path: root/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
blob: 71c033e9a46c5c75ce26a8c976bed78895ff8fb0 (plain)
Bash-Release:	4.3
Patch-ID:	bash43-047

Bug-Reported-by:	Bernd Dietzel
Bug-Reference-ID:
Bug-Reference-URL:	https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Bug-Description:

Bash performs word expansions on the prompt strings after the special
escape sequences are expanded.  If a malicious user can modify the system
hostname or change the name of the bash executable and coerce a user into
executing it, and the new name contains word expansions (including
command substitution), bash will expand them in prompt strings containing
the \h or \H and \s escape sequences, respectively.

Patch (apply with `patch -p0')

CVE:  CVE-2016-0634
Upstream-Status: Backport
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>

*** ../bash-4.3-patched/parse.y	2015-08-13 15:11:54.000000000 -0400
--- parse.y	2016-03-07 15:44:14.000000000 -0500
***************
*** 5259,5263 ****
    int result_size, result_index;
    int c, n, i;
!   char *temp, octal_string[4];
    struct tm *tm;  
    time_t the_time;
--- 5259,5263 ----
    int result_size, result_index;
    int c, n, i;
!   char *temp, *t_host, octal_string[4];
    struct tm *tm;  
    time_t the_time;
***************
*** 5407,5411 ****
  	    case 's':
  	      temp = base_pathname (shell_name);
! 	      temp = savestring (temp);
  	      goto add_string;
  
--- 5407,5415 ----
  	    case 's':
  	      temp = base_pathname (shell_name);
! 	      /* Try to quote anything the user can set in the file system */
! 	      if (promptvars || posixly_correct)
! 		temp = sh_backslash_quote_for_double_quotes (temp);
! 	      else
! 		temp = savestring (temp);
  	      goto add_string;
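Review bot: The comment added above the new `if` in the `\s` case does not say why the quoting is needed, and "anything the user can set in the file system" is vague for a security fix. I would spell the reason out, for example `/* shell_name derives from the executable's name, which may be attacker-chosen; quote it so the later prompt word expansion cannot act on expansions embedded in it */`. The same `promptvars || posixly_correct` test and quote-or-copy choice is repeated in the `h`/`H` hunk further down, so a small static helper would keep the two cases from drifting apart. The enclosing function starts and ends outside this hunk.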
  
***************
*** 5497,5503 ****
  	    case 'h':
  	    case 'H':
! 	      temp = savestring (current_host_name);
! 	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
  		*t = '\0';
  	      goto add_string;
  
--- 5501,5515 ----
  	    case 'h':
  	    case 'H':
! 	      t_host = savestring (current_host_name);
! 	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
  		*t = '\0';
+ 	      if (promptvars || posixly_correct)
+ 		/* Make sure that expand_prompt_string is called with a
+ 		   second argument of Q_DOUBLE_QUOTES if we use this
+ 		   function here. */
+ 		temp = sh_backslash_quote_for_double_quotes (t_host);
+ 	      else
+ 		temp = savestring (t_host);
+ 	      free (t_host);
  	      goto add_string;
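Review bot: The escaping added for `\h`/`\H` protects the prompt only if the later expansion treats the string as double-quoted, and this hunk records that requirement solely in a comment; the `expand_prompt_string` call it refers to is not part of the patch, so that call site should be checked in the tree this backport is applied to. The comment also sits between the unbraced `if` and its single statement, which makes the `else` pairing easy to misread; I would move it above the `if` and brace both branches, `if (promptvars || posixly_correct) { temp = sh_backslash_quote_for_double_quotes (t_host); } else { temp = savestring (t_host); }`. The y.tab.c hunks repeat this code, presumably as generated output of parse.y, so the same applies there. The enclosing function starts and ends outside the hunk.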
  
*** ../bash-4.3-patched/y.tab.c	2015-08-13 15:11:54.000000000 -0400
--- y.tab.c	2016-03-07 15:44:14.000000000 -0500
***************
*** 7571,7575 ****
    int result_size, result_index;
    int c, n, i;
!   char *temp, octal_string[4];
    struct tm *tm;  
    time_t the_time;
--- 7571,7575 ----
    int result_size, result_index;
    int c, n, i;
!   char *temp, *t_host, octal_string[4];
    struct tm *tm;  
    time_t the_time;
***************
*** 7719,7723 ****
  	    case 's':
  	      temp = base_pathname (shell_name);
! 	      temp = savestring (temp);
  	      goto add_string;
  
--- 7719,7727 ----
  	    case 's':
  	      temp = base_pathname (shell_name);
! 	      /* Try to quote anything the user can set in the file system */
! 	      if (promptvars || posixly_correct)
! 		temp = sh_backslash_quote_for_double_quotes (temp);
! 	      else
! 		temp = savestring (temp);
  	      goto add_string;
  
***************
*** 7809,7815 ****
  	    case 'h':
  	    case 'H':
! 	      temp = savestring (current_host_name);
! 	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
  		*t = '\0';
  	      goto add_string;
  
--- 7813,7827 ----
  	    case 'h':
  	    case 'H':
! 	      t_host = savestring (current_host_name);
! 	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
  		*t = '\0';
+ 	      if (promptvars || posixly_correct)
+ 		/* Make sure that expand_prompt_string is called with a
+ 		   second argument of Q_DOUBLE_QUOTES if we use this
+ 		   function here. */
+ 		temp = sh_backslash_quote_for_double_quotes (t_host);
+ 	      else
+ 		temp = savestring (t_host);
+ 	      free (t_host);
  	      goto add_string;