bash: Fix-for-CVE-2014-6278

This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) (From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Popeanga <Catalin.Popeanga@enea.com> 2014-10-09 14:25:15 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-13 11:18:39 +0100
commit: bf7ac0aaa81a6c752ac1dfd2087de2b5dd5bfd37 (patch)
tree: 2d278570263726de712081ab3028be281d6113bf
parent: b03f4da5489608f06630c61060a1280a303c0d84 (diff)
download: poky-bf7ac0aaa81a6c752ac1dfd2087de2b5dd5bfd37.tar.gz
4 files changed, 228 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
new file mode 100644
index 0000000000..e51ce05bb5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
+bash: Fix CVE-2014-6278 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release: 3.2
+Patch-ID: bash32-057
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+--- a/builtins/evalstring.c     2014-09-16 19:08:02.000000000 -0400
+++ b/builtins/evalstring.c     2014-10-04 15:58:35.000000000 -0400
+@@ -44,4 +44,5 @@
+ #include "../redir.h"
+ #include "../trap.h"
+#include "../bashintl.h"
+ 
+ #if defined (HISTORY)
+@@ -235,10 +236,23 @@
+              struct fd_bitmap *bitmap;
+ 
+-             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+             if (flags & SEVAL_FUNCDEF)
+                {
+-                 internal_warning ("%s: ignoring function definition attempt", from_file);
+-                 should_jump_to_top_level = 0;
+-                 last_result = last_command_exit_value = EX_BADUSAGE;
+-                 break;
+                 char *x;
+
+                 /* If the command parses to something other than a straight
+                    function definition, or if we have not consumed the entire
+                    string, or if the parser has transformed the function
+                    name (as parsing will if it begins or ends with shell
+                    whitespace, for example), reject the attempt */
+                 if (command->type != cm_function_def ||
+                     ((x = parser_remaining_input ()) && *x) ||
+                     (STREQ (from_file, command->value.Function_def->name->word) == 0))
+                   {
+                     internal_warning (_("%s: ignoring function definition attempt"), from_file);
+                     should_jump_to_top_level = 0;
+                     last_result = last_command_exit_value = EX_BADUSAGE;
+                     reset_parser ();
+                     break;
+                   }
+                }
+ 
+@@ -302,5 +316,8 @@
+ 
+              if (flags & SEVAL_ONECMD)
+-               break;
+               {
+                 reset_parser ();
+                 break;
+               }
+            }
+        }
+--- a/parse.y   2014-09-30 19:43:22.000000000 -0400
+++ b/parse.y   2014-10-04 15:58:35.000000000 -0400
+@@ -2125,4 +2125,14 @@
+ }
+ 
+char *
+parser_remaining_input ()
+{
+  if (shell_input_line == 0)
+    return 0;
+  if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+    return '\0';       /* XXX */
+  return (shell_input_line + shell_input_line_index);
+}
+
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+--- a/shell.h   2008-04-28 22:00:24.000000000 -0400
+++ b/shell.h   2014-10-04 15:58:35.000000000 -0400
+@@ -161,4 +161,6 @@
+ 
+ /* Let's try declaring these here. */
+extern char *parser_remaining_input __P((void));
+
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
new file mode 100644
index 0000000000..b25314fcd7
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
+bash: Fix CVE-2014-6278 (shellshock)
+ 
+Upstream-status: backport
+ 
+Downloaded from: 
+http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.2
+Patch-ID:       bash42-053
+Bug-Reported-by:        Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+Patch (apply with `patch -p0'):
+*** ../bash-4.2.52/builtins/evalstring.c        2014-09-16 19:35:45.000000000 -0400
+--- builtins/evalstring.c       2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+              struct fd_bitmap *bitmap;
+  
+!             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+                {
+!                 internal_warning ("%s: ignoring function definition attempt", from_file);
+!                 should_jump_to_top_level = 0;
+!                 last_result = last_command_exit_value = EX_BADUSAGE;
+!                 break;
+                }
+  
+--- 262,284 ----
+              struct fd_bitmap *bitmap;
+  
+!             if (flags & SEVAL_FUNCDEF)
+                {
+!                 char *x;
+! 
+!                 /* If the command parses to something other than a straight
+!                    function definition, or if we have not consumed the entire
+!                    string, or if the parser has transformed the function
+!                    name (as parsing will if it begins or ends with shell
+!                    whitespace, for example), reject the attempt */
+!                 if (command->type != cm_function_def ||
+!                     ((x = parser_remaining_input ()) && *x) ||
+!                     (STREQ (from_file, command->value.Function_def->name->word) == 0))
+!                   {
+!                     internal_warning (_("%s: ignoring function definition attempt"), from_file);
+!                     should_jump_to_top_level = 0;
+!                     last_result = last_command_exit_value = EX_BADUSAGE;
+!                     reset_parser ();
+!                     break;
+!                   }
+                }
+  
+***************
+*** 332,336 ****
+  
+              if (flags & SEVAL_ONECMD)
+!               break;
+            }
+        }
+--- 345,352 ----
+  
+              if (flags & SEVAL_ONECMD)
+!               {
+!                 reset_parser ();
+!                 break;
+!               }
+            }
+        }
+*** ../bash-4.2.52/parse.y      2014-09-30 19:24:19.000000000 -0400
+--- parse.y     2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+  }
+  
+ char *
+ parser_remaining_input ()
+ {
+   if (shell_input_line == 0)
+     return 0;
+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+     return '\0';      /* XXX */
+   return (shell_input_line + shell_input_line_index);
+ }
+ 
+  #ifdef INCLUDE_UNUSED
+  /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+    /* reset_parser clears shell_input_line and associated variables */
+    restore_input_line_state (&ls);
+!   if (interactive)
+!     token_to_read = 0;
+  
+    /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+    /* reset_parser clears shell_input_line and associated variables */
+    restore_input_line_state (&ls);
+! 
+!   token_to_read = 0;
+  
+    /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h      2011-11-21 18:03:32.000000000 -0500
+--- shell.h     2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+  
+  /* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+ 
+  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+  extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 4bd97e7116..d642abd305 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           file://Fix-for-bash-exported-function-namespace-change.patch \
           file://cve-2014-7186_cve-2014-7187.patch \
           file://cve-2014-6277.patch \
+           file://cve-2014-6278.patch \
           file://run-ptest \
          "
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 35af8128c3..e2d391d81c 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
           file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
           file://cve-2014-6277.patch \
+           file://cve-2014-6278.patch;striplevel=0 \
           file://run-ptest \
           "
author	Catalin Popeanga <Catalin.Popeanga@enea.com>	2014-10-09 14:25:15 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-13 11:18:39 +0100
commit	bf7ac0aaa81a6c752ac1dfd2087de2b5dd5bfd37 (patch)
tree	2d278570263726de712081ab3028be281d6113bf
parent	b03f4da5489608f06630c61060a1280a303c0d84 (diff)
download	poky-bf7ac0aaa81a6c752ac1dfd2087de2b5dd5bfd37.tar.gz

