bash: fix CVE-2014-6271

CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2014-09-26 00:05:18 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-09-29 12:12:46 +0100
commit: 215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch)
tree: f42d68da7db2af51636641f6552690b4a6d2df61 /meta/recipes-extended/bash/bash
parent: cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff)
download: poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz
1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
new file mode 100644
index 0000000000..d33a5c8f47
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
+Fix CVE-2014-6271, aka ShellShock.  This is the upstream 4.3 patchlevel 25, minus the hunk to
+set the patch level.
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.3
+Patch-ID:       bash43-025
+Bug-Reported-by:        Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+Patch (apply with `patch -p0'):
+*** ../bash-4.3-patched/builtins/common.h       2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h   2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+  #define SEVAL_PARSEONLY       0x020
+  #define SEVAL_NOLONGJMP 0x040
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c   2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c       2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-4.3-patched/variables.c     2014-05-15 08:26:50.000000000 -0400
+--- variables.c 2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         if (posixly_correct == 0 || legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 364,372 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment, though we still allow them to be defined as shell
+!            variables. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+              report_error (_("error importing function definition for `%s'"), name);
+            }
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
+--- subst.c     2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+          goto return0;
+        }
+!       else if (var = find_variable_last_nameref (temp1))
+        {
+          temp = nameref_cell (var);
+--- 8118,8124 ----
+          goto return0;
+        }
+!       else if (var && (invisible_p (var) || var_isset (var) == 0))
+!       temp = (char *)NULL;
+!       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+        {
+          temp = nameref_cell (var);
author	Ross Burton <ross.burton@intel.com>	2014-09-26 00:05:18 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-09-29 12:12:46 +0100
commit	215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch)
tree	f42d68da7db2af51636641f6552690b4a6d2df61 /meta/recipes-extended/bash/bash
parent	cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff)
download	poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz

diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch new file mode 100644 index 0000000000..d33a5c8f47 --- /dev/null +++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
	1	Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to
	2	set the patch level.
	3
	4	Upstream-Status: Backport
	5	Signed-off-by: Ross Burton <ross.burton@intel.com>
	6
	7	BASH PATCH REPORT
	8	=================
	9
	10	Bash-Release: 4.3
	11	Patch-ID: bash43-025
	12
	13	Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
	14	Bug-Reference-ID:
	15	Bug-Reference-URL:
	16
	17	Bug-Description:
	18
	19	Under certain circumstances, bash will execute user code while processing the
	20	environment for exported function definitions.
	21
	22	Patch (apply with `patch -p0'):
	23
	24	*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
	25	--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
	26	***************
	27	* 34,37 **
	28	--- 49,54 ----
	29	#define SEVAL_PARSEONLY 0x020
	30	#define SEVAL_NOLONGJMP 0x040
	31	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
	32	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
	33
	34	/* Flags for describe_command, shared between type.def and command.def */
	35	*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
	36	--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
	37	***************
	38	* 309,312 **
	39	--- 313,324 ----
	40	struct fd_bitmap *bitmap;
	41
	42	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
	43	+ {
	44	+ internal_warning ("%s: ignoring function definition attempt", from_file);
	45	+ should_jump_to_top_level = 0;
	46	+ last_result = last_command_exit_value = EX_BADUSAGE;
	47	+ break;
	48	+ }
	49	+
	50	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
	51	begin_unwind_frame ("pe_dispose");
	52	***************
	53	* 369,372 **
	54	--- 381,387 ----
	55	dispose_fd_bitmap (bitmap);
	56	discard_unwind_frame ("pe_dispose");
	57	+
	58	+ if (flags & SEVAL_ONECMD)
	59	+ break;
	60	}
	61	}
	62	*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
	63	--- variables.c 2014-09-14 14:23:35.000000000 -0400
	64	***************
	65	* 359,369 **
	66	strcpy (temp_string + char_index + 1, string);
	67
	68	! if (posixly_correct == 0 \|\| legal_identifier (name))
	69	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
	70	!
	71	! /* Ancient backwards compatibility. Old versions of bash exported
	72	! functions like name()=() {...} */
	73	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
	74	! name[char_index - 2] = '\0';
	75
	76	if (temp_var = find_function (name))
	77	--- 364,372 ----
	78	strcpy (temp_string + char_index + 1, string);
	79
	80	! /* Don't import function names that are invalid identifiers from the
	81	! environment, though we still allow them to be defined as shell
	82	! variables. */
	83	! if (legal_identifier (name))
	84	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
	85
	86	if (temp_var = find_function (name))
	87	***************
	88	* 382,389 **
	89	report_error (_("error importing function definition for `%s'"), name);
	90	}
	91	-
	92	- /* ( */
	93	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
	94	- name[char_index - 2] = '('; /* ) */
	95	}
	96	#if defined (ARRAY_VARS)
	97	--- 385,388 ----
	98	*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
	99	--- subst.c 2014-09-12 15:31:04.000000000 -0400
	100	***************
	101	* 8048,8052 **
	102	goto return0;
	103	}
	104	! else if (var = find_variable_last_nameref (temp1))
	105	{
	106	temp = nameref_cell (var);
	107	--- 8118,8124 ----
	108	goto return0;
	109	}
	110	! else if (var && (invisible_p (var) \|\| var_isset (var) == 0))
	111	! temp = (char *)NULL;
	112	! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
	113	{
	114	temp = nameref_cell (var);