summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-09 14:24:53 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-10-16 16:05:56 +0200
commit4b302b8fa0d568e8aea3db15c3dde988d863661c (patch)
tree3fc66f8281c1971dc4707d833afe672a98a0cff8
parent7a9908432f6a5ffea73bbf16cef6eb9931f7d4e3 (diff)
downloadpoky-4b302b8fa0d568e8aea3db15c3dde988d863661c.tar.gz
bash: Fix for CVE-2014-6277
Follow up bash42-049 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 (From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa) (From OE-Core rev: ae653aed4c6b7d8075cd464edcd2e01237bfc105) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch44
-rw-r--r--meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch44
-rw-r--r--meta/recipes-extended/bash/bash_3.2.48.bb1
-rw-r--r--meta/recipes-extended/bash/bash_4.2.bb1
4 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
new file mode 100644
index 0000000000..ed63916669
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
@@ -0,0 +1,44 @@
1bash: Fix CVE-2014-6277 (shellshock)
2
3Upstream-status: backport
4
5Downloaded from:
6ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
7
8Author: Chet Ramey <chet.ramey@case.edu>
9Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
10
11 BASH PATCH REPORT
12 =================
13
14Bash-Release: 3.2
15Patch-ID: bash32-056
16
17Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
18Bug-Reference-ID:
19Bug-Reference-URL:
20
21Bug-Description:
22
23When bash is parsing a function definition that contains a here-document
24delimited by end-of-file (or end-of-string), it leaves the closing delimiter
25uninitialized. This can result in an invalid memory access when the parsed
26function is later copied.
27---
28--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
29+++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
30@@ -677,4 +677,5 @@
31 temp->redirector = source;
32 temp->redirectee = dest_and_filename;
33+ temp->here_doc_eof = 0;
34 temp->instruction = instruction;
35 temp->flags = 0;
36--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
37+++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
38@@ -117,5 +117,5 @@
39 case r_reading_until:
40 case r_deblank_reading_until:
41- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
42+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
43 /*FALLTHROUGH*/
44 case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
new file mode 100644
index 0000000000..83b40027cf
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
@@ -0,0 +1,44 @@
1bash: Fix CVE-2014-6277 (shellshock)
2
3Upstream-status: backport
4
5Downloaded from:
6ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
7
8Author: Chet Ramey <chet.ramey@case.edu>
9Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
10
11 BASH PATCH REPORT
12 =================
13
14Bash-Release: 4.3
15Patch-ID: bash43-029
16
17Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
18Bug-Reference-ID:
19Bug-Reference-URL:
20
21Bug-Description:
22
23When bash is parsing a function definition that contains a here-document
24delimited by end-of-file (or end-of-string), it leaves the closing delimiter
25uninitialized. This can result in an invalid memory access when the parsed
26function is later copied.
27---
28--- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
29+++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400
30@@ -693,4 +693,5 @@
31 temp->redirector = source;
32 temp->redirectee = dest_and_filename;
33+ temp->here_doc_eof = 0;
34 temp->instruction = instruction;
35 temp->flags = 0;
36--- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
37+++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
38@@ -127,5 +127,5 @@
39 case r_reading_until:
40 case r_deblank_reading_until:
41- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
42+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
43 /*FALLTHROUGH*/
44 case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index f50bc636af..82816fdebc 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
14 file://cve-2014-7169.patch \ 14 file://cve-2014-7169.patch \
15 file://Fix-for-bash-exported-function-namespace-change.patch \ 15 file://Fix-for-bash-exported-function-namespace-change.patch \
16 file://cve-2014-7186_cve-2014-7187.patch \ 16 file://cve-2014-7186_cve-2014-7187.patch \
17 file://cve-2014-6277.patch \
17 " 18 "
18 19
19SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8" 20SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 4ac0673a8c..1f49c46a54 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
25 file://test-output.patch \ 25 file://test-output.patch \
26 file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \ 26 file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
27 file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \ 27 file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
28 file://cve-2014-6277.patch \
28 file://run-ptest \ 29 file://run-ptest \
29 " 30 "
30 31