diff options
author | Ross Burton <ross.burton@intel.com> | 2014-09-26 00:05:18 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-09-29 12:12:46 +0100 |
commit | 215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch) | |
tree | f42d68da7db2af51636641f6552690b4a6d2df61 /meta/recipes-extended | |
parent | cf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff) | |
download | poky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz |
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | 77 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash/cve-2014-6271.patch | 114 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_3.2.48.bb | 1 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.3.bb | 1 |
4 files changed, 193 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | Fix CVE-2014-6271, aka ShellShock. | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
5 | |||
6 | *** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 | ||
7 | --- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 | ||
8 | *************** | ||
9 | *** 34,37 **** | ||
10 | --- 34,39 ---- | ||
11 | |||
12 | /* Flags for describe_command, shared between type.def and command.def */ | ||
13 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
14 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
15 | #define CDESC_ALL 0x001 /* type -a */ | ||
16 | #define CDESC_SHORTDESC 0x002 /* command -V */ | ||
17 | *** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 | ||
18 | --- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 | ||
19 | *************** | ||
20 | *** 235,238 **** | ||
21 | --- 235,246 ---- | ||
22 | struct fd_bitmap *bitmap; | ||
23 | |||
24 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
25 | + { | ||
26 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
27 | + should_jump_to_top_level = 0; | ||
28 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
29 | + break; | ||
30 | + } | ||
31 | + | ||
32 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
33 | begin_unwind_frame ("pe_dispose"); | ||
34 | *************** | ||
35 | *** 292,295 **** | ||
36 | --- 300,306 ---- | ||
37 | dispose_fd_bitmap (bitmap); | ||
38 | discard_unwind_frame ("pe_dispose"); | ||
39 | + | ||
40 | + if (flags & SEVAL_ONECMD) | ||
41 | + break; | ||
42 | } | ||
43 | } | ||
44 | *** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 | ||
45 | --- variables.c 2014-09-16 19:10:39.000000000 -0400 | ||
46 | *************** | ||
47 | *** 319,328 **** | ||
48 | strcpy (temp_string + char_index + 1, string); | ||
49 | |||
50 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
51 | ! | ||
52 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
53 | ! functions like name()=() {...} */ | ||
54 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
55 | ! name[char_index - 2] = '\0'; | ||
56 | |||
57 | if (temp_var = find_function (name)) | ||
58 | --- 319,326 ---- | ||
59 | strcpy (temp_string + char_index + 1, string); | ||
60 | |||
61 | ! /* Don't import function names that are invalid identifiers from the | ||
62 | ! environment. */ | ||
63 | ! if (legal_identifier (name)) | ||
64 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
65 | |||
66 | if (temp_var = find_function (name)) | ||
67 | *************** | ||
68 | *** 333,340 **** | ||
69 | else | ||
70 | report_error (_("error importing function definition for `%s'"), name); | ||
71 | - | ||
72 | - /* ( */ | ||
73 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
74 | - name[char_index - 2] = '('; /* ) */ | ||
75 | } | ||
76 | #if defined (ARRAY_VARS) | ||
77 | --- 331,334 ---- | ||
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch new file mode 100644 index 0000000000..d33a5c8f47 --- /dev/null +++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to | ||
2 | set the patch level. | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
6 | |||
7 | BASH PATCH REPORT | ||
8 | ================= | ||
9 | |||
10 | Bash-Release: 4.3 | ||
11 | Patch-ID: bash43-025 | ||
12 | |||
13 | Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com> | ||
14 | Bug-Reference-ID: | ||
15 | Bug-Reference-URL: | ||
16 | |||
17 | Bug-Description: | ||
18 | |||
19 | Under certain circumstances, bash will execute user code while processing the | ||
20 | environment for exported function definitions. | ||
21 | |||
22 | Patch (apply with `patch -p0'): | ||
23 | |||
24 | *** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400 | ||
25 | --- builtins/common.h 2014-09-12 14:25:47.000000000 -0400 | ||
26 | *************** | ||
27 | *** 34,37 **** | ||
