authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-09 14:25:15 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-10-16 16:05:56 +0200
commitc0456385ce606ca649922705721534a188dde4e0 (patch)
treecbc609db384b5ec966a0666f0fa4ba5ba78cecef
parent4b302b8fa0d568e8aea3db15c3dde988d863661c (diff)
downloadpoky-c0456385ce606ca649922705721534a188dde4e0.tar.gz
bash: Fix-for-CVE-2014-6278
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) (From OE-Core rev: 32e6864323cf2e4405b835cf474bcdf6fd572961) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch99
-rw-r--r--meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch127
-rw-r--r--meta/recipes-extended/bash/bash_3.2.48.bb1
-rw-r--r--meta/recipes-extended/bash/bash_4.2.bb1
4 files changed, 228 insertions, 0 deletions
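diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
new file mode 100644
index 0000000000..e51ce05bb5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
+bash: Fix CVE-2014-6278 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-057
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
++++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400
+@@ -44,4 +44,5 @@
+ #include "../redir.h"
+ #include "../trap.h"
++#include "../bashintl.h"
+
+ #if defined (HISTORY)
+@@ -235,10 +236,23 @@
+ struct fd_bitmap *bitmap;
+
+- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ if (flags & SEVAL_FUNCDEF)
+ {
+- internal_warning ("%s: ignoring function definition attempt", from_file);
+- should_jump_to_top_level = 0;
+- last_result = last_command_exit_value = EX_BADUSAGE;
+- break;
++ char *x;
++
++ /* If the command parses to something other than a straight
++ function definition, or if we have not consumed the entire
++ string, or if the parser has transformed the function
++ name (as parsing will if it begins or ends with shell
++ whitespace, for example), reject the attempt */
++ if (command->type != cm_function_def ||
++ ((x = parser_remaining_input ()) && *x) ||
++ (STREQ (from_file, command->value.Function_def->name->word) == 0))
++ {
++ internal_warning (_("%s: ignoring function definition attempt"), from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ reset_parser ();
++ break;
++ }
+ }
+
+@@ -302,5 +316,8 @@
+
+ if (flags & SEVAL_ONECMD)
+- break;
++ {
++ reset_parser ();
++ break;
++ }
+ }
+ }
+--- a/parse.y 2014-09-30 19:43:22.000000000 -0400
++++ b/parse.y 2014-10-04 15:58:35.000000000 -0400
+@@ -2125,4 +2125,14 @@
+ }
+
++char *
++parser_remaining_input ()
++{
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++}
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+--- a/shell.h 2008-04-28 22:00:24.000000000 -0400
++++ b/shell.h 2014-10-04 15:58:35.000000000 -0400
+@@ -161,4 +161,6 @@
+
+ /* Let's try declaring these here. */
++extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));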
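Review bot: In the embedded parse.y hunk, `parser_remaining_input ()` returns `'\0'` from a `char *` function on its out-of-range branch (the line marked `/* XXX */`), i.e. a null pointer written as a character constant. The evalstring.c caller tests `((x = parser_remaining_input ()) && *x)`, so a negative or past-the-end `shell_input_line_index` is read as "no trailing input" and does not by itself reject the imported function definition. As this is a verbatim upstream backport I would keep the code and document the contract in the patch header, for example `Note: parser_remaining_input() returns NULL both when there is no input line and when the index is out of range; the SEVAL_FUNCDEF check treats NULL as nothing left to parse.` The same function is added unchanged by bash-4.2/cve-2014-6278.patch, so the note applies there as well.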
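diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
new file mode 100644
index 0000000000..b25314fcd7
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
+bash: Fix CVE-2014-6278 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-053
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
+--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+ struct fd_bitmap *bitmap;
+
+! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+! internal_warning ("%s: ignoring function definition attempt", from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! break;
+ }
+
+--- 262,284 ----
+ struct fd_bitmap *bitmap;
+
+! if (flags & SEVAL_FUNCDEF)
+ {
+! char *x;
+!
+! /* If the command parses to something other than a straight
+! function definition, or if we have not consumed the entire
+! string, or if the parser has transformed the function
+! name (as parsing will if it begins or ends with shell
+! whitespace, for example), reject the attempt */
+! if (command->type != cm_function_def ||
+! ((x = parser_remaining_input ()) && *x) ||
+! (STREQ (from_file, command->value.Function_def->name->word) == 0))
+! {
+! internal_warning (_("%s: ignoring function definition attempt"), from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! reset_parser ();
+! break;
+! }
+ }
+
+***************
+*** 332,336 ****
+
+ if (flags & SEVAL_ONECMD)
+! break;
+ }
+ }
+--- 345,352 ----
+
+ if (flags & SEVAL_ONECMD)
+! {
+! reset_parser ();
+! break;
+! }
+ }
+ }
+*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
+--- parse.y 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+ }
+
++ char *
++ parser_remaining_input ()
++ {
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++ }
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+! if (interactive)
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+!
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
+--- shell.h 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+
+ /* Let's try declaring these here. */
++ extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));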
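Review bot: The embedded parse.y hunk at old lines 3891-3896 drops the `if (interactive)` guard, so `token_to_read = 0` now also runs in non-interactive shells, and neither the Bug-Description nor the surrounding comment says why. The 3.2.48 patch in this commit has no counterpart hunk. The enclosing function starts and ends outside the hunk, so I can only infer that this clears a pending lookahead token after `restore_input_line_state (&ls)`. A line in the patch header would help later backporters, for example `Also clears token_to_read unconditionally after restoring the input line state (parse.y); this was previously done only for interactive shells.`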
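diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 82816fdebc..bee4986025 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
  file://Fix-for-bash-exported-function-namespace-change.patch \
  file://cve-2014-7186_cve-2014-7187.patch \
  file://cve-2014-6277.patch \
+ file://cve-2014-6278.patch \
  "
 
 SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"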
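diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 1f49c46a54..c3e7126ad4 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
  file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
  file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
  file://cve-2014-6277.patch \
+ file://cve-2014-6278.patch;striplevel=0 \
  file://run-ptest \
  "
 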