1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000000..dcb8ea44c5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055 
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release: 3.2
+Patch-ID: bash32-055
+Bug-Reported-by:        Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y   2014-09-27 12:17:16.000000000 -0400
+++ b/parse.y   2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
+
+static void push_heredoc __P((REDIRECT *));
+static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+    defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
+#define HEREDOC_MAX 16
+
+static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+ 
+@@ -280,5 +285,5 @@
+    index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST  128
+-static int word_lineno[MAX_CASE_NEST];
+static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+ 
+@@ -425,5 +430,5 @@
+                          redir.filename = $2;
+                          $$ = make_redirection (0, r_reading_until, redir);
+-                         redir_stack[need_here_doc++] = $$;
+                         push_heredoc ($$);
+                        }
+        |       NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+                          redir.filename = $3;
+                          $$ = make_redirection ($1, r_reading_until, redir);
+-                         redir_stack[need_here_doc++] = $$;
+                         push_heredoc ($$);
+                        }
+        |       LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+                          $$ = make_redirection
+                            (0, r_deblank_reading_until, redir);
+-                         redir_stack[need_here_doc++] = $$;
+                         push_heredoc ($$);
+                        }
+        |       NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+                          $$ = make_redirection
+                            ($1, r_deblank_reading_until, redir);
+-                         redir_stack[need_here_doc++] = $$;
+                         push_heredoc ($$);
+                        }
+        |       GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+ 
+static void
+push_heredoc (r)
+     REDIRECT *r;
+{
+  if (need_here_doc >= HEREDOC_MAX)
+    {
+      last_command_exit_value = EX_BADUSAGE;
+      need_here_doc = 0;
+      report_syntax_error (_("maximum here-document count exceeded"));
+      reset_parser ();
+      exit_shell (last_command_exit_value);
+    }
+  redir_stack[need_here_doc++] = r;
+}
+
+ void
+ gather_here_documents ()

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch new file mode 100644 index 0000000000..dcb8ea44c5 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
	1	bash: Fix for CVE-2014-7186 and CVE-2014-7187
	2
	3	Upstream-Status: Backport {GNU Patch-ID: bash32-055}
	4
	5	Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
	6
	7	Author: Chet Ramey <chet.ramey@case.edu>
	8	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	9
	10	BASH PATCH REPORT
	11	=================
	12
	13	Bash-Release: 3.2
	14	Patch-ID: bash32-055
	15
	16	Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
	17	Bug-Reference-ID:
	18	Bug-Reference-URL:
	19
	20	Bug-Description:
	21
	22	There are two local buffer overflows in parse.y that can cause the shell
	23	to dump core when given many here-documents attached to a single command
	24	or many nested loops.
	25	---
	26	--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
	27	+++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
	28	@@ -166,4 +166,7 @@
	29	static int reserved_word_acceptable __P((int));
	30	static int yylex __P((void));
	31	+
	32	+static void push_heredoc __P((REDIRECT *));
	33	+static char mk_alexpansion __P((char ));
	34	static int alias_expand_token __P((char *));
	35	static int time_command_acceptable __P((void));
	36	@@ -254,5 +257,7 @@
	37	/* Variables to manage the task of reading here documents, because we need to
	38	defer the reading until after a complete command has been collected. */
	39	-static REDIRECT *redir_stack[10];
	40	+#define HEREDOC_MAX 16
	41	+
	42	+static REDIRECT *redir_stack[HEREDOC_MAX];
	43	int need_here_doc;
	44
	45	@@ -280,5 +285,5 @@
	46	index is decremented after a case, select, or for command is parsed. */
	47	#define MAX_CASE_NEST 128
	48	-static int word_lineno[MAX_CASE_NEST];
	49	+static int word_lineno[MAX_CASE_NEST+1];
	50	static int word_top = -1;
	51
	52	@@ -425,5 +430,5 @@
	53	redir.filename = $2;
	54	$$ = make_redirection (0, r_reading_until, redir);
	55	- redir_stack[need_here_doc++] = $$;
	56	+ push_heredoc ($$);
	57	}
	58	\| NUMBER LESS_LESS WORD
	59	@@ -431,5 +436,5 @@
	60	redir.filename = $3;
	61	$$ = make_redirection ($1, r_reading_until, redir);
	62	- redir_stack[need_here_doc++] = $$;
	63	+ push_heredoc ($$);
	64	}
	65	\| LESS_LESS_LESS WORD
	66	@@ -488,5 +493,5 @@
	67	$$ = make_redirection
	68	(0, r_deblank_reading_until, redir);
	69	- redir_stack[need_here_doc++] = $$;
	70	+ push_heredoc ($$);
	71	}
	72	\| NUMBER LESS_LESS_MINUS WORD
	73	@@ -495,5 +500,5 @@
	74	$$ = make_redirection
	75	($1, r_deblank_reading_until, redir);
	76	- redir_stack[need_here_doc++] = $$;
	77	+ push_heredoc ($$);
	78	}
	79	\| GREATER_AND '-'
	80	@@ -2214,4 +2219,19 @@
	81	static int esacs_needed_count;
	82
	83	+static void
	84	+push_heredoc (r)
	85	+ REDIRECT *r;
	86	+{
	87	+ if (need_here_doc >= HEREDOC_MAX)
	88	+ {
	89	+ last_command_exit_value = EX_BADUSAGE;
	90	+ need_here_doc = 0;
	91	+ report_syntax_error (_("maximum here-document count exceeded"));
	92	+ reset_parser ();
	93	+ exit_shell (last_command_exit_value);
	94	+ }
	95	+ redir_stack[need_here_doc++] = r;
	96	+}
	97	+
	98	void
	99	gather_here_documents ()