bash: fix CVE-2014-6271

CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) (From OE-Core rev: d57b9ce8bb97f88c329da973c3567d04d8eb07d2) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2014-10-02 11:31:54 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-16 16:05:55 +0200
commit: c78877b07e137f467e7feb18e15fa06400f30881 (patch)
tree: b2fe17d290ef94f4cbcd354e8680ac52c3b88277 /meta
parent: 02037d7daa1a24aecccc527a1ee6e78e1ed7c9dd (diff)
download: poky-c78877b07e137f467e7feb18e15fa06400f30881.tar.gz
4 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
new file mode 100644
index 0000000000..7226ffb665
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
+Fix CVE-2014-6271, aka ShellShock.
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+*** ../bash-3.2.51/builtins/common.h    2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h   2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  #define CDESC_ALL             0x001   /* type -a */
+  #define CDESC_SHORTDESC               0x002   /* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c        2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c       2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-3.2.51/variables.c  2008-11-15 17:15:06.000000000 -0500
+--- variables.c 2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 319,326 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+          else
+            report_error (_("error importing function definition for `%s'"), name);
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 331,334 ----
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
new file mode 100644
index 0000000000..20530adf6c
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
@@ -0,0 +1,95 @@
+Fix CVE-2014-6271, aka ShellShock.  This is the upstream 4.2 patchlevel 48, minus the hunk to
+set the patch level.
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.2
+Patch-ID:       bash42-048
+Bug-Reported-by:        Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+Patch (apply with `patch -p0'):
+*** ../bash-4.2.47/builtins/common.h    2010-05-30 18:31:51.000000000 -0400
+--- builtins/common.h   2014-09-16 19:35:45.000000000 -0400
+***************
+*** 36,39 ****
+--- 36,41 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  #define CDESC_ALL             0x001   /* type -a */
+  #define CDESC_SHORTDESC               0x002   /* command -V */
+*** ../bash-4.2.47/builtins/evalstring.c        2010-11-23 08:22:15.000000000 -0500
+--- builtins/evalstring.c       2014-09-16 19:35:45.000000000 -0400
+***************
+*** 262,265 ****
+--- 262,273 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 322,325 ****
+--- 330,336 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-4.2.47/variables.c  2011-03-01 16:15:20.000000000 -0500
+--- variables.c 2014-09-16 19:35:45.000000000 -0400
+***************
+*** 348,357 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 348,355 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 362,369 ****
+          else
+            report_error (_("error importing function definition for `%s'"), name);
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 360,363 ----
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 4e6f0f3ea1..cbe1ee6623 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \
           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \
           file://mkbuiltins_have_stringize.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
          "
 SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index fefe7b799d..83294b040a 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           ${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \
           file://execute_cmd.patch;striplevel=0 \
           file://mkbuiltins_have_stringize.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
           file://build-tests.patch \
           file://test-output.patch \
           file://run-ptest \
author	Ross Burton <ross.burton@intel.com>	2014-10-02 11:31:54 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-16 16:05:55 +0200
commit	c78877b07e137f467e7feb18e15fa06400f30881 (patch)
tree	b2fe17d290ef94f4cbcd354e8680ac52c3b88277 /meta
parent	02037d7daa1a24aecccc527a1ee6e78e1ed7c9dd (diff)
download	poky-c78877b07e137f467e7feb18e15fa06400f30881.tar.gz

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
		1	Fix CVE-2014-6271, aka ShellShock.
		2
		3	Upstream-Status: Backport
		4	Signed-off-by: Ross Burton <ross.burton@intel.com>
		5
		6	*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
		7	--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
		8	***************
		9	* 34,37 **
		10	--- 34,39 ----
		11
		12	/* Flags for describe_command, shared between type.def and command.def */
		13	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
		14	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
		15	#define CDESC_ALL 0x001 /* type -a */
		16	#define CDESC_SHORTDESC 0x002 /* command -V */
		17	*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500
		18	--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
		19	***************
		20	* 235,238 **
		21	--- 235,246 ----
		22	struct fd_bitmap *bitmap;
		23
		24	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		25	+ {
		26	+ internal_warning ("%s: ignoring function definition attempt", from_file);
		27	+ should_jump_to_top_level = 0;
		28	+ last_result = last_command_exit_value = EX_BADUSAGE;
		29	+ break;
		30	+ }
		31	+
		32	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
		33	begin_unwind_frame ("pe_dispose");
		34	***************
		35	* 292,295 **
		36	--- 300,306 ----
		37	dispose_fd_bitmap (bitmap);
		38	discard_unwind_frame ("pe_dispose");
		39	+
		40	+ if (flags & SEVAL_ONECMD)
		41	+ break;
		42	}
		43	}
		44	*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
		45	--- variables.c 2014-09-16 19:10:39.000000000 -0400
		46	***************
		47	* 319,328 **
		48	strcpy (temp_string + char_index + 1, string);
		49
		50	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
		51	!
		52	! /* Ancient backwards compatibility. Old versions of bash exported
		53	! functions like name()=() {...} */
		54	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
		55	! name[char_index - 2] = '\0';
		56
		57	if (temp_var = find_function (name))
		58	--- 319,326 ----
		59	strcpy (temp_string + char_index + 1, string);
		60
		61	! /* Don't import function names that are invalid identifiers from the
		62	! environment. */
		63	! if (legal_identifier (name))
		64	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
		65
		66	if (temp_var = find_function (name))
		67	***************
		68	* 333,340 **
		69	else
		70	report_error (_("error importing function definition for `%s'"), name);
		71	-
		72	- /* ( */
		73	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
		74	- name[char_index - 2] = '('; /* ) */
		75	}
		76	#if defined (ARRAY_VARS)
		77	--- 331,334 ----


diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch new file mode 100644 index 0000000000..20530adf6c --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
@@ -0,0 +1,95 @@
		1	Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.2 patchlevel 48, minus the hunk to
		2	set the patch level.
		3
		4	Upstream-Status: Backport
		5	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		6
		7	BASH PATCH REPORT
		8	=================
		9
		10	Bash-Release: 4.2
		11	Patch-ID: bash42-048
		12
		13	Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
		14	Bug-Reference-ID:
		15	Bug-Reference-URL:
		16
		17	Bug-Description:
		18
		19	Under certain circumstances, bash will execute user code while processing the
		20	environment for exported function definitions.
		21
		22	Patch (apply with `patch -p0'):
		23
		24	*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400
		25	--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400
		26	***************
		27	* 36,39 **
		28	--- 36,41 ----
		29
		30	/* Flags for describe_command, shared between type.def and command.def */
		31	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
		32	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
		33	#define CDESC_ALL 0x001 /* type -a */
		34	#define CDESC_SHORTDESC 0x002 /* command -V */
		35	*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500
		36	--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
		37	***************
		38	* 262,265 **
		39	--- 262,273 ----
		40	struct fd_bitmap *bitmap;
		41
		42	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		43	+ {
		44	+ internal_warning ("%s: ignoring function definition attempt", from_file);
		45	+ should_jump_to_top_level = 0;
		46	+ last_result = last_command_exit_value = EX_BADUSAGE;
		47	+ break;
		48	+ }
		49	+
		50	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
		51	begin_unwind_frame ("pe_dispose");
		52	***************
		53	* 322,325 **
		54	--- 330,336 ----
		55	dispose_fd_bitmap (bitmap);
		56	discard_unwind_frame ("pe_dispose");
		57	+
		58	+ if (flags & SEVAL_ONECMD)
		59	+ break;
		60	}
		61	}
		62	*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500
		63	--- variables.c 2014-09-16 19:35:45.000000000 -0400
		64	***************
		65	* 348,357 **
		66	strcpy (temp_string + char_index + 1, string);
		67
		68	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
		69	!
		70	! /* Ancient backwards compatibility. Old versions of bash exported
		71	! functions like name()=() {...} */
		72	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
		73	! name[char_index - 2] = '\0';
		74
		75	if (temp_var = find_function (name))
		76	--- 348,355 ----
		77	strcpy (temp_string + char_index + 1, string);
		78
		79	! /* Don't import function names that are invalid identifiers from the
		80	! environment. */
		81	! if (legal_identifier (name))
		82	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
		83
		84	if (temp_var = find_function (name))
		85	***************
		86	* 362,369 **
		87	else
		88	report_error (_("error importing function definition for `%s'"), name);
		89	-
		90	- /* ( */
		91	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
		92	- name[char_index - 2] = '('; /* ) */
		93	}
		94	#if defined (ARRAY_VARS)
		95	--- 360,363 ----


diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 4e6f0f3ea1..cbe1ee6623 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
10	${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \	10	${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \
11	${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \	11	${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \
12	file://mkbuiltins_have_stringize.patch \	12	file://mkbuiltins_have_stringize.patch \
		13	file://cve-2014-6271.patch;striplevel=0 \
13	"	14	"
14		15
15	SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"	16	SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"


diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index fefe7b799d..83294b040a 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
19	${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \	19	${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \
20	file://execute_cmd.patch;striplevel=0 \	20	file://execute_cmd.patch;striplevel=0 \
21	file://mkbuiltins_have_stringize.patch \	21	file://mkbuiltins_have_stringize.patch \
		22	file://cve-2014-6271.patch;striplevel=0 \
22	file://build-tests.patch \	23	file://build-tests.patch \
23	file://test-output.patch \	24	file://test-output.patch \
24	file://run-ptest \	25	file://run-ptest \