bash: Fix-for-CVE-2014-6278

This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) (From OE-Core rev: 32e6864323cf2e4405b835cf474bcdf6fd572961) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Popeanga <Catalin.Popeanga@enea.com> 2014-10-09 14:25:15 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-16 16:05:56 +0200
commit: c0456385ce606ca649922705721534a188dde4e0 (patch)
tree: cbc609db384b5ec966a0666f0fa4ba5ba78cecef
parent: 4b302b8fa0d568e8aea3db15c3dde988d863661c (diff)
download: poky-c0456385ce606ca649922705721534a188dde4e0.tar.gz
4 files changed, 228 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
new file mode 100644
index 0000000000..e51ce05bb5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
+bash: Fix CVE-2014-6278 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release: 3.2
+Patch-ID: bash32-057
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+--- a/builtins/evalstring.c     2014-09-16 19:08:02.000000000 -0400
+++ b/builtins/evalstring.c     2014-10-04 15:58:35.000000000 -0400
+@@ -44,4 +44,5 @@
+ #include "../redir.h"
+ #include "../trap.h"
+#include "../bashintl.h"
+ 
+ #if defined (HISTORY)
+@@ -235,10 +236,23 @@
+              struct fd_bitmap *bitmap;
+ 
+-             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+             if (flags & SEVAL_FUNCDEF)
+                {
+-                 internal_warning ("%s: ignoring function definition attempt", from_file);
+-                 should_jump_to_top_level = 0;
+-                 last_result = last_command_exit_value = EX_BADUSAGE;
+-                 break;
+                 char *x;
+
+                 /* If the command parses to something other than a straight
+                    function definition, or if we have not consumed the entire
+                    string, or if the parser has transformed the function
+                    name (as parsing will if it begins or ends with shell
+                    whitespace, for example), reject the attempt */
+                 if (command->type != cm_function_def ||
+                     ((x = parser_remaining_input ()) && *x) ||
+                     (STREQ (from_file, command->value.Function_def->name->word) == 0))
+                   {
+                     internal_warning (_("%s: ignoring function definition attempt"), from_file);
+                     should_jump_to_top_level = 0;
+                     last_result = last_command_exit_value = EX_BADUSAGE;
+                     reset_parser ();
+                     break;
+                   }
+                }
+ 
+@@ -302,5 +316,8 @@
+ 
+              if (flags & SEVAL_ONECMD)
+-               break;
+               {
+                 reset_parser ();
+                 break;
+               }
+            }
+        }
+--- a/parse.y   2014-09-30 19:43:22.000000000 -0400
+++ b/parse.y   2014-10-04 15:58:35.000000000 -0400
+@@ -2125,4 +2125,14 @@
+ }
+ 
+char *
+parser_remaining_input ()
+{
+  if (shell_input_line == 0)
+    return 0;
+  if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+    return '\0';       /* XXX */
+  return (shell_input_line + shell_input_line_index);
+}
+
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+--- a/shell.h   2008-04-28 22:00:24.000000000 -0400
+++ b/shell.h   2014-10-04 15:58:35.000000000 -0400
+@@ -161,4 +161,6 @@
+ 
+ /* Let's try declaring these here. */
+extern char *parser_remaining_input __P((void));
+
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
new file mode 100644
index 0000000000..b25314fcd7
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
+bash: Fix CVE-2014-6278 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.2
+Patch-ID:       bash42-053
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+Patch (apply with `patch -p0'):
+*** ../bash-4.2.52/builtins/evalstring.c        2014-09-16 19:35:45.000000000 -0400
+--- builtins/evalstring.c       2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+              struct fd_bitmap *bitmap;
+  
+!             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+                {
+!                 internal_warning ("%s: ignoring function definition attempt", from_file);
+!                 should_jump_to_top_level = 0;
+!                 last_result = last_command_exit_value = EX_BADUSAGE;
+!                 break;
+                }
+  
+--- 262,284 ----
+              struct fd_bitmap *bitmap;
+  
+!             if (flags & SEVAL_FUNCDEF)
+                {
+!                 char *x;
+! 
+!                 /* If the command parses to something other than a straight
+!                    function definition, or if we have not consumed the entire
+!                    string, or if the parser has transformed the function
+!                    name (as parsing will if it begins or ends with shell
+!                    whitespace, for example), reject the attempt */
+!                 if (command->type != cm_function_def ||
+!                     ((x = parser_remaining_input ()) && *x) ||
+!                     (STREQ (from_file, command->value.Function_def->name->word) == 0))
+!                   {
+!                     internal_warning (_("%s: ignoring function definition attempt"), from_file);
+!                     should_jump_to_top_level = 0;
+!                     last_result = last_command_exit_value = EX_BADUSAGE;
+!                     reset_parser ();
+!                     break;
+!                   }
+                }
+  
+***************
+*** 332,336 ****
+  
+              if (flags & SEVAL_ONECMD)
+!               break;
+            }
+        }
+--- 345,352 ----
+  
+              if (flags & SEVAL_ONECMD)
+!               {
+!                 reset_parser ();
+!                 break;
+!               }
+            }
+        }
+*** ../bash-4.2.52/parse.y      2014-09-30 19:24:19.000000000 -0400
+--- parse.y     2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+  }
+  
+ char *
+ parser_remaining_input ()
+ {
+   if (shell_input_line == 0)
+     return 0;
+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+     return '\0';      /* XXX */
+   return (shell_input_line + shell_input_line_index);
+ }
+ 
+  #ifdef INCLUDE_UNUSED
+  /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+    /* reset_parser clears shell_input_line and associated variables */
+    restore_input_line_state (&ls);
+!   if (interactive)
+!     token_to_read = 0;
+  
+    /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+    /* reset_parser clears shell_input_line and associated variables */
+    restore_input_line_state (&ls);
+! 
+!   token_to_read = 0;
+  
+    /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h      2011-11-21 18:03:32.000000000 -0500
+--- shell.h     2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+  
+  /* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+ 
+  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+  extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 82816fdebc..bee4986025 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           file://Fix-for-bash-exported-function-namespace-change.patch \
           file://cve-2014-7186_cve-2014-7187.patch \
           file://cve-2014-6277.patch \
+           file://cve-2014-6278.patch \
          "
 SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 1f49c46a54..c3e7126ad4 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
           file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
           file://cve-2014-6277.patch \
+           file://cve-2014-6278.patch;striplevel=0 \
           file://run-ptest \
           "
author	Catalin Popeanga <Catalin.Popeanga@enea.com>	2014-10-09 14:25:15 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-16 16:05:56 +0200
commit	c0456385ce606ca649922705721534a188dde4e0 (patch)
tree	cbc609db384b5ec966a0666f0fa4ba5ba78cecef
parent	4b302b8fa0d568e8aea3db15c3dde988d863661c (diff)
download	poky-c0456385ce606ca649922705721534a188dde4e0.tar.gz

