summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2017-02-13 10:53:24 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-02-15 20:06:44 -0800
commit1b2857a781b6666feaf5d3c91dc02ac263d0c4f6 (patch)
treebb7a01c901c1601be9514130d451730f2ec2b959
parent70907e352e62c45566b07c4fca1d116ca8d1bbe5 (diff)
downloadpoky-1b2857a781b6666feaf5d3c91dc02ac263d0c4f6.tar.gz
bash: fix CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/ bash44-006> to solve CVE-2016-9401. (From OE-Core rev: 6987b317d5ce8dc50a37ebba395aa8424bec358c) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/bash/bash/CVE-2016-9401.patch50
-rw-r--r--meta/recipes-extended/bash/bash_4.3.30.bb1
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-9401.patch b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
new file mode 100644
index 0000000000..28c927743c
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
@@ -0,0 +1,50 @@
1From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001
2From: Chet Ramey <chet.ramey@case.edu>
3Date: Fri, 20 Jan 2017 11:47:31 -0500
4Subject: [PATCH] Bash-4.4 patch 6
5
6Bug-Reference-URL:
7https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
8
9Reference to upstream patch:
10https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006
11
12Bug-Description:
13Out-of-range negative offsets to popd can cause the shell to crash attempting
14to free an invalid memory block.
15
16Upstream-Status: Backport
17CVE: CVE-2016-9401
18Signed-off-by: Li Zhou <li.zhou@windriver.com>
19---
20 builtins/pushd.def | 7 ++++++-
21 1 file changed, 6 insertions(+), 1 deletion(-)
22
23diff --git a/builtins/pushd.def b/builtins/pushd.def
24index 9c6548f..8a13bae 100644
25--- a/builtins/pushd.def
26+++ b/builtins/pushd.def
27@@ -359,7 +359,7 @@ popd_builtin (list)
28 break;
29 }
30
31- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
32+ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
33 {
34 pushd_error (directory_list_offset, which_word ? which_word : "");
35 return (EXECUTION_FAILURE);
36@@ -381,6 +381,11 @@ popd_builtin (list)
37 remove that directory from the list and shift the remainder
38 of the list into place. */
39 i = (direction == '+') ? directory_list_offset - which : which;
40+ if (i < 0 || i > directory_list_offset)
41+ {
42+ pushd_error (directory_list_offset, which_word ? which_word : "");
43+ return (EXECUTION_FAILURE);
44+ }
45 free (pushd_directory_list[i]);
46 directory_list_offset--;
47
48--
491.9.1
50
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index 765562fbdd..e398e87b60 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
30 file://fix-run-builtins.patch \ 30 file://fix-run-builtins.patch \
31 file://0001-help-fix-printf-format-security-warning.patch \ 31 file://0001-help-fix-printf-format-security-warning.patch \
32 file://fix-run-intl.patch \ 32 file://fix-run-intl.patch \
33 file://CVE-2016-9401.patch \
33 " 34 "
34 35
35SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" 36SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"