diff options
author | Ross Burton <ross.burton@intel.com> | 2014-10-02 11:31:54 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-16 16:05:55 +0200 |
commit | c78877b07e137f467e7feb18e15fa06400f30881 (patch) | |
tree | b2fe17d290ef94f4cbcd354e8680ac52c3b88277 | |
parent | 02037d7daa1a24aecccc527a1ee6e78e1ed7c9dd (diff) | |
download | poky-c78877b07e137f467e7feb18e15fa06400f30881.tar.gz |
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: d57b9ce8bb97f88c329da973c3567d04d8eb07d2)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | 77 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch | 95 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_3.2.48.bb | 1 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.2.bb | 1 |
4 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | Fix CVE-2014-6271, aka ShellShock. | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
5 | |||
6 | *** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 | ||
7 | --- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 | ||
8 | *************** | ||
9 | *** 34,37 **** | ||
10 | --- 34,39 ---- | ||
11 | |||
12 | /* Flags for describe_command, shared between type.def and command.def */ | ||
13 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
14 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
15 | #define CDESC_ALL 0x001 /* type -a */ | ||
16 | #define CDESC_SHORTDESC 0x002 /* command -V */ | ||
17 | *** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 | ||
18 | --- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 | ||
19 | *************** | ||
20 | *** 235,238 **** | ||
21 | --- 235,246 ---- | ||
22 | struct fd_bitmap *bitmap; | ||
23 | |||
24 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
25 | + { | ||
26 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
27 | + should_jump_to_top_level = 0; | ||
28 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
29 | + break; | ||
30 | + } | ||
31 | + | ||
32 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
33 | begin_unwind_frame ("pe_dispose"); | ||
34 | *************** | ||
35 | *** 292,295 **** | ||
36 | --- 300,306 ---- | ||
37 | dispose_fd_bitmap (bitmap); | ||
38 | discard_unwind_frame ("pe_dispose"); | ||
39 | + | ||
40 | + if (flags & SEVAL_ONECMD) | ||
41 | + break; | ||
42 | } | ||
43 | } | ||
44 | *** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 | ||
45 | --- variables.c 2014-09-16 19:10:39.000000000 -0400 | ||
46 | *************** | ||
47 | *** 319,328 **** | ||
48 | strcpy (temp_string + char_index + 1, string); | ||
49 | |||
50 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
51 | ! | ||
52 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
53 | ! functions like name()=() {...} */ | ||
54 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
55 | ! name[char_index - 2] = '\0'; | ||
56 | |||
57 | if (temp_var = find_function (name)) | ||
58 | --- 319,326 ---- | ||
59 | strcpy (temp_string + char_index + 1, string); | ||
60 | |||
61 | ! /* Don't import function names that are invalid identifiers from the | ||
62 | ! environment. */ | ||
63 | ! if (legal_identifier (name)) | ||
64 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
65 | |||
66 | if (temp_var = find_function (name)) | ||
67 | *************** | ||
68 | *** 333,340 **** | ||
69 | else | ||
70 | report_error (_("error importing function definition for `%s'"), name); | ||
71 | - | ||
72 | - /* ( */ | ||
73 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
74 | - name[char_index - 2] = '('; /* ) */ | ||
75 | } | ||
76 | #if defined (ARRAY_VARS) | ||
77 | --- 331,334 ---- | ||
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch new file mode 100644 index 0000000000..20530adf6c --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch | |||
@@ -0,0 +1,95 @@ | |||
1 | Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.2 patchlevel 48, minus the hunk to | ||
2 | set the patch level. | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
6 | |||
7 | BASH PATCH REPORT | ||
8 | ================= | ||
9 | |||
10 | Bash-Release: 4.2 | ||
11 | Patch-ID: bash42-048 | ||
12 | |||
13 | Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com> | ||
14 | Bug-Reference-ID: | ||
15 | Bug-Reference-URL: | ||
16 | |||
17 | Bug-Description: | ||
18 | |||
19 | Under certain circumstances, bash will execute user code while processing the | ||
20 | environment for exported function definitions. | ||
21 | |||
22 | Patch (apply with `patch -p0'): | ||
23 | |||
24 | *** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 | ||
25 | --- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 | ||
26 | *************** | ||
27 | *** 36,39 **** | ||
28 | --- 36,41 ---- | ||
29 | |||
30 | /* Flags for describe_command, shared between type.def and command.def */ | ||
31 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
32 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
33 | #define CDESC_ALL 0x001 /* type -a */ | ||
34 | #define CDESC_SHORTDESC 0x002 /* command -V */ | ||
35 | *** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 | ||
36 | --- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 | ||
37 | *************** | ||
38 | *** 262,265 **** | ||
39 | --- 262,273 ---- | ||
40 | struct fd_bitmap *bitmap; | ||
41 | |||
42 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
43 | + { | ||
44 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
45 | + should_jump_to_top_level = 0; | ||
46 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
51 | begin_unwind_frame ("pe_dispose"); | ||
52 | *************** | ||
53 | *** 322,325 **** | ||
54 | --- 330,336 ---- | ||
55 | dispose_fd_bitmap (bitmap); | ||
56 | discard_unwind_frame ("pe_dispose"); | ||
57 | + | ||
58 | + if (flags & SEVAL_ONECMD) | ||
59 | + break; | ||
60 | } | ||
61 | } | ||
62 | *** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 | ||
63 | --- variables.c 2014-09-16 19:35:45.000000000 -0400 | ||
64 | *************** | ||
65 | *** 348,357 **** | ||
66 | strcpy (temp_string + char_index + 1, string); | ||
67 | |||
68 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
69 | ! | ||
70 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
71 | ! functions like name()=() {...} */ | ||
72 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
73 | ! name[char_index - 2] = '\0'; | ||
74 | |||
75 | if (temp_var = find_function (name)) | ||
76 | --- 348,355 ---- | ||
77 | strcpy (temp_string + char_index + 1, string); | ||
78 | |||
79 | ! /* Don't import function names that are invalid identifiers from the | ||
80 | ! environment. */ | ||
81 | ! if (legal_identifier (name)) | ||
82 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
83 | |||
84 | if (temp_var = find_function (name)) | ||
85 | *************** | ||
86 | *** 362,369 **** | ||
87 | else | ||
88 | report_error (_("error importing function definition for `%s'"), name); | ||
89 | - | ||
90 | - /* ( */ | ||
91 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
92 | - name[char_index - 2] = '('; /* ) */ | ||
93 | } | ||
94 | #if defined (ARRAY_VARS) | ||
95 | --- 360,363 ---- | ||
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 4e6f0f3ea1..cbe1ee6623 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb | |||
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ | |||
10 | ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \ | 10 | ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \ |
11 | ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \ | 11 | ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \ |
12 | file://mkbuiltins_have_stringize.patch \ | 12 | file://mkbuiltins_have_stringize.patch \ |
13 | file://cve-2014-6271.patch;striplevel=0 \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8" | 16 | SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8" |
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index fefe7b799d..83294b040a 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb | |||
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \ | |||
19 | ${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \ | 19 | ${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \ |
20 | file://execute_cmd.patch;striplevel=0 \ | 20 | file://execute_cmd.patch;striplevel=0 \ |
21 | file://mkbuiltins_have_stringize.patch \ | 21 | file://mkbuiltins_have_stringize.patch \ |
22 | file://cve-2014-6271.patch;striplevel=0 \ | ||
22 | file://build-tests.patch \ | 23 | file://build-tests.patch \ |
23 | file://test-output.patch \ | 24 | file://test-output.patch \ |
24 | file://run-ptest \ | 25 | file://run-ptest \ |