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch new file mode 100644 index 0000000000..e51ce05bb5 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
		1	bash: Fix CVE-2014-6278 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 3.2
		15	Patch-ID: bash32-057
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	A combination of nested command substitutions and function importing from
		24	the environment can cause bash to execute code appearing in the environment
		25	variable value following the function definition.
		26
		27	--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
		28	+++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400
		29	@@ -44,4 +44,5 @@
		30	#include "../redir.h"
		31	#include "../trap.h"
		32	+#include "../bashintl.h"
		33
		34	#if defined (HISTORY)
		35	@@ -235,10 +236,23 @@
		36	struct fd_bitmap *bitmap;
		37
		38	- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		39	+ if (flags & SEVAL_FUNCDEF)
		40	{
		41	- internal_warning ("%s: ignoring function definition attempt", from_file);
		42	- should_jump_to_top_level = 0;
		43	- last_result = last_command_exit_value = EX_BADUSAGE;
		44	- break;
		45	+ char *x;
		46	+
		47	+ /* If the command parses to something other than a straight
		48	+ function definition, or if we have not consumed the entire
		49	+ string, or if the parser has transformed the function
		50	+ name (as parsing will if it begins or ends with shell
		51	+ whitespace, for example), reject the attempt */
		52	+ if (command->type != cm_function_def \|\|
		53	+ ((x = parser_remaining_input ()) && *x) \|\|
		54	+ (STREQ (from_file, command->value.Function_def->name->word) == 0))
		55	+ {
		56	+ internal_warning (_("%s: ignoring function definition attempt"), from_file);
		57	+ should_jump_to_top_level = 0;
		58	+ last_result = last_command_exit_value = EX_BADUSAGE;
		59	+ reset_parser ();
		60	+ break;
		61	+ }
		62	}
		63
		64	@@ -302,5 +316,8 @@
		65
		66	if (flags & SEVAL_ONECMD)
		67	- break;
		68	+ {
		69	+ reset_parser ();
		70	+ break;
		71	+ }
		72	}
		73	}
		74	--- a/parse.y 2014-09-30 19:43:22.000000000 -0400
		75	+++ b/parse.y 2014-10-04 15:58:35.000000000 -0400
		76	@@ -2125,4 +2125,14 @@
		77	}
		78
		79	+char *
		80	+parser_remaining_input ()
		81	+{
		82	+ if (shell_input_line == 0)
		83	+ return 0;
		84	+ if (shell_input_line_index < 0 \|\| shell_input_line_index >= shell_input_line_len)
		85	+ return '\0'; /* XXX */
		86	+ return (shell_input_line + shell_input_line_index);
		87	+}
		88	+
		89	#ifdef INCLUDE_UNUSED
		90	/* Back the input pointer up by one, effectively `ungetting' a character. */
		91	--- a/shell.h 2008-04-28 22:00:24.000000000 -0400
		92	+++ b/shell.h 2014-10-04 15:58:35.000000000 -0400
		93	@@ -161,4 +161,6 @@
		94
		95	/* Let's try declaring these here. */
		96	+extern char *parser_remaining_input __P((void));
		97	+
		98	extern sh_parser_state_t save_parser_state __P((sh_parser_state_t ));
		99	extern void restore_parser_state __P((sh_parser_state_t *));


diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch new file mode 100644 index 0000000000..b25314fcd7 --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
		1	bash: Fix CVE-2014-6278 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 4.2
		15	Patch-ID: bash42-053
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	A combination of nested command substitutions and function importing from
		24	the environment can cause bash to execute code appearing in the environment
		25	variable value following the function definition.
		26
		27	Patch (apply with `patch -p0'):
		28
		29	*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
		30	--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
		31	***************
		32	* 262,271 **
		33	struct fd_bitmap *bitmap;
		34
		35	! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		36	{
		37	! internal_warning ("%s: ignoring function definition attempt", from_file);
		38	! should_jump_to_top_level = 0;
		39	! last_result = last_command_exit_value = EX_BADUSAGE;
		40	! break;
		41	}
		42
		43	--- 262,284 ----
		44	struct fd_bitmap *bitmap;
		45
		46	! if (flags & SEVAL_FUNCDEF)
		47	{
		48	! char *x;
		49	!
		50	! /* If the command parses to something other than a straight
		51	! function definition, or if we have not consumed the entire
		52	! string, or if the parser has transformed the function
		53	! name (as parsing will if it begins or ends with shell
		54	! whitespace, for example), reject the attempt */
		55	! if (command->type != cm_function_def \|\|
		56	! ((x = parser_remaining_input ()) && *x) \|\|
		57	! (STREQ (from_file, command->value.Function_def->name->word) == 0))
		58	! {
		59	! internal_warning (_("%s: ignoring function definition attempt"), from_file);
		60	! should_jump_to_top_level = 0;
		61	! last_result = last_command_exit_value = EX_BADUSAGE;
		62	! reset_parser ();
		63	! break;
		64	! }
		65	}
		66
		67	***************
		68	* 332,336 **
		69
		70	if (flags & SEVAL_ONECMD)
		71	! break;
		72	}
		73	}
		74	--- 345,352 ----
		75
		76	if (flags & SEVAL_ONECMD)
		77	! {
		78	! reset_parser ();
		79	! break;
		80	! }
		81	}
		82	}
		83	*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
		84	--- parse.y 2014-10-04 15:00:26.000000000 -0400
		85	***************
		86	* 2436,2439 **
		87	--- 2436,2449 ----
		88	}
		89
		90	+ char *
		91	+ parser_remaining_input ()
		92	+ {
		93	+ if (shell_input_line == 0)
		94	+ return 0;
		95	+ if (shell_input_line_index < 0 \|\| shell_input_line_index >= shell_input_line_len)
		96	+ return '\0'; /* XXX */
		97	+ return (shell_input_line + shell_input_line_index);
		98	+ }
		99	+
		100	#ifdef INCLUDE_UNUSED
		101	/* Back the input pointer up by one, effectively `ungetting' a character. */
		102	***************
		103	* 3891,3896 **
		104	/* reset_parser clears shell_input_line and associated variables */
		105	restore_input_line_state (&ls);
		106	! if (interactive)
		107	! token_to_read = 0;
		108
		109	/* Need to find how many characters parse_and_execute consumed, update
		110	--- 3901,3906 ----
		111	/* reset_parser clears shell_input_line and associated variables */
		112	restore_input_line_state (&ls);
		113	!
		114	! token_to_read = 0;
		115
		116	/* Need to find how many characters parse_and_execute consumed, update
		117	*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
		118	--- shell.h 2014-10-04 15:00:26.000000000 -0400
		119	***************
		120	* 178,181 **
		121	--- 178,183 ----
		122
		123	/* Let's try declaring these here. */
		124	+ extern char *parser_remaining_input __P((void));
		125	+
		126	extern sh_parser_state_t save_parser_state __P((sh_parser_state_t ));
		127	extern void restore_parser_state __P((sh_parser_state_t *));


diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 82816fdebc..bee4986025 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
15	file://Fix-for-bash-exported-function-namespace-change.patch \	15	file://Fix-for-bash-exported-function-namespace-change.patch \
16	file://cve-2014-7186_cve-2014-7187.patch \	16	file://cve-2014-7186_cve-2014-7187.patch \
17	file://cve-2014-6277.patch \	17	file://cve-2014-6277.patch \
		18	file://cve-2014-6278.patch \
18	"	19	"
19		20
20	SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"	21	SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"


diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index 1f49c46a54..c3e7126ad4 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \	26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \	27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
28	file://cve-2014-6277.patch \	28	file://cve-2014-6277.patch \
		29	file://cve-2014-6278.patch;striplevel=0 \
29	file://run-ptest \	30	file://run-ptest \
30	"	31	"
31		32