diff options
author | Ross Burton <ross.burton@intel.com> | 2014-09-26 00:05:18 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-09-29 12:12:46 +0100 |
commit | 215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch) | |
tree | f42d68da7db2af51636641f6552690b4a6d2df61 /meta/recipes-extended/bash/bash | |
parent | cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff) | |
download | poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz |
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/bash/bash')
-rw-r--r-- | meta/recipes-extended/bash/bash/cve-2014-6271.patch | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch new file mode 100644 index 0000000000..d33a5c8f47 --- /dev/null +++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to | ||
2 | set the patch level. | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
6 | |||
7 | BASH PATCH REPORT | ||
8 | ================= | ||
9 | |||
10 | Bash-Release: 4.3 | ||
11 | Patch-ID: bash43-025 | ||
12 | |||
13 | Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com> | ||
14 | Bug-Reference-ID: | ||
15 | Bug-Reference-URL: | ||
16 | |||
17 | Bug-Description: | ||
18 | |||
19 | Under certain circumstances, bash will execute user code while processing the | ||
20 | environment for exported function definitions. | ||
21 | |||
22 | Patch (apply with `patch -p0'): | ||
23 | |||
24 | *** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400 | ||
25 | --- builtins/common.h 2014-09-12 14:25:47.000000000 -0400 | ||
26 | *************** | ||
27 | *** 34,37 **** | ||
28 | --- 49,54 ---- | ||
29 | #define SEVAL_PARSEONLY 0x020 | ||
30 | #define SEVAL_NOLONGJMP 0x040 | ||
31 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
32 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
33 | |||
34 | /* Flags for describe_command, shared between type.def and command.def */ | ||
35 | *** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500 | ||
36 | --- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400 | ||
37 | *************** | ||
38 | *** 309,312 **** | ||
39 | --- 313,324 ---- | ||
40 | struct fd_bitmap *bitmap; | ||
41 | |||
42 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
43 | + { | ||
44 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
45 | + should_jump_to_top_level = 0; | ||
46 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
51 | begin_unwind_frame ("pe_dispose"); | ||
52 | *************** | ||
53 | *** 369,372 **** | ||
54 | --- 381,387 ---- | ||
55 | dispose_fd_bitmap (bitmap); | ||
56 | discard_unwind_frame ("pe_dispose"); | ||
57 | + | ||
58 | + if (flags & SEVAL_ONECMD) | ||
59 | + break; | ||
60 | } | ||
61 | } | ||
62 | *** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400 | ||
63 | --- variables.c 2014-09-14 14:23:35.000000000 -0400 | ||
64 | *************** | ||
65 | *** 359,369 **** | ||
66 | strcpy (temp_string + char_index + 1, string); | ||
67 | |||
68 | ! if (posixly_correct == 0 || legal_identifier (name)) | ||
69 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
70 | ! | ||
71 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
72 | ! functions like name()=() {...} */ | ||
73 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
74 | ! name[char_index - 2] = '\0'; | ||
75 | |||
76 | if (temp_var = find_function (name)) | ||
77 | --- 364,372 ---- | ||
78 | strcpy (temp_string + char_index + 1, string); | ||
79 | |||
80 | ! /* Don't import function names that are invalid identifiers from the | ||
81 | ! environment, though we still allow them to be defined as shell | ||
82 | ! variables. */ | ||
83 | ! if (legal_identifier (name)) | ||
84 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
85 | |||
86 | if (temp_var = find_function (name)) | ||
87 | *************** | ||
88 | *** 382,389 **** | ||
89 | report_error (_("error importing function definition for `%s'"), name); | ||
90 | } | ||
91 | - | ||
92 | - /* ( */ | ||
93 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
94 | - name[char_index - 2] = '('; /* ) */ | ||
95 | } | ||
96 | #if defined (ARRAY_VARS) | ||
97 | --- 385,388 ---- | ||
98 | *** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400 | ||
99 | --- subst.c 2014-09-12 15:31:04.000000000 -0400 | ||
100 | *************** | ||
101 | *** 8048,8052 **** | ||
102 | goto return0; | ||
103 | } | ||
104 | ! else if (var = find_variable_last_nameref (temp1)) | ||
105 | { | ||
106 | temp = nameref_cell (var); | ||
107 | --- 8118,8124 ---- | ||
108 | goto return0; | ||
109 | } | ||
110 | ! else if (var && (invisible_p (var) || var_isset (var) == 0)) | ||
111 | ! temp = (char *)NULL; | ||
112 | ! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) | ||
113 | { | ||
114 | temp = nameref_cell (var); | ||