bash: Fix for CVE-2014-6277

Follow up bash42-049 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 (From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa) (From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Popeanga <Catalin.Popeanga@enea.com> 2014-10-09 14:24:53 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-13 11:18:39 +0100
commit: b03f4da5489608f06630c61060a1280a303c0d84 (patch)
tree: 953e0adb042544e2ee1b8ed8bf8e5ea8cd0f00c5
parent: db7891c164f8522358a850014754eb6a0bd64c2d (diff)
download: poky-b03f4da5489608f06630c61060a1280a303c0d84.tar.gz
4 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
new file mode 100644
index 0000000000..ed63916669
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release: 3.2
+Patch-ID: bash32-056
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized.  This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c        2006-09-12 09:21:22.000000000 -0400
+++ b/make_cmd.c        2014-10-02 11:41:40.000000000 -0400
+@@ -677,4 +677,5 @@
+   temp->redirector = source;
+   temp->redirectee = dest_and_filename;
+  temp->here_doc_eof = 0;
+   temp->instruction = instruction;
+   temp->flags = 0;
+--- a/copy_cmd.c        2003-10-07 11:43:44.000000000 -0400
+++ b/copy_cmd.c        2014-10-02 11:41:40.000000000 -0400
+@@ -117,5 +117,5 @@
+     case r_reading_until:
+     case r_deblank_reading_until:
+-      new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
+      new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+       /*FALLTHROUGH*/
+     case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
new file mode 100644
index 0000000000..83b40027cf
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
+ 
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.3
+Patch-ID:       bash43-029
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized.  This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c        2011-12-16 08:08:01.000000000 -0500
+++ b/make_cmd.c        2014-10-02 11:24:23.000000000 -0400
+@@ -693,4 +693,5 @@
+   temp->redirector = source;
+   temp->redirectee = dest_and_filename;
+  temp->here_doc_eof = 0;
+   temp->instruction = instruction;
+   temp->flags = 0;
+--- a/copy_cmd.c        2009-09-11 16:28:02.000000000 -0400
+++ b/copy_cmd.c        2014-10-02 11:24:23.000000000 -0400
+@@ -127,5 +127,5 @@
+     case r_reading_until:
+     case r_deblank_reading_until:
+-      new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
+      new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+       /*FALLTHROUGH*/
+     case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 2b26ae75c2..4bd97e7116 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           file://cve-2014-7169.patch \
           file://Fix-for-bash-exported-function-namespace-change.patch \
           file://cve-2014-7186_cve-2014-7187.patch \
+           file://cve-2014-6277.patch \
           file://run-ptest \
          "
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index ae63ad3745..35af8128c3 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           file://cve-2014-7169.patch \
           file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
           file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
+           file://cve-2014-6277.patch \
           file://run-ptest \
           "
author	Catalin Popeanga <Catalin.Popeanga@enea.com>	2014-10-09 14:24:53 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-13 11:18:39 +0100
commit	b03f4da5489608f06630c61060a1280a303c0d84 (patch)
tree	953e0adb042544e2ee1b8ed8bf8e5ea8cd0f00c5
parent	db7891c164f8522358a850014754eb6a0bd64c2d (diff)
download	poky-b03f4da5489608f06630c61060a1280a303c0d84.tar.gz

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch new file mode 100644 index 0000000000..ed63916669 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
@@ -0,0 +1,44 @@
		1	bash: Fix CVE-2014-6277 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 3.2
		15	Patch-ID: bash32-056
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	When bash is parsing a function definition that contains a here-document
		24	delimited by end-of-file (or end-of-string), it leaves the closing delimiter
		25	uninitialized. This can result in an invalid memory access when the parsed
		26	function is later copied.
		27	---
		28	--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
		29	+++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
		30	@@ -677,4 +677,5 @@
		31	temp->redirector = source;
		32	temp->redirectee = dest_and_filename;
		33	+ temp->here_doc_eof = 0;
		34	temp->instruction = instruction;
		35	temp->flags = 0;
		36	--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
		37	+++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
		38	@@ -117,5 +117,5 @@
		39	case r_reading_until:
		40	case r_deblank_reading_until:
		41	- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
		42	+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
		43	/FALLTHROUGH/
		44	case r_reading_string:


diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch new file mode 100644 index 0000000000..83b40027cf --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
@@ -0,0 +1,44 @@
		1	bash: Fix CVE-2014-6277 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 4.3
		15	Patch-ID: bash43-029
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	When bash is parsing a function definition that contains a here-document
		24	delimited by end-of-file (or end-of-string), it leaves the closing delimiter
		25	uninitialized. This can result in an invalid memory access when the parsed
		26	function is later copied.
		27	---
		28	--- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
		29	+++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400
		30	@@ -693,4 +693,5 @@
		31	temp->redirector = source;
		32	temp->redirectee = dest_and_filename;
		33	+ temp->here_doc_eof = 0;
		34	temp->instruction = instruction;
		35	temp->flags = 0;
		36	--- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
		37	+++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
		38	@@ -127,5 +127,5 @@
		39	case r_reading_until:
		40	case r_deblank_reading_until:
		41	- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
		42	+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
		43	/FALLTHROUGH/
		44	case r_reading_string:


diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 2b26ae75c2..4bd97e7116 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
16	file://cve-2014-7169.patch \	16	file://cve-2014-7169.patch \
17	file://Fix-for-bash-exported-function-namespace-change.patch \	17	file://Fix-for-bash-exported-function-namespace-change.patch \
18	file://cve-2014-7186_cve-2014-7187.patch \	18	file://cve-2014-7186_cve-2014-7187.patch \
		19	file://cve-2014-6277.patch \
19	file://run-ptest \	20	file://run-ptest \
20	"	21	"
21		22


diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index ae63ad3745..35af8128c3 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
25	file://cve-2014-7169.patch \	25	file://cve-2014-7169.patch \
26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \	26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \	27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
		28	file://cve-2014-6277.patch \
28	file://run-ptest \	29	file://run-ptest \
29	"	30	"
30		31