From bda51ee7821de9120f6f536fcabe592f2a0c8a37 Mon Sep 17 00:00:00 2001 From: Catalin Popeanga Date: Thu, 9 Oct 2014 14:25:15 +0200 Subject: bash: Fix-for-CVE-2014-6278 This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) Signed-off-by: Catalin Popeanga Signed-off-by: Richard Purdie --- .../bash/bash-3.2.48/cve-2014-6278.patch | 99 ++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch (limited to 'meta/recipes-extended/bash/bash-3.2.48') diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch new file mode 100644 index 0000000000..e51ce05bb5 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch @@ -0,0 +1,99 @@ +bash: Fix CVE-2014-6278 (shellshock) + +Upstream-status: backport + +Downloaded from: +ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057 + +Author: Chet Ramey +Signed-off-by: Catalin Popeanga + + BASH PATCH REPORT + ================= + +Bash-Release: 3.2 +Patch-ID: bash32-057 + +Bug-Reported-by: Michal Zalewski +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +A combination of nested command substitutions and function importing from +the environment can cause bash to execute code appearing in the environment +variable value following the function definition. + +--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 ++++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400 +@@ -44,4 +44,5 @@ + #include "../redir.h" + #include "../trap.h" ++#include "../bashintl.h" + + #if defined (HISTORY) +@@ -235,10 +236,23 @@ + struct fd_bitmap *bitmap; + +- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ if (flags & SEVAL_FUNCDEF) + { +- internal_warning ("%s: ignoring function definition attempt", from_file); +- should_jump_to_top_level = 0; +- last_result = last_command_exit_value = EX_BADUSAGE; +- break; ++ char *x; ++ ++ /* If the command parses to something other than a straight ++ function definition, or if we have not consumed the entire ++ string, or if the parser has transformed the function ++ name (as parsing will if it begins or ends with shell ++ whitespace, for example), reject the attempt */ ++ if (command->type != cm_function_def || ++ ((x = parser_remaining_input ()) && *x) || ++ (STREQ (from_file, command->value.Function_def->name->word) == 0)) ++ { ++ internal_warning (_("%s: ignoring function definition attempt"), from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ reset_parser (); ++ break; ++ } + } + +@@ -302,5 +316,8 @@ + + if (flags & SEVAL_ONECMD) +- break; ++ { ++ reset_parser (); ++ break; ++ } + } + } +--- a/parse.y 2014-09-30 19:43:22.000000000 -0400 ++++ b/parse.y 2014-10-04 15:58:35.000000000 -0400 +@@ -2125,4 +2125,14 @@ + } + ++char * ++parser_remaining_input () ++{ ++ if (shell_input_line == 0) ++ return 0; ++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) ++ return '\0'; /* XXX */ ++ return (shell_input_line + shell_input_line_index); ++} ++ + #ifdef INCLUDE_UNUSED + /* Back the input pointer up by one, effectively `ungetting' a character. */ +--- a/shell.h 2008-04-28 22:00:24.000000000 -0400 ++++ b/shell.h 2014-10-04 15:58:35.000000000 -0400 +@@ -161,4 +161,6 @@ + + /* Let's try declaring these here. */ ++extern char *parser_remaining_input __P((void)); ++ + extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); + extern void restore_parser_state __P((sh_parser_state_t *)); -- cgit v1.2.3-54-g00ecf