summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2014-09-26 00:05:18 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-09-29 12:12:46 +0100
commit215e7b98ae4865b0f24b1cb9c53161fef170b270 (patch)
treef42d68da7db2af51636641f6552690b4a6d2df61 /meta/recipes-extended
parentcf9fbf53b933d627bab71cc3f3dbb50a6bca3ec1 (diff)
downloadpoky-215e7b98ae4865b0f24b1cb9c53161fef170b270.tar.gz
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch77
-rw-r--r--meta/recipes-extended/bash/bash/cve-2014-6271.patch114
-rw-r--r--meta/recipes-extended/bash/bash_3.2.48.bb1
-rw-r--r--meta/recipes-extended/bash/bash_4.3.bb1
4 files changed, 193 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
new file mode 100644
index 0000000000..7226ffb665
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
1Fix CVE-2014-6271, aka ShellShock.
2
3Upstream-Status: Backport
4Signed-off-by: Ross Burton <ross.burton@intel.com>
5
6*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
7--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
8***************
9*** 34,37 ****
10--- 34,39 ----
11
12 /* Flags for describe_command, shared between type.def and command.def */
13+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
14+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
15 #define CDESC_ALL 0x001 /* type -a */
16 #define CDESC_SHORTDESC 0x002 /* command -V */
17*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500
18--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
19***************
20*** 235,238 ****
21--- 235,246 ----
22 struct fd_bitmap *bitmap;
23
24+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
25+ {
26+ internal_warning ("%s: ignoring function definition attempt", from_file);
27+ should_jump_to_top_level = 0;
28+ last_result = last_command_exit_value = EX_BADUSAGE;
29+ break;
30+ }
31+
32 bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
33 begin_unwind_frame ("pe_dispose");
34***************
35*** 292,295 ****
36--- 300,306 ----
37 dispose_fd_bitmap (bitmap);
38 discard_unwind_frame ("pe_dispose");
39+
40+ if (flags & SEVAL_ONECMD)
41+ break;
42 }
43 }
44*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
45--- variables.c 2014-09-16 19:10:39.000000000 -0400
46***************
47*** 319,328 ****
48 strcpy (temp_string + char_index + 1, string);
49
50! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
51!
52! /* Ancient backwards compatibility. Old versions of bash exported
53! functions like name()=() {...} */
54! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
55! name[char_index - 2] = '\0';
56
57 if (temp_var = find_function (name))
58--- 319,326 ----
59 strcpy (temp_string + char_index + 1, string);
60
61! /* Don't import function names that are invalid identifiers from the
62! environment. */
63! if (legal_identifier (name))
64! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
65
66 if (temp_var = find_function (name))
67***************
68*** 333,340 ****
69 else
70 report_error (_("error importing function definition for `%s'"), name);
71-
72- /* ( */
73- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
74- name[char_index - 2] = '('; /* ) */
75 }
76 #if defined (ARRAY_VARS)
77--- 331,334 ----
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
new file mode 100644
index 0000000000..d33a5c8f47
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
1Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to
2set the patch level.
3
4Upstream-Status: Backport
5Signed-off-by: Ross Burton <ross.burton@intel.com>
6
7 BASH PATCH REPORT
8 =================
9
10Bash-Release: 4.3
11Patch-ID: bash43-025
12
13Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
14Bug-Reference-ID:
15Bug-Reference-URL:
16
17Bug-Description:
18
19Under certain circumstances, bash will execute user code while processing the
20environment for exported function definitions.
21
22Patch (apply with `patch -p0'):
23
24*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
25--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
26***************
27*** 34,37 ****
28--- 49,54 ----
29 #define SEVAL_PARSEONLY 0x020
30 #define SEVAL_NOLONGJMP 0x040
31+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
32+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
33
34 /* Flags for describe_command, shared between type.def and command.def */
35*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
36--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
37***************
38*** 309,312 ****
39--- 313,324 ----
40 struct fd_bitmap *bitmap;
41
42+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
43+ {
44+ internal_warning ("%s: ignoring function definition attempt", from_file);
45+ should_jump_to_top_level = 0;
46+ last_result = last_command_exit_value = EX_BADUSAGE;
47+ break;
48+ }
49+
50 bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
51 begin_unwind_frame ("pe_dispose");
52***************
53*** 369,372 ****
54--- 381,387 ----
55 dispose_fd_bitmap (bitmap);
56 discard_unwind_frame ("pe_dispose");
57+
58+ if (flags & SEVAL_ONECMD)
59+ break;
60 }
61 }
62*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
63--- variables.c 2014-09-14 14:23:35.000000000 -0400
64***************
65*** 359,369 ****
66 strcpy (temp_string + char_index + 1, string);
67
68! if (posixly_correct == 0 || legal_identifier (name))
69! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
70!
71! /* Ancient backwards compatibility. Old versions of bash exported
72! functions like name()=() {...} */
73! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
74! name[char_index - 2] = '\0';
75
76 if (temp_var = find_function (name))
77--- 364,372 ----
78 strcpy (temp_string + char_index + 1, string);
79
80! /* Don't import function names that are invalid identifiers from the
81! environment, though we still allow them to be defined as shell
82! variables. */
83! if (legal_identifier (name))
84! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
85
86 if (temp_var = find_function (name))
87***************
88*** 382,389 ****
89 report_error (_("error importing function definition for `%s'"), name);
90 }
91-
92- /* ( */
93- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
94- name[char_index - 2] = '('; /* ) */
95 }
96 #if defined (ARRAY_VARS)
97--- 385,388 ----
98*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
99--- subst.c 2014-09-12 15:31:04.000000000 -0400
100***************
101*** 8048,8052 ****
102 goto return0;
103 }
104! else if (var = find_variable_last_nameref (temp1))
105 {
106 temp = nameref_cell (var);
107--- 8118,8124 ----
108 goto return0;
109 }
110! else if (var && (invisible_p (var) || var_isset (var) == 0))
111! temp = (char *)NULL;
112! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
113 {
114 temp = nameref_cell (var);
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index fe04b28e7c..5849ed0169 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
12 file://mkbuiltins_have_stringize.patch \ 12 file://mkbuiltins_have_stringize.patch \
13 file://build-tests.patch \ 13 file://build-tests.patch \
14 file://test-output.patch \ 14 file://test-output.patch \
15 file://cve-2014-6271.patch;striplevel=0 \
15 file://run-ptest \ 16 file://run-ptest \
16 " 17 "
17 18
diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb
index 25b7410c52..febaf338fa 100644
--- a/meta/recipes-extended/bash/bash_4.3.bb
+++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
9 file://mkbuiltins_have_stringize.patch \ 9 file://mkbuiltins_have_stringize.patch \
10 file://build-tests.patch \ 10 file://build-tests.patch \
11 file://test-output.patch \ 11 file://test-output.patch \
12 file://cve-2014-6271.patch;striplevel=0 \
12 file://run-ptest \ 13 file://run-ptest \
13 " 14 "
14 15