summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-10-10 11:54:35 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-08 23:47:13 (GMT)
commit57531002b8be23ba24ecd53076cd337efa9accbb (patch)
treed49b35b9d3b27e2218312aaaa37244be1e62954c
parentc4061a0a689fd3f4e3fb5d5dd6357dc542973d45 (diff)
downloadpoky-57531002b8be23ba24ecd53076cd337efa9accbb.tar.gz
bash: Security fix CVE-2016-0634
References to upstream patch: https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047 http://openwall.com/lists/oss-security/2016/09/16/8 (From OE-Core rev: 24455c63494b7030b8a337f0dad98687d15d9ce6) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/bash/bash/CVE-2016-0634.patch136
-rw-r--r--meta/recipes-extended/bash/bash_4.3.30.bb1
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
new file mode 100644
index 0000000..71c033e
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
@@ -0,0 +1,136 @@
1Bash-Release: 4.3
2Patch-ID: bash43-047
3
4Bug-Reported-by: Bernd Dietzel
5Bug-Reference-ID:
6Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
7
8Bug-Description:
9
10Bash performs word expansions on the prompt strings after the special
11escape sequences are expanded. If a malicious user can modify the system
12hostname or change the name of the bash executable and coerce a user into
13executing it, and the new name contains word expansions (including
14command substitution), bash will expand them in prompt strings containing
15the \h or \H and \s escape sequences, respectively.
16
17Patch (apply with `patch -p0')
18
19CVE: CVE-2016-0634
20Upstream-Status: Backport
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22
23*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400
24--- parse.y 2016-03-07 15:44:14.000000000 -0500
25***************
26*** 5259,5263 ****
27 int result_size, result_index;
28 int c, n, i;
29! char *temp, octal_string[4];
30 struct tm *tm;
31 time_t the_time;
32--- 5259,5263 ----
33 int result_size, result_index;
34 int c, n, i;
35! char *temp, *t_host, octal_string[4];
36 struct tm *tm;
37 time_t the_time;
38***************
39*** 5407,5411 ****
40 case 's':
41 temp = base_pathname (shell_name);
42! temp = savestring (temp);
43 goto add_string;
44
45--- 5407,5415 ----
46 case 's':
47 temp = base_pathname (shell_name);
48! /* Try to quote anything the user can set in the file system */
49! if (promptvars || posixly_correct)
50! temp = sh_backslash_quote_for_double_quotes (temp);
51! else
52! temp = savestring (temp);
53 goto add_string;
54
55***************
56*** 5497,5503 ****
57 case 'h':
58 case 'H':
59! temp = savestring (current_host_name);
60! if (c == 'h' && (t = (char *)strchr (temp, '.')))
61 *t = '\0';
62 goto add_string;
63
64--- 5501,5515 ----
65 case 'h':
66 case 'H':
67! t_host = savestring (current_host_name);
68! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
69 *t = '\0';
70+ if (promptvars || posixly_correct)
71+ /* Make sure that expand_prompt_string is called with a
72+ second argument of Q_DOUBLE_QUOTES if we use this
73+ function here. */
74+ temp = sh_backslash_quote_for_double_quotes (t_host);
75+ else
76+ temp = savestring (t_host);
77+ free (t_host);
78 goto add_string;
79
80*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400
81--- y.tab.c 2016-03-07 15:44:14.000000000 -0500
82***************
83*** 7571,7575 ****
84 int result_size, result_index;
85 int c, n, i;
86! char *temp, octal_string[4];
87 struct tm *tm;
88 time_t the_time;
89--- 7571,7575 ----
90 int result_size, result_index;
91 int c, n, i;
92! char *temp, *t_host, octal_string[4];
93 struct tm *tm;
94 time_t the_time;
95***************
96*** 7719,7723 ****
97 case 's':
98 temp = base_pathname (shell_name);
99! temp = savestring (temp);
100 goto add_string;
101
102--- 7719,7727 ----
103 case 's':
104 temp = base_pathname (shell_name);
105! /* Try to quote anything the user can set in the file system */
106! if (promptvars || posixly_correct)
107! temp = sh_backslash_quote_for_double_quotes (temp);
108! else
109! temp = savestring (temp);
110 goto add_string;
111
112***************
113*** 7809,7815 ****
114 case 'h':
115 case 'H':
116! temp = savestring (current_host_name);
117! if (c == 'h' && (t = (char *)strchr (temp, '.')))
118 *t = '\0';
119 goto add_string;
120
121--- 7813,7827 ----
122 case 'h':
123 case 'H':
124! t_host = savestring (current_host_name);
125! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
126 *t = '\0';
127+ if (promptvars || posixly_correct)
128+ /* Make sure that expand_prompt_string is called with a
129+ second argument of Q_DOUBLE_QUOTES if we use this
130+ function here. */
131+ temp = sh_backslash_quote_for_double_quotes (t_host);
132+ else
133+ temp = savestring (t_host);
134+ free (t_host);
135 goto add_string;
136
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index 95ed392..fcd6caf 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
21 file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \ 21 file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \
22 file://run-ptest \ 22 file://run-ptest \
23 file://fix-run-builtins.patch \ 23 file://fix-run-builtins.patch \
24 file://CVE-2016-0634.patch;striplevel=0 \
24 " 25 "
25 26
26SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" 27SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"