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch new file mode 100644 index 0000000000..e51ce05bb5 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
		1	bash: Fix CVE-2014-6278 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 3.2
		15	Patch-ID: bash32-057
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	A combination of nested command substitutions and function importing from
		24	the environment can cause bash to execute code appearing in the environment
		25	variable value following the function definition.
		26
		27	--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
		28	+++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400
		29	@@ -44,4 +44,5 @@
		30	#include "../redir.h"
		31	#include "../trap.h"
		32	+#include "../bashintl.h"
		33
		34	#if defined (HISTORY)
		35	@@ -235,10 +236,23 @@
		36	struct fd_bitmap *bitmap;
		37
		38	- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		39	+ if (flags & SEVAL_FUNCDEF)
		40	{
		41	- internal_warning ("%s: ignoring function definition attempt", from_file);
		42	- should_jump_to_top_level = 0;
		43	- last_result = last_command_exit_value = EX_BADUSAGE;
		44	- break;
		45	+ char *x;
		46	+
		47	+ /* If the command parses to something other than a straight
		48	+ function definition, or if we have not consumed the entire
		49	+ string, or if the parser has transformed the function
		50	+ name (as parsing will if it begins or ends with shell
		51	+ whitespace, for example), reject the attempt */
		52	+ if (command->type != cm_function_def \|\|
		53	+ ((x = parser_remaining_input ()) && *x) \|\|
		54	+ (STREQ (from_file, command->value.Function_def->name->word) == 0))
		55	+ {
		56	+ internal_warning (_("%s: ignoring function definition attempt"), from_file);
		57	+ should_jump_to_top_level = 0;
		58	+ last_result = last_command_exit_value = EX_BADUSAGE;
		59	+ reset_parser ();
		60	+ break;
		61	+ }
		62	}
		63
		64	@@ -302,5 +316,8 @@
		65
		66	if (flags & SEVAL_ONECMD)
		67	- break;
		68	+ {
		69	+ reset_parser ();
		70	+ break;
		71	+ }
		72	}
		73	}
		74	--- a/parse.y 2014-09-30 19:43:22.000000000 -0400
		75	+++ b/parse.y 2014-10-04 15:58:35.000000000 -0400
		76	@@ -2125,4 +2125,14 @@
		77	}
		78
		79	+char *
		80	+parser_remaining_input ()
		81	+{
		82	+ if (shell_input_line == 0)
		83	+ return 0;
		84	+ if (shell_input_line_index < 0 \|\| shell_input_line_index >= shell_input_line_len)
		85	+ return '\0'; /* XXX */
		86	+ return (shell_input_line + shell_input_line_index);
		87	+}
		88	+
		89	#ifdef INCLUDE_UNUSED
		90	/* Back the input pointer up by one, effectively `ungetting' a character. */
		91	--- a/shell.h 2008-04-28 22:00:24.000000000 -0400
		92	+++ b/shell.h 2014-10-04 15:58:35.000000000 -0400
		93	@@ -161,4 +161,6 @@
		94
		95	/* Let's try declaring these here. */
		96	+extern char *parser_remaining_input __P((void));
		97	+
		98	extern sh_parser_state_t save_parser_state __P((sh_parser_state_t ));
		99	extern void restore_parser_state __P((sh_parser_state_t *));


diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch new file mode 100644 index 0000000000..b25314fcd7 --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
		1	bash: Fix CVE-2014-6278 (shellshock)
		2
		3	Upstream-status: backport
		4
		5	Downloaded from:
		6	http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
		7
		8	Author: Chet Ramey <chet.ramey@case.edu>
		9	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		10
		11	BASH PATCH REPORT
		12	=================
		13
		14	Bash-Release: 4.2
		15	Patch-ID: bash42-053
		16
		17	Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
		18	Bug-Reference-ID:
		19	Bug-Reference-URL:
		20
		21	Bug-Description:
		22
		23	A combination of nested command substitutions and function importing from
		24	the environment can cause bash to execute code appearing in the environment
		25	variable value following the function definition.
		26
		27	Patch (apply with `patch -p0'):
		28
		29	*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
		30	--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
		31	***************
		32	* 262,271 **
		33	struct fd_bitmap *bitmap;
		34
		35	! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		36	{
		37	! internal_warning ("%s: ignoring function definition attempt", from_file);
		38	! should_jump_to_top_level = 0;
		39	! last_result = last_command_exit_value = EX_BADUSAGE;
		40	! break;
		41	}
		42
		43	--- 262,284 ----
		44	struct fd_bitmap *bitmap;
		45
		46	! if (flags & SEVAL_FUNCDEF)
		47	{
		48	! char *x;
		49	!
		50	! /* If the command parses to something other than a straight
		51	! function definition, or if we have not consumed the entire
		52	! string, or if the parser has transformed the function
		53	! name (as parsing will if it begins or ends with shell
		54	! whitespace, for example), reject the attempt */
		55	! if (command->type != cm_function_def \|\|
		56	! ((x = parser_remaining_input ()) && *x) \|\|
		57	! (STREQ (from_file, command->value.Function_def->name->word) == 0))
		58	! {
		59	! internal_warning (_("%s: ignoring function definition attempt"), from_file);
		60	! should_jump_to_top_level = 0;
		61	! last_result = last_command_exit_value = EX_BADUSAGE;
		62	! reset_parser ();
		63	! break;
		64	! }
		65	}
		66
		67	***************
		68	* 332,336 **
		69
		70	if (flags & SEVAL_ONECMD)
		71	! break;
		72	}
		73	}
		74	--- 345,352 ----
		75
		76	if (flags & SEVAL_ONECMD)
		77	! {
		78	! reset_parser ();
		79	! break;
		80	! }
		81	}
		82	}
		83	*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
		84	--- parse.y 2014-10-04 15:00:26.000000000 -0400
		85	***************
		86	* 2436,2439 **
		87	--- 2436,2449 ----
		88	}
		89
		90	+ char *
		91	+ parser_remaining_input ()
		92	+ {
		93	+ if (shell_input_line == 0)
		94	+ return 0;
		95	+ if (shell_input_line_index < 0 \|\| shell_input_line_index >= shell_input_line_len)
		96	+ return '\0'; /* XXX */
		97	+ return (shell_input_line + shell_input_line_index);
		98	+ }
		99	+
		100	#ifdef INCLUDE_UNUSED
		101	/* Back the input pointer up by one, effectively `ungetting' a character. */
		102	***************
		103	* 3891,3896 **
		104	/* reset_parser clears shell_input_line and associated variables */
		105	restore_input_line_state (&ls);
		106	! if (interactive)
		107	! token_to_read = 0;
		108
		109	/* Need to find how many characters parse_and_execute consumed, update
		110	--- 3901,3906 ----
		111	/* reset_parser clears shell_input_line and associated variables */
		112	restore_input_line_state (&ls);
		113	!
		114	! token_to_read = 0;
		115
		116	/* Need to find how many characters parse_and_execute consumed, update
		117	*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
		118	--- shell.h 2014-10-04 15:00:26.000000000 -0400
		119	***************
		120	* 178,181 **
		121	--- 178,183 ----
		122
		123	/* Let's try declaring these here. */
		124	+ extern char *parser_remaining_input __P((void));
		125	+
		126	extern sh_parser_state_t save_parser_state __P((sh_parser_state_t ));
		127	extern void restore_parser_state __P((sh_parser_state_t *));


diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 4bd97e7116..d642abd305 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
17	file://Fix-for-bash-exported-function-namespace-change.patch \	17	file://Fix-for-bash-exported-function-namespace-change.patch \
18	file://cve-2014-7186_cve-2014-7187.patch \	18	file://cve-2014-7186_cve-2014-7187.patch \
19	file://cve-2014-6277.patch \	19	file://cve-2014-6277.patch \
		20	file://cve-2014-6278.patch \
20	file://run-ptest \	21	file://run-ptest \
21	"	22	"
22		23


diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index 35af8128c3..e2d391d81c 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \	26	file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \	27	file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
28	file://cve-2014-6277.patch \	28	file://cve-2014-6277.patch \
		29	file://cve-2014-6278.patch;striplevel=0 \
29	file://run-ptest \	30	file://run-ptest \
30	"	31	"
31		32