From 7a9908432f6a5ffea73bbf16cef6eb9931f7d4e3 Mon Sep 17 00:00:00 2001 From: Catalin Popeanga Date: Thu, 9 Oct 2014 14:24:29 +0200 Subject: bash: Fix for CVE-2014-7186 and CVE-2014-7187 This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 (From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1) (From OE-Core rev: 32818a104ae99a5795d91a2960d48d433d542dee) Signed-off-by: Sona Sarmadi Signed-off-by: Paul Eggleton Signed-off-by: Richard Purdie
---
.../bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | 99 ++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch (limited to 'meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch')
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000000..dcb8ea44c5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey
+Signed-off-by: Sona Sarmadi
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents ()
-- 
cgit v1.2.3-54-g00ecf
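Review bot: The CVE-2014-7187 half of this fix only widens `word_lineno` to `MAX_CASE_NEST+1` entries in the `@@ -280,5 +285,5 @@` hunk; no hunk adds or changes a bounds test on `word_top`. It is therefore correct only if every store through `word_lineno[word_top]` in bash-3.2.48's parse.y is already capped at `MAX_CASE_NEST`, which these hunks do not show and should be checked against the unpacked source. `push_heredoc` also has no comment stating its contract; something like `/* Save here-document redirection R on redir_stack; more than HEREDOC_MAX pending here-documents is a syntax error and exits the shell with EX_BADUSAGE. */` would record that the overflow path terminates the shell rather than returning. This view is limited to the new .patch file, so confirm separately that the recipe's SRC_URI lists it, since otherwise the fix is never applied at build time.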