diff options
Diffstat (limited to 'meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch')
-rw-r--r-- | meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch new file mode 100644 index 0000000000..b51ce5f444 --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch | |||
@@ -0,0 +1,167 @@ | |||
1 | bash: Fix for CVE-2014-7186 and CVE-2014-7187 | ||
2 | |||
3 | Upstream-Status: Backport {GNU Patch-ID: bash42-051} | ||
4 | |||
5 | Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051 | ||
6 | |||
7 | Author: Chet Ramey <chet.ramey@case.edu> | ||
8 | Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> | ||
9 | |||
10 | BASH PATCH REPORT | ||
11 | ================= | ||
12 | |||
13 | Bash-Release: 4.2 | ||
14 | Patch-ID: bash42-051 | ||
15 | |||
16 | Bug-Reported-by: Florian Weimer <fweimer@redhat.com> | ||
17 | Bug-Reference-ID: | ||
18 | Bug-Reference-URL: | ||
19 | |||
20 | Bug-Description: | ||
21 | |||
22 | There are two local buffer overflows in parse.y that can cause the shell | ||
23 | to dump core when given many here-documents attached to a single command | ||
24 | or many nested loops. | ||
25 | |||
26 | Patch (apply with `patch -p0'): | ||
27 | |||
28 | *** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400 | ||
29 | --- parse.y 2014-09-30 19:24:19.000000000 -0400 | ||
30 | *************** | ||
31 | *** 168,171 **** | ||
32 | --- 168,174 ---- | ||
33 | static int reserved_word_acceptable __P((int)); | ||
34 | static int yylex __P((void)); | ||
35 | + | ||
36 | + static void push_heredoc __P((REDIRECT *)); | ||
37 | + static char *mk_alexpansion __P((char *)); | ||
38 | static int alias_expand_token __P((char *)); | ||
39 | static int time_command_acceptable __P((void)); | ||
40 | *************** | ||
41 | *** 265,269 **** | ||
42 | /* Variables to manage the task of reading here documents, because we need to | ||
43 | defer the reading until after a complete command has been collected. */ | ||
44 | ! static REDIRECT *redir_stack[10]; | ||
45 | int need_here_doc; | ||
46 | |||
47 | --- 268,274 ---- | ||
48 | /* Variables to manage the task of reading here documents, because we need to | ||
49 | defer the reading until after a complete command has been collected. */ | ||
50 | ! #define HEREDOC_MAX 16 | ||
51 | ! | ||
52 | ! static REDIRECT *redir_stack[HEREDOC_MAX]; | ||
53 | int need_here_doc; | ||
54 | |||
55 | *************** | ||
56 | *** 307,311 **** | ||
57 | index is decremented after a case, select, or for command is parsed. */ | ||
58 | #define MAX_CASE_NEST 128 | ||
59 | ! static int word_lineno[MAX_CASE_NEST]; | ||
60 | static int word_top = -1; | ||
61 | |||
62 | --- 312,316 ---- | ||
63 | index is decremented after a case, select, or for command is parsed. */ | ||
64 | #define MAX_CASE_NEST 128 | ||
65 | ! static int word_lineno[MAX_CASE_NEST+1]; | ||
66 | static int word_top = -1; | ||
67 | |||
68 | *************** | ||
69 | *** 520,524 **** | ||
70 | redir.filename = $2; | ||
71 | $$ = make_redirection (source, r_reading_until, redir, 0); | ||
72 | ! redir_stack[need_here_doc++] = $$; | ||
73 | } | ||
74 | | NUMBER LESS_LESS WORD | ||
75 | --- 525,529 ---- | ||
76 | redir.filename = $2; | ||
