| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 09e695246d30ef9b73e743e0130e710e19793d14.
This isn't a Backport as indicated in patch and not all the changes in
this change are relevant to the CVE. Revert and wait for the fix
to be available upstream.
(From OE-Core rev: f39285bb82e68945a81034b84da09ca1078d6719)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
By default, if Bash is run with its effective UID not equal to its real UID,
it will drop privileges by setting its effective UID to its real UID.
However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
regains privileges. However, binaries running with an effective UID of 0 are unaffected.
Backport the CVE patche from https://github.com/bminor/bash/commit/
951bdaad7a18cc0dc1036bba86b18b90874d39ff to fix CVE-2019-18276
(From OE-Core rev: b348e31c93f08332667df65cd2ecec63631d184e)
Signed-off-by: Chet Ramey <chet.ramey@case.edu>
Signed-off-by: De Huo <De.Huo@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The execscript test in bash fails when run with ptest-runner calling
'su', with the error:
bash: cannot set terminal process group (16036): Inappropriate ioctl for device
Even with ptest-runner fixed to make a child process use the right
process group, 'su' still results in the warning above. Use 'setpriv'
instead. 'runuser' was considered and works but depends on pam so it's
ruled out.
Now that all bash tests are run as a user, the patch:
fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch
can be removed. Also to create the account 'bashtest' in the
'run-ptest' script the bash-ptest must depend on 'shadow'. Also,
in 'run-ptest', ensure that the bash ptests are owned by the 'bashtest' user.
Add 'sed' as a dependency for ptests since tests/exp8.sub runs:
var=$'x\001y\177z'
declare -p var | sed -n l
and that results in:
sed.busybox: ""
sed.sed: declare -- var="x\001y\177z"$
This appears to be a feature that busybox sed has not implemented.
With this series of changes, bash-ptest for qemux86-64 passes
79 of 81 tests. The remaining failures are:
1. run-read:
# cat tests/read6.sub
# test read with a timeout of 0 -- input polling
# sleep with fractional seconds argument is not universal
echo abcde | { sleep 0.25 2>/dev/null ; read -t 0; }
echo $?
read -t 0 < $0
echo $?
read -t 0
echo $? <-- returns 1, when 0 is expected.
I can reproduce this on my workstation but only when using ptest-runner
and initially logging into the console as root. That's a little odd and
seems like I need to continue to improve ptest-runner.
2. run-trap:
# cat tests/trap3.sub
PS4='+[$LINENO] '
trap 'echo trap: $LINENO' ERR
set -x
echo 1
echo 2
echo 3 | cat | false <--- error
echo 4
This is a scheduler behaviour difference between the common case
on a workstation and the common case in qemu. The test case does
warn about the completion order not being deterministic so I plan
to ignore it.
>From tests/run-trap:
UNIX versions number signals and schedule processes differently.
If output differing only in line numbers is produced, please
do not consider this a test failure.
Still, it's notable and slightly odd that the common case output
is different.
(From OE-Core rev: 81e3f01867cf114b728ab5a417c29426c9bf8122)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
new-exp ptest fails as it expects non-root user.
>From the failed ptest log:
< new-exp.tests: the test suite should not be run as root
628c627
< argv[1] = <host(2)[5.0]# >
---
> argv[1] = <host(2)[5.0]$ >
FAIL: run-new-exp
Many of the ptests declare that they should not be run as root
and a few fail since the expected result strings are for a
user shell.
When ptests are run as bash_user (non-root) the glob test
fails with error:
run-glob-test
59,60d58
< touch: cannot touch 'a?': Permission denied
< touch: cannot touch 'aa': Permission denied
So ensure that the bash/ptest/tests directory is owned by the
bash_user while the tests are being run and return it to root
owner afterwards.
(From OE-Core rev: c125609886b36048cfde6e694eee7fb47f197241)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Randy Macleod <randy.macleod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Rebase build-tests.patch and execute_cmd.patch to 5.0
- Drop 0001-help-fix-printf-format-security-warning.patch
and pathexp-dep.patch, upstream has fixed them in commit
[d233b48 bash-5.0 distribution sources and documentation]
(From OE-Core rev: db044235e72a1519a081c4f6541f7d7cfe70d49f)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
- Drop bash-memleak-bug-fix-for-builtin-command-read.patch which has
been accepted since 4.4.17
(From OE-Core rev: ec6da604012b54769db3371a8ed9ac0be4c9d0e6)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 33dadb98c10fdf04d9ed9b6ba57de6257873bcea)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Under musl bash uses its own libintl clone but there are some missing
dependencies so it is possible for pathexp.o to be built whilst libintl.h is
being written, leading to compile errors.
(From OE-Core rev: d58c20fd45f4808cbc1726ec5b46edb1c60b9cf8)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Built in command "read" with "-e" use Readline to obtain the line
in an interactive shell. In this process, a string "rlbuf" is
just allocated without free operation thus cause memory leak.
This patch had been submitted to upstream:
http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html
(From OE-Core rev: a2b278a6eaa9e9b48d858e3be6712267c0122598)
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Rebase patches:
- fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch
- test-output.patch
2. Drop backported patches:
- CVE-2016-9401.patch
- fix-run-intl.patch
3. Add ${PN}-loadable for loadable builtins which is new features in Bash 4.4
4. The 4.4 fixed CVE-2017-5932 and CVE-2016-0634
- https://security-tracker.debian.org/tracker/CVE-2017-5932
- https://security-tracker.debian.org/tracker/CVE-2016-0634
5. The 4.4 installed include header files, fix bash-dev confilicts
with lib32-bash-dev
.....
