #if defined (ARRAY_VARS) | ||
| 77 | --- 331,334 ---- | ||
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index fe04b28e7c..5849ed0169 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb | |||
| @@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ | |||
| 12 | file://mkbuiltins_have_stringize.patch \ | 12 | file://mkbuiltins_have_stringize.patch \ |
| 13 | file://build-tests.patch \ | 13 | file://build-tests.patch \ |
| 14 | file://test-output.patch \ | 14 | file://test-output.patch \ |
| 15 | file://cve-2014-6271.patch;striplevel=0 \ | ||
| 15 | file://run-ptest \ | 16 | file://run-ptest \ |
| 16 | " | 17 | " |
| 17 | 18 | ||