diff options
-rw-r--r-- | meta/recipes-extended/bash/bash/CVE-2016-0634.patch | 136 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.3.30.bb | 1 |
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch new file mode 100644 index 0000000000..71c033e9a4 --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | Bash-Release: 4.3 | ||
2 | Patch-ID: bash43-047 | ||
3 | |||
4 | Bug-Reported-by: Bernd Dietzel | ||
5 | Bug-Reference-ID: | ||
6 | Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 | ||
7 | |||
8 | Bug-Description: | ||
9 | |||
10 | Bash performs word expansions on the prompt strings after the special | ||
11 | escape sequences are expanded. If a malicious user can modify the system | ||
12 | hostname or change the name of the bash executable and coerce a user into | ||
13 | executing it, and the new name contains word expansions (including | ||
14 | command substitution), bash will expand them in prompt strings containing | ||
15 | the \h or \H and \s escape sequences, respectively. | ||
16 | |||
17 | Patch (apply with `patch -p0') | ||
18 | |||
19 | CVE: CVE-2016-0634 | ||
20 | Upstream-Status: Backport | ||
21 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
22 | |||
23 | *** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400 | ||
24 | --- parse.y 2016-03-07 15:44:14.000000000 -0500 | ||
25 | *************** | ||
26 | *** 5259,5263 **** | ||
27 | int result_size, result_index; | ||
28 | int c, n, i; | ||
29 | ! char *temp, octal_string[4]; | ||
30 | struct tm *tm; | ||
31 | time_t the_time; | ||
32 | --- 5259,5263 ---- | ||
33 | int result_size, result_index; | ||
34 | int c, n, i; | ||
35 | ! char *temp, *t_host, octal_string[4]; | ||
36 | struct tm *tm; | ||
37 | time_t the_time; | ||
38 | *************** | ||
39 | *** 5407,5411 **** | ||
40 | case 's': | ||
41 | temp = base_pathname (shell_name); | ||
42 | ! temp = savestring (temp); | ||
43 | goto add_string; | ||
44 | |||
45 | --- 5407,5415 ---- | ||
46 | case 's': | ||
47 | temp = base_pathname (shell_name); | ||
48 | ! /* Try to quote anything the user can set in the file system */ | ||
49 | ! if (promptvars || posixly_correct) | ||
50 | ! temp = sh_backslash_quote_for_double_quotes (temp); | ||
51 | ! else | ||
52 | ! temp = savestring (temp); | ||
53 | goto add_string; | ||
54 | |||
55 | *************** | ||
56 | *** 5497,5503 **** | ||
57 | case 'h': | ||
58 | case 'H': | ||
59 | ! temp = savestring (current_host_name); | ||
60 | ! if (c == 'h' && (t = (char *)strchr (temp, '.'))) | ||
61 | *t = '\0'; | ||
62 | goto add_string; | ||
63 | |||
64 | --- 5501,5515 ---- | ||
65 | case 'h': | ||
66 | case 'H': | ||
67 | ! t_host = savestring (current_host_name); | ||
68 | ! if (c == 'h' && (t = (char *)strchr (t_host, '.'))) | ||
69 | *t = '\0'; | ||
70 | + if (promptvars || posixly_correct) | ||
71 | + /* Make sure that expand_prompt_string is called with a | ||
72 | + second argument of Q_DOUBLE_QUOTES if we use this | ||
73 | + function here. */ | ||
74 | + temp = sh_backslash_quote_for_double_quotes (t_host); | ||
75 | + else | ||
76 | + temp = savestring (t_host); | ||
77 | + free (t_host); | ||
78 | goto add_string; | ||
79 | |||
80 | *** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400 | ||
81 | --- y.tab.c 2016-03-07 15:44:14.000000000 -0500 | ||
82 | *************** | ||
83 | *** 7571,7575 **** | ||
84 | int result_size, result_index; | ||
85 | int c, n, i; | ||
86 | ! char *temp, octal_string[4]; | ||
87 | struct tm *tm; | ||
88 | time_t the_time; | ||
89 | --- 7571,7575 ---- | ||
90 | int result_size, result_index; | ||
91 | int c, n, i; | ||
92 | ! char *temp, *t_host, octal_string[4]; | ||
93 | struct tm *tm; | ||
94 | time_t the_time; | ||
95 | *************** | ||
96 | *** 7719,7723 **** | ||
97 | case 's': | ||
98 | temp = base_pathname (shell_name); | ||
99 | ! temp = savestring (temp); | ||
100 | goto add_string; | ||
101 | |||
102 | --- 7719,7727 ---- | ||
103 | case 's': | ||
104 | temp = base_pathname (shell_name); | ||
105 | ! /* Try to quote anything the user can set in the file system */ | ||
106 | ! if (promptvars || posixly_correct) | ||
107 | ! temp = sh_backslash_quote_for_double_quotes (temp); | ||
108 | ! else | ||
109 | ! temp = savestring (temp); | ||
110 | goto add_string; | ||
111 | |||
112 | *************** | ||
113 | *** 7809,7815 **** | ||
114 | case 'h': | ||
115 | case 'H': | ||
116 | ! temp = savestring (current_host_name); | ||
117 | ! if (c == 'h' && (t = (char *)strchr (temp, '.'))) | ||
118 | *t = '\0'; | ||
119 | goto add_string; | ||
120 | |||
121 | --- 7813,7827 ---- | ||
122 | case 'h': | ||
123 | case 'H': | ||
124 | ! t_host = savestring (current_host_name); | ||
125 | ! if (c == 'h' && (t = (char *)strchr (t_host, '.'))) | ||
126 | *t = '\0'; | ||
127 | + if (promptvars || posixly_correct) | ||
128 | + /* Make sure that expand_prompt_string is called with a | ||
129 | + second argument of Q_DOUBLE_QUOTES if we use this | ||
130 | + function here. */ | ||
131 | + temp = sh_backslash_quote_for_double_quotes (t_host); | ||
132 | + else | ||
133 | + temp = savestring (t_host); | ||
134 | + free (t_host); | ||
135 | goto add_string; | ||
136 | |||
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index 95ed3925c7..fcd6cafd7a 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb | |||
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ | |||
21 | file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \ | 21 | file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \ |
22 | file://run-ptest \ | 22 | file://run-ptest \ |
23 | file://fix-run-builtins.patch \ | 23 | file://fix-run-builtins.patch \ |
24 | file://CVE-2016-0634.patch;striplevel=0 \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" | 27 | SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" |