1 files changed, 167 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000000..b51ce5f444
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,167 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+Upstream-Status: Backport {GNU Patch-ID: bash42-051}
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.2
+Patch-ID:       bash42-051
+Bug-Reported-by:        Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+Patch (apply with `patch -p0'):
+*** ../bash-4.2.50/parse.y      2014-09-27 12:18:53.000000000 -0400
+--- parse.y     2014-09-30 19:24:19.000000000 -0400
+***************
+*** 168,171 ****
+--- 168,174 ----
+  static int reserved_word_acceptable __P((int));
+  static int yylex __P((void));
+ 
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
+  static int alias_expand_token __P((char *));
+  static int time_command_acceptable __P((void));
+***************
+*** 265,269 ****
+  /* Variables to manage the task of reading here documents, because we need to
+     defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+  int need_here_doc;
+  
+--- 268,274 ----
+  /* Variables to manage the task of reading here documents, because we need to
+     defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+! 
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+  int need_here_doc;
+  
+***************
+*** 307,311 ****
+     index is decremented after a case, select, or for command is parsed. */
+  #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+  static int word_top = -1;
+  
+--- 312,316 ----
+     index is decremented after a case, select, or for command is parsed. */
+  #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+  static int word_top = -1;
+  
+***************
+*** 520,524 ****
+                          redir.filename = $2;
+                          $$ = make_redirection (source, r_reading_until, redir, 0);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       NUMBER LESS_LESS WORD
+--- 525,529 ----
+                          redir.filename = $2;
+                          $$ = make_redirection (source, r_reading_until, redir, 0);
+!                         push_heredoc ($$);
+                        }
+        |       NUMBER LESS_LESS WORD
+***************
+*** 527,531 ****
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_reading_until, redir, 0);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       REDIR_WORD LESS_LESS WORD
+--- 532,536 ----
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_reading_until, redir, 0);
+!                         push_heredoc ($$);
+                        }
+        |       REDIR_WORD LESS_LESS WORD
+***************
+*** 534,538 ****
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       LESS_LESS_MINUS WORD
+--- 539,543 ----
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+!                         push_heredoc ($$);
+                        }
+        |       LESS_LESS_MINUS WORD
+***************
+*** 541,545 ****
+                          redir.filename = $2;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       NUMBER LESS_LESS_MINUS WORD
+--- 546,550 ----
+                          redir.filename = $2;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+!                         push_heredoc ($$);
+                        }
+        |       NUMBER LESS_LESS_MINUS WORD
+***************
+*** 548,552 ****
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       REDIR_WORD  LESS_LESS_MINUS WORD
+--- 553,557 ----
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+!                         push_heredoc ($$);
+                        }
+        |       REDIR_WORD  LESS_LESS_MINUS WORD
+***************
+*** 555,559 ****
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+!                         redir_stack[need_here_doc++] = $$;
+                        }
+        |       LESS_LESS_LESS WORD
+--- 560,564 ----
+                          redir.filename = $3;
+                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+!                         push_heredoc ($$);
+                        }
+        |       LESS_LESS_LESS WORD
+***************
+*** 2534,2537 ****
+--- 2539,2557 ----
+  static int esacs_needed_count;
+  
+ static void
+ push_heredoc (r)
+      REDIRECT *r;
+ {
+   if (need_here_doc >= HEREDOC_MAX)
+     {
+       last_command_exit_value = EX_BADUSAGE;
+       need_here_doc = 0;
+       report_syntax_error (_("maximum here-document count exceeded"));
+       reset_parser ();
+       exit_shell (last_command_exit_value);
+     }
+   redir_stack[need_here_doc++] = r;
+ }
+ 
+  void
+  gather_here_documents ()

diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch new file mode 100644 index 0000000000..b51ce5f444 --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,167 @@
	1	bash: Fix for CVE-2014-7186 and CVE-2014-7187
	2
	3	Upstream-Status: Backport {GNU Patch-ID: bash42-051}
	4
	5	Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
	6
	7	Author: Chet Ramey <chet.ramey@case.edu>
	8	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
	9
	10	BASH PATCH REPORT
	11	=================
	12
	13	Bash-Release: 4.2
	14	Patch-ID: bash42-051
	15
	16	Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
	17	Bug-Reference-ID:
	18	Bug-Reference-URL:
	19
	20	Bug-Description:
	21
	22	There are two local buffer overflows in parse.y that can cause the shell
	23	to dump core when given many here-documents attached to a single command
	24	or many nested loops.