77 | $$ = make_redirection (source, r_reading_until, redir, 0); | ||
78 | ! push_heredoc ($$); | ||
79 | } | ||
80 | | NUMBER LESS_LESS WORD | ||
81 | *************** | ||
82 | *** 527,531 **** | ||
83 | redir.filename = $3; | ||
84 | $$ = make_redirection (source, r_reading_until, redir, 0); | ||
85 | ! redir_stack[need_here_doc++] = $$; | ||
86 | } | ||
87 | | REDIR_WORD LESS_LESS WORD | ||
88 | --- 532,536 ---- | ||
89 | redir.filename = $3; | ||
90 | $$ = make_redirection (source, r_reading_until, redir, 0); | ||
91 | ! push_heredoc ($$); | ||
92 | } | ||
93 | | REDIR_WORD LESS_LESS WORD | ||
94 | *************** | ||
95 | *** 534,538 **** | ||
96 | redir.filename = $3; | ||
97 | $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); | ||
98 | ! redir_stack[need_here_doc++] = $$; | ||
99 | } | ||
100 | | LESS_LESS_MINUS WORD | ||
101 | --- 539,543 ---- | ||
102 | redir.filename = $3; | ||
103 | $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); | ||
104 | ! push_heredoc ($$); | ||
105 | } | ||
106 | | LESS_LESS_MINUS WORD | ||
107 | *************** | ||
108 | *** 541,545 **** | ||
109 | redir.filename = $2; | ||
110 | $$ = make_redirection (source, r_deblank_reading_until, redir, 0); | ||
111 | ! redir_stack[need_here_doc++] = $$; | ||
112 | } | ||
113 | | NUMBER LESS_LESS_MINUS WORD | ||
114 | --- 546,550 ---- | ||
115 | redir.filename = $2; | ||
116 | $$ = make_redirection (source, r_deblank_reading_until, redir, 0); | ||
117 | ! push_heredoc ($$); | ||
118 | } | ||
119 | | NUMBER LESS_LESS_MINUS WORD | ||
120 | *************** | ||
121 | *** 548,552 **** | ||
122 | redir.filename = $3; | ||
123 | $$ = make_redirection (source, r_deblank_reading_until, redir, 0); | ||
124 | ! redir_stack[need_here_doc++] = $$; | ||
125 | } | ||
126 | | REDIR_WORD LESS_LESS_MINUS WORD | ||
127 | --- 553,557 ---- | ||
128 | redir.filename = $3; | ||
129 | $$ = make_redirection (source, r_deblank_reading_until, redir, 0); | ||
130 | ! push_heredoc ($$); | ||
131 | } | ||
132 | | REDIR_WORD LESS_LESS_MINUS WORD | ||
133 | *************** | ||
134 | *** 555,559 **** | ||
135 | redir.filename = $3; | ||
136 | $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); | ||
137 | ! redir_stack[need_here_doc++] = $$; | ||
138 | } | ||
139 | | LESS_LESS_LESS WORD | ||
140 | --- 560,564 ---- | ||
141 | redir.filename = $3; | ||
142 | $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); | ||
143 | ! push_heredoc ($$); | ||
144 | } | ||
145 | | LESS_LESS_LESS WORD | ||
146 | *************** | ||
147 | *** 2534,2537 **** | ||
148 | --- 2539,2557 ---- | ||
149 | static int esacs_needed_count; | ||
150 | |||
151 | + static void | ||
152 | + push_heredoc (r) | ||
153 | + REDIRECT *r; | ||
154 | + { | ||
155 | + if (need_here_doc >= HEREDOC_MAX) | ||
156 | + { | ||
157 | + last_command_exit_value = EX_BADUSAGE; | ||
158 | + need_here_doc = 0; | ||
159 | + report_syntax_error (_("maximum here-document count exceeded")); | ||
160 | + reset_parser (); | ||
161 | + exit_shell (last_command_exit_value); | ||
162 | + } | ||
163 | + redir_stack[need_here_doc++] = r; | ||
164 | + } | ||
165 | + | ||
166 | void | ||
167 | gather_here_documents () | ||