$ bitbake lib32-core-image-sato-sdk
...
|Error: Transaction check error: file /usr/include/bash/config.h
conflicts between attempted installs
|of lib32-bash-dev-4.4-r0.x86 and bash-dev-4.4-r0.core2_64
......
(From OE-Core rev: 4097694b13cd5f0d68987551c3f9af80c87dc6ae)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
popd in bash might allow local users to bypass the restricted shell
and cause a use-after-free via a crafted address.
Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/
bash44-006> to solve CVE-2016-9401.
(From OE-Core rev: 6987b317d5ce8dc50a37ebba395aa8424bec358c)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Filter the extra white space in intl.right
When the sub-test unicode2.sub of intl.tests executed, it produced
compact results without extra white space, compared to intl.right,
it failed.
So we need to filter the extra white space in intl.right.
Import this patch for intl.right from bash devel branch:
http://git.savannah.gnu.org/cgit/bash.git/log/?h=devel
Commit is:
85ec0778f9d778e1820fb8c0e3e996f2d1103b45
2. Change intl.right correspond to the unicode3.sub's output
In sub-test unicode3.sub of intl.tests have this:
printf %q "$payload"
The payload variable was assigned by ASCII characters, when using
'%q' format strings, it means print the associated argument shell-quoted.
When the strings contain the non-alpha && non-digit && non-punctuation &&
non-ISO 646 character(7-bit), it would output like this: " $'...', ANSI-C
style quoted string. We can check the bash source code at:
http://git.savannah.gnu.org/cgit/bash.git/tree/builtins/printf.def#n557
http://git.savannah.gnu.org/cgit/bash.git/tree/lib/sh/strtrans.c#n331
So we need to change the intl.right contain the correct output of unicode3.sub.
Import parts of this patch for intl.right from bash devel branch:
http://git.savannah.gnu.org/cgit/bash.git/log/?h=devel
Commit is:
74b8cbb41398b4453d8ba04d0cdd1b25f9dcb9e3
3. Add the sanity check for locales
When run the intl.tests, we need the following locales:
en_US & fr_FR & de_DE
So add the locales check for the intl.tests in run-ptest.
(From OE-Core rev: 640676226bb351420a0a8b2d2a3c120ae42da11e)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
| |
(From OE-Core rev: 45bc8a2c4bbe252526d5eee2547f8b9e06165e5a)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. redirect the stderr output of the command exec with -l option to
/dev/null.
Because when we run command exec with -l option in builtins.tests,
it is a login shell, so it would read the file /etc/profile, that
file executes the /usr/bin/resize which added by commit:
cc6360f4c4d97e0000f9d3545f381224ee99ce7d
The /usr/bin/resize is produced by busybox that source code resize.c
contains:
fprintf(stderr, ESC"7" ESC"[r" ESC"[999;999H" ESC"[6n");
In the end, it outputs an escape sequence to the stderr, so when we
compare the test output file /tmp/xx with builtins.right, it failed.
we need to redirect the stderr output to the /dev/null to solve the
problem.
2. ensure the target system contains the locales "en_US.UTF-8".
Because when run the run-builtins, it executes the source5.sub file
that contain:
LC_ALL=en_US.UTF-8
such as add the following to the local.conf:
IMAGE_LINGUAS_append = " en-us"
(From OE-Core rev: 5f82f3df7d4a7d6ae9a1ea3b6bc1d620a3d6c329)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add user 'test' to fix the failure of 'the test suite should not
be run as root'(run-execscript and run-test)
Backport test case from git://git.sv.gnu.org/bash.git to fix run-execscript
and run-heredoc
Still failed cases:
FAIL: run-intl
FAIL: run-lastpipe
FAIL: run-trap
YOCTO: 5698
(From OE-Core rev: 1096140cb1d2532ecb38ac5fbbbe13d40fdaf6af)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If srcdir is not set, we get below error while running ptest for bash
on qemu target,
-- snip --
root@qemux86:/usr/lib/bash/ptest# ./run-ptest
/bin/sh: line 0: cd: /home/ajay/Downloads/poky-fido-13.0.0/build/tmp/work/i586-poky-linux/bash/4.3-r1/bash-4.3/tests: No such file or directory
Makefile:879: recipe for target 'runtest' failed
make: *** [runtest] Error 1
root@qemux86:/usr/lib/bash/ptest# vi run-ptest
root@qemux86:/usr/lib/bash/ptest#
-- CUT --
So, set srcdir to current directory, where tests binaries exist.
[YOCTO #8145]
(From OE-Core rev: 00d94314679eb4345b5012389aa6252abe871a76)
Signed-off-by: Ajay M <ajay.gju@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We upgrade bash_4.3 to patch revision 29, and bash_3.2.48 to 56.
There are numerous community bug fixes included with this set, but the key
items are:
bash32-052 CVE-2014-6271 9/24/2014
bash32-053 CVE-2014-7169 9/26/2014
bash32-054 exported function namespace change 9/27/2014
bash32-055 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash32-056 CVE-2014-6277 10/2/2014
bash43-025 CVE-2014-6271 9/24/2014
bash43-026 CVE-2014-7169 9/26/2014
bash43-027 exported function namespace change 9/27/2014
bash43-028 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash43-029 CVE-2014-6277 10/2/2014
(From OE-Core rev: 43deeff0c6b0ea7729d3e5f1887dfd1647dea1da)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 3c234df240a11903ef3588a2c078dcbce4ca1719)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
The bash-4.2-patches is obsolete.
(From OE-Core rev: 31eb09a888729fcfd17d02f2a47375e10e87f79a)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
