Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch | 44 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash/cve-2014-6277.patch | 44 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_3.2.48.bb | 1 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.3.bb | 1 |
4 files changed, 90 insertions, 0 deletions
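--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+BASH PATCH REPORT
+=================
+
+Bash-Release: 3.2
+Patch-ID: bash32-056
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
++++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
+@@ -677,4 +677,5 @@
+temp->redirector = source;
+temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+temp->instruction = instruction;
+temp->flags = 0;
+--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
++++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
+@@ -117,5 +117,5 @@
+case r_reading_until:
+case r_deblank_reading_until:
+- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
++ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+/*FALLTHROUGH*/
+case r_reading_string: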
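Review bot: With the copy_cmd.c change a NULL `here_doc_eof` becomes a legal value on a copied redirect (`redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0`), but only the copy path is guarded here; any other reader of that field in the 3.2 tree, presumably the code that prints or frees a redirect, lies outside both hunks and should be confirmed to accept NULL. The same applies to the identical hunks in bash/cve-2014-6277.patch for 4.3. Since both recipes already ship `run-ptest`, a regression case covering the condition in the Bug-Description would show that the backport took effect on each version. Both enclosing functions start and end outside the hunks shown.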
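--- /dev/null
+++ b/meta/recipes-extended/bash/bash/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+BASH PATCH REPORT
+=================
+
+Bash-Release: 4.3
+Patch-ID: bash43-029
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
++++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400
+@@ -693,4 +693,5 @@
+temp->redirector = source;
+temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+temp->instruction = instruction;
+temp->flags = 0;
+--- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
++++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
+@@ -127,5 +127,5 @@
+case r_reading_until:
+case r_deblank_reading_until:
+- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
++ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+/*FALLTHROUGH*/
+case r_reading_string: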
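Review bot: The header gives the origin as `ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029`, a plaintext FTP location, and says nothing about how the downloaded content was verified. For a security backport the header should record that the file was checked against upstream's detached signature (published next to the patch files, as far as I know) or give a checksum, for example a line such as `Verified against the upstream .sig for bash43-029`. The same holds for the bash32-056 copy under bash-3.2.48/. A smaller point in both headers: `Upstream-status: backport` would be better spelled `Upstream-Status: Backport`, the form the OpenEmbedded patch guidelines use, so that tooling which searches for the tag finds it.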
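--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
 file://cve-2014-7169.patch \
 file://Fix-for-bash-exported-function-namespace-change.patch \
 file://cve-2014-7186_cve-2014-7187.patch \
+file://cve-2014-6277.patch \
 file://run-ptest \
 "
 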
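Review bot: `file://cve-2014-6277.patch` now names two different files, bash-3.2.48/cve-2014-6277.patch and bash/cve-2014-6277.patch, and which one a recipe picks up depends on the file search order (the version-specific directory before the plain `bash/` one, if the default FILESPATH is in effect). If the 3.2.48 copy were ever dropped or renamed, this recipe would presumably fall back to the 4.3 patch, whose hunks differ only in offsets (`@@ -693,4` against `@@ -677,4`) and could apply with fuzz instead of failing. A comment above the SRC_URI assignment, which starts outside this hunk, such as `# cve-2014-6277.patch is taken from bash-3.2.48/, not bash/ (same name, different upstream patch)`, would make the dependency explicit. The same applies to the entry added in bash_4.3.bb.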
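--- a/meta/recipes-extended/bash/bash_4.3.bb
+++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -13,6 +13,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
 file://cve-2014-7169.patch \
 file://Fix-for-bash-exported-function-namespace-change.patch \
 file://cve-2014-7186_cve-2014-7187.patch \
+file://cve-2014-6277.patch \
 file://run-ptest \
 "
 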