authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-09 14:24:29 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-10-13 11:18:38 +0100
commitdb7891c164f8522358a850014754eb6a0bd64c2d (patch)
tree3664677b2d05743ee12871e92090d5a4c3f491af
parentf7dba9940cf6067f4a26de0151c0d5cc029a04f8 (diff)
bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a follow-up patch to the incomplete CVE-2014-6271 fix (code execution via a specially crafted environment). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 (From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1) (From OE-Core rev: bdfe1e3770aeee9a1a7c65d4834f1a99820d3140) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch99
-rw-r--r--meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch167
-rw-r--r--meta/recipes-extended/bash/bash_3.2.48.bb1
-rw-r--r--meta/recipes-extended/bash/bash_4.2.bb1
4 files changed, 268 insertions, 0 deletions
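--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents ()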
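Review bot: The `word_lineno[MAX_CASE_NEST+1]` change in the embedded `@@ -280,5 +285,5 @@` hunk carries the nested-loop half of this fix, yet nothing next to the array says why one extra slot is sufficient. The code that advances `word_top` is outside the patch, so the new size is only safe if those sites stop incrementing at `MAX_CASE_NEST`; that invariant should be written down beside the declaration, e.g. `/* +1: word_top may equal MAX_CASE_NEST, so that index must stay in bounds. */`. The bash-4.2 patch added by this commit makes the same one-line change and would take the same comment. When applying the backport it is worth confirming that every writer of `word_lineno` goes through that cap.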
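--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,167 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash42-051}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-051
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
+--- parse.y 2014-09-30 19:24:19.000000000 -0400
+***************
+*** 168,171 ****
+--- 168,174 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 265,269 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 268,274 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 307,311 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 312,316 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 520,524 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 525,529 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 527,531 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS WORD
+--- 532,536 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS WORD
+***************
+*** 534,538 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_MINUS WORD
+--- 539,543 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_MINUS WORD
+***************
+*** 541,545 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 546,550 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 548,552 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+--- 553,557 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+***************
+*** 555,559 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 560,564 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 2534,2537 ****
+--- 2539,2557 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()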
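Review bot: The new `push_heredoc` in the last embedded hunk has no comment, and its failure mode is easy to miss. Once `need_here_doc` reaches `HEREDOC_MAX` it reports a syntax error and calls `exit_shell`, so the shell itself is taken down rather than only the offending command being rejected. A header comment would make that contract explicit, for example `/* Queue a here-document redirection; more than HEREDOC_MAX on one command is fatal, never an out-of-bounds store into redir_stack. */`. It should also say why `need_here_doc` is zeroed before exiting, presumably so that nothing on the exit path walks a full `redir_stack`, which needs confirming against the rest of parse.y. The identical function in the bash-3.2.48 patch from this commit would take the same comment.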
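--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
  file://cve-2014-6271.patch;striplevel=0 \
  file://cve-2014-7169.patch \
  file://Fix-for-bash-exported-function-namespace-change.patch \
+ file://cve-2014-7186_cve-2014-7187.patch \
  file://run-ptest \
  "
 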
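--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
  file://cve-2014-6271.patch;striplevel=0 \
  file://cve-2014-7169.patch \
  file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
+ file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
  file://run-ptest \
  "
 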