diff options
author | Catalin Popeanga <Catalin.Popeanga@enea.com> | 2014-10-09 14:24:29 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-10 18:06:08 +0100 |
commit | 1d21eaf4e0b4161aac45e30c20f69e603dadcf48 (patch) | |
tree | 9144bf72561df92838f467e7ee6aa3d425e3fd5c /meta/recipes-extended/bash/bash-3.2.48 | |
parent | 95821e8566147841e726678b76a5397b971a6e57 (diff) | |
download | poky-1d21eaf4e0b4161aac45e30c20f69e603dadcf48.tar.gz |
bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/bash/bash-3.2.48')
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch new file mode 100644 index 0000000000..dcb8ea44c5 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | bash: Fix for CVE-2014-7186 and CVE-2014-7187 | ||
2 | |||
3 | Upstream-Status: Backport {GNU Patch-ID: bash32-055} | ||
4 | |||
5 | Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055 | ||
6 | |||
7 | Author: Chet Ramey <chet.ramey@case.edu> | ||
8 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
9 | |||
10 | BASH PATCH REPORT | ||
11 | ================= | ||
12 | |||
13 | Bash-Release: 3.2 | ||
14 | Patch-ID: bash32-055 | ||
15 | |||
16 | Bug-Reported-by: Florian Weimer <fweimer@redhat.com> | ||
17 | Bug-Reference-ID: | ||
18 | Bug-Reference-URL: | ||
19 | |||
20 | Bug-Description: | ||
21 | |||
22 | There are two local buffer overflows in parse.y that can cause the shell | ||
23 | to dump core when given many here-documents attached to a single command | ||
24 | or many nested loops. | ||
25 | --- | ||
26 | --- a/parse.y 2014-09-27 12:17:16.000000000 -0400 | ||
27 | +++ b/parse.y 2014-09-30 19:43:22.000000000 -0400 | ||
28 | @@ -166,4 +166,7 @@ | ||
29 | static int reserved_word_acceptable __P((int)); | ||
30 | static int yylex __P((void)); | ||
31 | + | ||
32 | +static void push_heredoc __P((REDIRECT *)); | ||
33 | +static char *mk_alexpansion __P((char *)); | ||
34 | static int alias_expand_token __P((char *)); | ||
35 | static int time_command_acceptable __P((void)); | ||
36 | @@ -254,5 +257,7 @@ | ||
37 | /* Variables to manage the task of reading here documents, because we need to | ||
38 | defer the reading until after a complete command has been collected. */ | ||
39 | -static REDIRECT *redir_stack[10]; | ||
40 | +#define HEREDOC_MAX 16 | ||
41 | + | ||
42 | +static REDIRECT *redir_stack[HEREDOC_MAX]; | ||
43 | int need_here_doc; | ||
44 | |||
45 | @@ -280,5 +285,5 @@ | ||
46 | index is decremented after a case, select, or for command is parsed. */ | ||
47 | #define MAX_CASE_NEST 128 | ||
48 | -static int word_lineno[MAX_CASE_NEST]; | ||
49 | +static int word_lineno[MAX_CASE_NEST+1]; | ||
50 | static int word_top = -1; | ||
51 | |||
52 | @@ -425,5 +430,5 @@ | ||
53 | redir.filename = $2; | ||
54 | $$ = make_redirection (0, r_reading_until, redir); | ||
55 | - redir_stack[need_here_doc++] = $$; | ||
56 | + push_heredoc ($$); | ||
57 | } | ||
58 | | NUMBER LESS_LESS WORD | ||
59 | @@ -431,5 +436,5 @@ | ||
60 | redir.filename = $3; | ||
61 | $$ = make_redirection ($1, r_reading_until, redir); | ||
62 | - redir_stack[need_here_doc++] = $$; | ||
63 | + push_heredoc ($$); | ||
64 | } | ||
65 | | LESS_LESS_LESS WORD | ||
66 | @@ -488,5 +493,5 @@ | ||
67 | $$ = make_redirection | ||
68 | (0, r_deblank_reading_until, redir); | ||
69 | - redir_stack[need_here_doc++] = $$; | ||
70 | + push_heredoc ($$); | ||
71 | } | ||
72 | | NUMBER LESS_LESS_MINUS WORD | ||
73 | @@ -495,5 +500,5 @@ | ||
74 | $$ = make_redirection | ||
75 | ($1, r_deblank_reading_until, redir); | ||
76 | - redir_stack[need_here_doc++] = $$; | ||
77 | + push_heredoc ($$); | ||
78 | } | ||
79 | | GREATER_AND '-' | ||
80 | @@ -2214,4 +2219,19 @@ | ||
81 | static int esacs_needed_count; | ||
82 | |||
83 | +static void | ||
84 | +push_heredoc (r) | ||
85 | + REDIRECT *r; | ||
86 | +{ | ||
87 | + if (need_here_doc >= HEREDOC_MAX) | ||
88 | + { | ||
89 | + last_command_exit_value = EX_BADUSAGE; | ||
90 | + need_here_doc = 0; | ||
91 | + report_syntax_error (_("maximum here-document count exceeded")); | ||
92 | + reset_parser (); | ||
93 | + exit_shell (last_command_exit_value); | ||
94 | + } | ||
95 | + redir_stack[need_here_doc++] = r; | ||
96 | +} | ||
97 | + | ||
98 | void | ||
99 | gather_here_documents () | ||