diff options
| author | Ross Burton <ross.burton@intel.com> | 2014-10-02 11:31:54 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-16 16:05:55 +0200 |
| commit | c78877b07e137f467e7feb18e15fa06400f30881 (patch) | |
| tree | b2fe17d290ef94f4cbcd354e8680ac52c3b88277 /meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch | |
| parent | 02037d7daa1a24aecccc527a1ee6e78e1ed7c9dd (diff) | |
| download | poky-c78877b07e137f467e7feb18e15fa06400f30881.tar.gz | |
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: d57b9ce8bb97f88c329da973c3567d04d8eb07d2)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch')
| -rw-r--r-- | meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch new file mode 100644 index 0000000000..20530adf6c --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch | |||
| @@ -0,0 +1,95 @@ | |||
| 1 | Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.2 patchlevel 48, minus the hunk to | ||
| 2 | set the patch level. | ||
| 3 | |||
| 4 | Upstream-Status: Backport | ||
| 5 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
| 6 | |||
| 7 | BASH PATCH REPORT | ||
| 8 | ================= | ||
| 9 | |||
| 10 | Bash-Release: 4.2 | ||
| 11 | Patch-ID: bash42-048 | ||
| 12 | |||
| 13 | Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com> | ||
| 14 | Bug-Reference-ID: | ||
| 15 | Bug-Reference-URL: | ||
| 16 | |||
| 17 | Bug-Description: | ||
| 18 | |||
| 19 | Under certain circumstances, bash will execute user code while processing the | ||
| 20 | environment for exported function definitions. | ||
| 21 | |||
| 22 | Patch (apply with `patch -p0'): | ||
| 23 | |||
| 24 | *** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 | ||
| 25 | --- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 | ||
| 26 | *************** | ||
| 27 | *** 36,39 **** | ||
| 28 | --- 36,41 ---- | ||
| 29 | |||
| 30 | /* Flags for describe_command, shared between type.def and command.def */ | ||
| 31 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
| 32 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
| 33 | #define CDESC_ALL 0x001 /* type -a */ | ||
| 34 | #define CDESC_SHORTDESC 0x002 /* command -V */ | ||
| 35 | *** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 | ||
| 36 | --- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 | ||
| 37 | *************** | ||
| 38 | *** 262,265 **** | ||
| 39 | --- 262,273 ---- | ||
| 40 | struct fd_bitmap *bitmap; | ||
| 41 | |||
| 42 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
| 43 | + { | ||
| 44 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
| 45 | + should_jump_to_top_level = 0; | ||
| 46 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
| 47 | + break; | ||
| 48 | + } | ||
| 49 | + | ||
| 50 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
| 51 | begin_unwind_frame ("pe_dispose"); | ||
| 52 | *************** | ||
| 53 | *** 322,325 **** | ||
| 54 | --- 330,336 ---- | ||
| 55 | dispose_fd_bitmap (bitmap); | ||
| 56 | discard_unwind_frame ("pe_dispose"); | ||
| 57 | + | ||
| 58 | + if (flags & SEVAL_ONECMD) | ||
| 59 | + break; | ||
| 60 | } | ||
| 61 | } | ||
| 62 | *** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 | ||
| 63 | --- variables.c 2014-09-16 19:35:45.000000000 -0400 | ||
| 64 | *************** | ||
| 65 | *** 348,357 **** | ||
| 66 | strcpy (temp_string + char_index + 1, string); | ||
| 67 | |||
| 68 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
| 69 | ! | ||
| 70 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
| 71 | ! functions like name()=() {...} */ | ||
| 72 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
| 73 | ! name[char_index - 2] = '\0'; | ||
| 74 | |||
| 75 | if (temp_var = find_function (name)) | ||
| 76 | --- 348,355 ---- | ||
| 77 | strcpy (temp_string + char_index + 1, string); | ||
| 78 | |||
| 79 | ! /* Don't import function names that are invalid identifiers from the | ||
| 80 | ! environment. */ | ||
| 81 | ! if (legal_identifier (name)) | ||
| 82 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
| 83 | |||
| 84 | if (temp_var = find_function (name)) | ||
| 85 | *************** | ||
| 86 | *** 362,369 **** | ||
| 87 | else | ||
| 88 | report_error (_("error importing function definition for `%s'"), name); | ||
| 89 | - | ||
| 90 | - /* ( */ | ||
| 91 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
| 92 | - name[char_index - 2] = '('; /* ) */ | ||
| 93 | } | ||
| 94 | #if defined (ARRAY_VARS) | ||
| 95 | --- 360,363 ---- | ||