	25
	26	Patch (apply with `patch -p0'):
	27
	28	*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
	29	--- parse.y 2014-09-30 19:24:19.000000000 -0400
	30	***************
	31	* 168,171 **
	32	--- 168,174 ----
	33	static int reserved_word_acceptable __P((int));
	34	static int yylex __P((void));
	35	+
	36	+ static void push_heredoc __P((REDIRECT *));
	37	+ static char mk_alexpansion __P((char ));
	38	static int alias_expand_token __P((char *));
	39	static int time_command_acceptable __P((void));
	40	***************
	41	* 265,269 **
	42	/* Variables to manage the task of reading here documents, because we need to
	43	defer the reading until after a complete command has been collected. */
	44	! static REDIRECT *redir_stack[10];
	45	int need_here_doc;
	46
	47	--- 268,274 ----
	48	/* Variables to manage the task of reading here documents, because we need to
	49	defer the reading until after a complete command has been collected. */
	50	! #define HEREDOC_MAX 16
	51	!
	52	! static REDIRECT *redir_stack[HEREDOC_MAX];
	53	int need_here_doc;
	54
	55	***************
	56	* 307,311 **
	57	index is decremented after a case, select, or for command is parsed. */
	58	#define MAX_CASE_NEST 128
	59	! static int word_lineno[MAX_CASE_NEST];
	60	static int word_top = -1;
	61
	62	--- 312,316 ----
	63	index is decremented after a case, select, or for command is parsed. */
	64	#define MAX_CASE_NEST 128
	65	! static int word_lineno[MAX_CASE_NEST+1];
	66	static int word_top = -1;
	67
	68	***************
	69	* 520,524 **
	70	redir.filename = $2;
	71	$$ = make_redirection (source, r_reading_until, redir, 0);
	72	! redir_stack[need_here_doc++] = $$;
	73	}
	74	\| NUMBER LESS_LESS WORD
	75	--- 525,529 ----
	76	redir.filename = $2;
	77	$$ = make_redirection (source, r_reading_until, redir, 0);
	78	! push_heredoc ($$);
	79	}
	80	\| NUMBER LESS_LESS WORD
	81	***************
	82	* 527,531 **
	83	redir.filename = $3;
	84	$$ = make_redirection (source, r_reading_until, redir, 0);
	85	! redir_stack[need_here_doc++] = $$;
	86	}
	87	\| REDIR_WORD LESS_LESS WORD
	88	--- 532,536 ----
	89	redir.filename = $3;
	90	$$ = make_redirection (source, r_reading_until, redir, 0);
	91	! push_heredoc ($$);
	92	}
	93	\| REDIR_WORD LESS_LESS WORD
	94	***************
	95	* 534,538 **
	96	redir.filename = $3;
	97	$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
	98	! redir_stack[need_here_doc++] = $$;
	99	}
	100	\| LESS_LESS_MINUS WORD
	101	--- 539,543 ----
	102	redir.filename = $3;
	103	$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
	104	! push_heredoc ($$);
	105	}
	106	\| LESS_LESS_MINUS WORD
	107	***************
	108	* 541,545 **
	109	redir.filename = $2;
	110	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	111	! redir_stack[need_here_doc++] = $$;
	112	}
	113	\| NUMBER LESS_LESS_MINUS WORD
	114	--- 546,550 ----
	115	redir.filename = $2;
	116	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	117	! push_heredoc ($$);
	118	}
	119	\| NUMBER LESS_LESS_MINUS WORD
	120	***************
	121	* 548,552 **
	122	redir.filename = $3;
	123	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	124	! redir_stack[need_here_doc++] = $$;
	125	}
	126	\| REDIR_WORD LESS_LESS_MINUS WORD
	127	--- 553,557 ----
	128	redir.filename = $3;
	129	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	130	! push_heredoc ($$);
	131	}
	132	\| REDIR_WORD LESS_LESS_MINUS WORD
	133	***************
	134	* 555,559 **
	135	redir.filename = $3;
	136	$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
	137	! redir_stack[need_here_doc++] = $$;
	138	}
	139	\| LESS_LESS_LESS WORD
	140	--- 560,564 ----
	141	redir.filename = $3;
	142	$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
	143	! push_heredoc ($$);
	144	}
	145	\| LESS_LESS_LESS WORD
	146	***************
	147	* 2534,2537 **
	148	--- 2539,2557 ----
	149	static int esacs_needed_count;
	150
	151	+ static void
	152	+ push_heredoc (r)
	153	+ REDIRECT *r;
	154	+ {
	155	+ if (need_here_doc >= HEREDOC_MAX)
	156	+ {
	157	+ last_command_exit_value = EX_BADUSAGE;
	158	+ need_here_doc = 0;
	159	+ report_syntax_error (_("maximum here-document count exceeded"));
	160	+ reset_parser ();
	161	+ exit_shell (last_command_exit_value);
	162	+ }
	163	+ redir_stack[need_here_doc++] = r;
	164	+ }
	165	+
	166	void
	167	gather_here_documents ()