diff options
author | Catalin Popeanga <Catalin.Popeanga@enea.com> | 2014-10-09 14:24:53 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-13 11:18:39 +0100 |
commit | b03f4da5489608f06630c61060a1280a303c0d84 (patch) | |
tree | 953e0adb042544e2ee1b8ed8bf8e5ea8cd0f00c5 /meta/recipes-extended | |
parent | db7891c164f8522358a850014754eb6a0bd64c2d (diff) | |
download | poky-b03f4da5489608f06630c61060a1280a303c0d84.tar.gz |
bash: Fix for CVE-2014-6277
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
(From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch | 44 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch | 44 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_3.2.48.bb | 1 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.2.bb | 1 |
4 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch new file mode 100644 index 0000000000..ed63916669 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | bash: Fix CVE-2014-6277 (shellshock) | ||
2 | |||
3 | Upstream-status: backport | ||
4 | |||
5 | Downloaded from: | ||
6 | ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056 | ||
7 | |||
8 | Author: Chet Ramey <chet.ramey@case.edu> | ||
9 | Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com> | ||
10 | |||
11 | BASH PATCH REPORT | ||
12 | ================= | ||
13 | |||
14 | Bash-Release: 3.2 | ||
15 | Patch-ID: bash32-056 | ||
16 | |||
17 | Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx> | ||
18 | Bug-Reference-ID: | ||
19 | Bug-Reference-URL: | ||
20 | |||
21 | Bug-Description: | ||
22 | |||
23 | When bash is parsing a function definition that contains a here-document | ||
24 | delimited by end-of-file (or end-of-string), it leaves the closing delimiter | ||
25 | uninitialized. This can result in an invalid memory access when the parsed | ||
26 | function is later copied. | ||
27 | --- | ||
28 | --- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400 | ||
29 | +++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400 | ||
30 | @@ -677,4 +677,5 @@ | ||
31 | temp->redirector = source; | ||
32 | temp->redirectee = dest_and_filename; | ||
33 | + temp->here_doc_eof = 0; | ||
34 | temp->instruction = instruction; | ||
35 | temp->flags = 0; | ||
36 | --- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400 | ||
37 | +++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400 | ||
38 | @@ -117,5 +117,5 @@ | ||
39 | case r_reading_until: | ||
40 | case r_deblank_reading_until: | ||
41 | - new_redirect->here_doc_eof = savestring (redirect->here_doc_eof); | ||
42 | + new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0; | ||
43 | /*FALLTHROUGH*/ | ||
44 | case r_reading_string: | ||
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch new file mode 100644 index 0000000000..83b40027cf --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | bash: Fix CVE-2014-6277 (shellshock) | ||
2 | |||
3 | Upstream-status: backport | ||
4 | |||
5 | Downloaded from: | ||
6 | ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029 | ||
7 | |||
8 | Author: Chet Ramey <chet.ramey@case.edu> | ||
9 | Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com> | ||
10 | |||
11 | BASH PATCH REPORT | ||
12 | ================= | ||
13 | |||
14 | Bash-Release: 4.3 | ||
15 | Patch-ID: bash43-029 | ||
16 | |||
17 | Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx> | ||
18 | Bug-Reference-ID: | ||
19 | Bug-Reference-URL: | ||
20 | |||
21 | Bug-Description: | ||
22 | |||
23 | When bash is parsing a function definition that contains a here-document | ||
24 | delimited by end-of-file (or end-of-string), it leaves the closing delimiter | ||
25 | uninitialized. This can result in an invalid memory access when the parsed | ||
26 | function is later copied. | ||
27 | --- | ||
28 | --- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500 | ||
29 | +++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400 | ||
30 | @@ -693,4 +693,5 @@ | ||
31 | temp->redirector = source; | ||
32 | temp->redirectee = dest_and_filename; | ||
33 | + temp->here_doc_eof = 0; | ||
34 | temp->instruction = instruction; | ||
35 | temp->flags = 0; | ||
36 | --- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400 | ||
37 | +++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400 | ||
38 | @@ -127,5 +127,5 @@ | ||
39 | case r_reading_until: | ||
40 | case r_deblank_reading_until: | ||
41 | - new_redirect->here_doc_eof = savestring (redirect->here_doc_eof); | ||
42 | + new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0; | ||
43 | /*FALLTHROUGH*/ | ||
44 | case r_reading_string: | ||
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 2b26ae75c2..4bd97e7116 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb | |||
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ | |||
16 | file://cve-2014-7169.patch \ | 16 | file://cve-2014-7169.patch \ |
17 | file://Fix-for-bash-exported-function-namespace-change.patch \ | 17 | file://Fix-for-bash-exported-function-namespace-change.patch \ |
18 | file://cve-2014-7186_cve-2014-7187.patch \ | 18 | file://cve-2014-7186_cve-2014-7187.patch \ |
19 | file://cve-2014-6277.patch \ | ||
19 | file://run-ptest \ | 20 | file://run-ptest \ |
20 | " | 21 | " |
21 | 22 | ||
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index ae63ad3745..35af8128c3 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb | |||
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \ | |||
25 | file://cve-2014-7169.patch \ | 25 | file://cve-2014-7169.patch \ |
26 | file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \ | 26 | file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \ |
27 | file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \ | 27 | file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \ |
28 | file://cve-2014-6277.patch \ | ||
28 | file://run-ptest \ | 29 | file://run-ptest \ |
29 | " | 30 | " |
30 | 31 | ||