diff options
author | Li Zhou <li.zhou@windriver.com> | 2017-02-13 10:53:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-02-15 20:06:44 -0800 |
commit | 1b2857a781b6666feaf5d3c91dc02ac263d0c4f6 (patch) | |
tree | bb7a01c901c1601be9514130d451730f2ec2b959 /meta | |
parent | 70907e352e62c45566b07c4fca1d116ca8d1bbe5 (diff) | |
download | poky-1b2857a781b6666feaf5d3c91dc02ac263d0c4f6.tar.gz |
bash: fix CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell
and cause a use-after-free via a crafted address.
Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/
bash44-006> to solve CVE-2016-9401.
(From OE-Core rev: 6987b317d5ce8dc50a37ebba395aa8424bec358c)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/bash/bash/CVE-2016-9401.patch | 50 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.3.30.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-9401.patch b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch new file mode 100644 index 0000000000..28c927743c --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chet Ramey <chet.ramey@case.edu> | ||
3 | Date: Fri, 20 Jan 2017 11:47:31 -0500 | ||
4 | Subject: [PATCH] Bash-4.4 patch 6 | ||
5 | |||
6 | Bug-Reference-URL: | ||
7 | https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html | ||
8 | |||
9 | Reference to upstream patch: | ||
10 | https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006 | ||
11 | |||
12 | Bug-Description: | ||
13 | Out-of-range negative offsets to popd can cause the shell to crash attempting | ||
14 | to free an invalid memory block. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | CVE: CVE-2016-9401 | ||
18 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
19 | --- | ||
20 | builtins/pushd.def | 7 ++++++- | ||
21 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/builtins/pushd.def b/builtins/pushd.def | ||
24 | index 9c6548f..8a13bae 100644 | ||
25 | --- a/builtins/pushd.def | ||
26 | +++ b/builtins/pushd.def | ||
27 | @@ -359,7 +359,7 @@ popd_builtin (list) | ||
28 | break; | ||
29 | } | ||
30 | |||
31 | - if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) | ||
32 | + if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) | ||
33 | { | ||
34 | pushd_error (directory_list_offset, which_word ? which_word : ""); | ||
35 | return (EXECUTION_FAILURE); | ||
36 | @@ -381,6 +381,11 @@ popd_builtin (list) | ||
37 | remove that directory from the list and shift the remainder | ||
38 | of the list into place. */ | ||
39 | i = (direction == '+') ? directory_list_offset - which : which; | ||
40 | + if (i < 0 || i > directory_list_offset) | ||
41 | + { | ||
42 | + pushd_error (directory_list_offset, which_word ? which_word : ""); | ||
43 | + return (EXECUTION_FAILURE); | ||
44 | + } | ||
45 | free (pushd_directory_list[i]); | ||
46 | directory_list_offset--; | ||
47 | |||
48 | -- | ||
49 | 1.9.1 | ||
50 | |||
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index 765562fbdd..e398e87b60 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ | |||
30 | file://fix-run-builtins.patch \ | 30 | file://fix-run-builtins.patch \ |
31 | file://0001-help-fix-printf-format-security-warning.patch \ | 31 | file://0001-help-fix-printf-format-security-warning.patch \ |
32 | file://fix-run-intl.patch \ | 32 | file://fix-run-intl.patch \ |
33 | file://CVE-2016-9401.patch \ | ||
33 | " | 34 | " |
34 | 35 | ||
35 | SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" | 36 | SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" |