28 | --- 49,54 ---- | ||
29 | #define SEVAL_PARSEONLY 0x020 | ||
30 | #define SEVAL_NOLONGJMP 0x040 | ||
31 | + #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ | ||
32 | + #define SEVAL_ONECMD 0x100 /* only allow a single command */ | ||
33 | |||
34 | /* Flags for describe_command, shared between type.def and command.def */ | ||
35 | *** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500 | ||
36 | --- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400 | ||
37 | *************** | ||
38 | *** 309,312 **** | ||
39 | --- 313,324 ---- | ||
40 | struct fd_bitmap *bitmap; | ||
41 | |||
42 | + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) | ||
43 | + { | ||
44 | + internal_warning ("%s: ignoring function definition attempt", from_file); | ||
45 | + should_jump_to_top_level = 0; | ||
46 | + last_result = last_command_exit_value = EX_BADUSAGE; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | bitmap = new_fd_bitmap (FD_BITMAP_SIZE); | ||
51 | begin_unwind_frame ("pe_dispose"); | ||
52 | *************** | ||
53 | *** 369,372 **** | ||
54 | --- 381,387 ---- | ||
55 | dispose_fd_bitmap (bitmap); | ||
56 | discard_unwind_frame ("pe_dispose"); | ||
57 | + | ||
58 | + if (flags & SEVAL_ONECMD) | ||
59 | + break; | ||
60 | } | ||
61 | } | ||
62 | *** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400 | ||
63 | --- variables.c 2014-09-14 14:23:35.000000000 -0400 | ||
64 | *************** | ||
65 | *** 359,369 **** | ||
66 | strcpy (temp_string + char_index + 1, string); | ||
67 | |||
68 | ! if (posixly_correct == 0 || legal_identifier (name)) | ||
69 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); | ||
70 | ! | ||
71 | ! /* Ancient backwards compatibility. Old versions of bash exported | ||
72 | ! functions like name()=() {...} */ | ||
73 | ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') | ||
74 | ! name[char_index - 2] = '\0'; | ||
75 | |||
76 | if (temp_var = find_function (name)) | ||
77 | --- 364,372 ---- | ||
78 | strcpy (temp_string + char_index + 1, string); | ||
79 | |||
80 | ! /* Don't import function names that are invalid identifiers from the | ||
81 | ! environment, though we still allow them to be defined as shell | ||
82 | ! variables. */ | ||
83 | ! if (legal_identifier (name)) | ||
84 | ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); | ||
85 | |||
86 | if (temp_var = find_function (name)) | ||
87 | *************** | ||
88 | *** 382,389 **** | ||
89 | report_error (_("error importing function definition for `%s'"), name); | ||
90 | } | ||
91 | - | ||
92 | - /* ( */ | ||
93 | - if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') | ||
94 | - name[char_index - 2] = '('; /* ) */ | ||
95 | } | ||
96 | #if defined (ARRAY_VARS) | ||
97 | --- 385,388 ---- | ||
98 | *** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400 | ||
99 | --- subst.c 2014-09-12 15:31:04.000000000 -0400 | ||
100 | *************** | ||
101 | *** 8048,8052 **** | ||
102 | goto return0; | ||
103 | } | ||
104 | ! else if (var = find_variable_last_nameref (temp1)) | ||
105 | { | ||
106 | temp = nameref_cell (var); | ||
107 | --- 8118,8124 ---- | ||
108 | goto return0; | ||
109 | } | ||
110 | ! else if (var && (invisible_p (var) || var_isset (var) == 0)) | ||
111 | ! temp = (char *)NULL; | ||
112 | ! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) | ||
113 | { | ||
114 | temp = nameref_cell (var); | ||
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index fe04b28e7c..5849ed0169 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb | |||
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ | |||
12 | file://mkbuiltins_have_stringize.patch \ | 12 | file://mkbuiltins_have_stringize.patch \ |
13 | file://build-tests.patch \ | 13 | file://build-tests.patch \ |
14 | file://test-output.patch \ | 14 | file://test-output.patch \ |
15 | file://cve-2014-6271.patch;striplevel=0 \ | ||
15 | file://run-ptest \ | 16 | file://run-ptest \ |
16 | " | 17 | " |
17 | 18 | ||
diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb index 25b7410c52..febaf338fa 100644 --- a/meta/recipes-extended/bash/bash_4.3.bb +++ b/meta/recipes-extended/bash/bash_4.3.bb | |||
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \ | |||
9 | file://mkbuiltins_have_stringize.patch \ | 9 | file://mkbuiltins_have_stringize.patch \ |
10 | file://build-tests.patch \ | 10 | file://build-tests.patch \ |
11 | file://test-output.patch \ | 11 | file://test-output.patch \ |
12 | file://cve-2014-6271.patch;striplevel=0 \ | ||
12 | file://run-ptest \ | 13 | file://run-ptest \ |
13 | " | 14 | " |
14 | 15 | ||