bash: Security fix CVE-2016-0634

References to upstream patch: https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047 http://openwall.com/lists/oss-security/2016/09/16/8 (From OE-Core rev: 24455c63494b7030b8a337f0dad98687d15d9ce6) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-10-10 13:54:35 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-08 23:47:13 +0000
commit: 57531002b8be23ba24ecd53076cd337efa9accbb (patch)
tree: d49b35b9d3b27e2218312aaaa37244be1e62954c /meta
parent: c4061a0a689fd3f4e3fb5d5dd6357dc542973d45 (diff)
download: poky-57531002b8be23ba24ecd53076cd337efa9accbb.tar.gz
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
new file mode 100644
index 0000000000..71c033e9a4
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
@@ -0,0 +1,136 @@
+Bash-Release:   4.3
+Patch-ID:       bash43-047
+Bug-Reported-by:        Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL:      https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+Bug-Description:
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded.  If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+Patch (apply with `patch -p0')
+CVE:  CVE-2016-0634
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400
+--- parse.y     2016-03-07 15:44:14.000000000 -0500
+***************
+*** 5259,5263 ****
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+--- 5259,5263 ----
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+***************
+*** 5407,5411 ****
+            case 's':
+              temp = base_pathname (shell_name);
+!             temp = savestring (temp);
+              goto add_string;
+  
+--- 5407,5415 ----
+            case 's':
+              temp = base_pathname (shell_name);
+!             /* Try to quote anything the user can set in the file system */
+!             if (promptvars || posixly_correct)
+!               temp = sh_backslash_quote_for_double_quotes (temp);
+!             else
+!               temp = savestring (temp);
+              goto add_string;
+  
+***************
+*** 5497,5503 ****
+            case 'h':
+            case 'H':
+!             temp = savestring (current_host_name);
+!             if (c == 'h' && (t = (char *)strchr (temp, '.')))
+                *t = '\0';
+              goto add_string;
+  
+--- 5501,5515 ----
+            case 'h':
+            case 'H':
+!             t_host = savestring (current_host_name);
+!             if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+                *t = '\0';
+             if (promptvars || posixly_correct)
+               /* Make sure that expand_prompt_string is called with a
+                  second argument of Q_DOUBLE_QUOTES if we use this
+                  function here. */
+               temp = sh_backslash_quote_for_double_quotes (t_host);
+             else
+               temp = savestring (t_host);
+             free (t_host);
+              goto add_string;
+  
+*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400
+--- y.tab.c     2016-03-07 15:44:14.000000000 -0500
+***************
+*** 7571,7575 ****
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+--- 7571,7575 ----
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+***************
+*** 7719,7723 ****
+            case 's':
+              temp = base_pathname (shell_name);
+!             temp = savestring (temp);
+              goto add_string;
+  
+--- 7719,7727 ----
+            case 's':
+              temp = base_pathname (shell_name);
+!             /* Try to quote anything the user can set in the file system */
+!             if (promptvars || posixly_correct)
+!               temp = sh_backslash_quote_for_double_quotes (temp);
+!             else
+!               temp = savestring (temp);
+              goto add_string;
+  
+***************
+*** 7809,7815 ****
+            case 'h':
+            case 'H':
+!             temp = savestring (current_host_name);
+!             if (c == 'h' && (t = (char *)strchr (temp, '.')))
+                *t = '\0';
+              goto add_string;
+  
+--- 7813,7827 ----
+            case 'h':
+            case 'H':
+!             t_host = savestring (current_host_name);
+!             if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+                *t = '\0';
+             if (promptvars || posixly_correct)
+               /* Make sure that expand_prompt_string is called with a
+                  second argument of Q_DOUBLE_QUOTES if we use this
+                  function here. */
+               temp = sh_backslash_quote_for_double_quotes (t_host);
+             else
+               temp = savestring (t_host);
+             free (t_host);
+              goto add_string;
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index 95ed3925c7..fcd6cafd7a 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
           file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \
           file://run-ptest \
           file://fix-run-builtins.patch \
+           file://CVE-2016-0634.patch;striplevel=0 \
           "
 SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-10-10 13:54:35 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-08 23:47:13 +0000
commit	57531002b8be23ba24ecd53076cd337efa9accbb (patch)
tree	d49b35b9d3b27e2218312aaaa37244be1e62954c /meta
parent	c4061a0a689fd3f4e3fb5d5dd6357dc542973d45 (diff)
download	poky-57531002b8be23ba24ecd53076cd337efa9accbb.tar.gz

diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch new file mode 100644 index 0000000000..71c033e9a4 --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
@@ -0,0 +1,136 @@
		1	Bash-Release: 4.3
		2	Patch-ID: bash43-047
		3
		4	Bug-Reported-by: Bernd Dietzel
		5	Bug-Reference-ID:
		6	Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
		7
		8	Bug-Description:
		9
		10	Bash performs word expansions on the prompt strings after the special
		11	escape sequences are expanded. If a malicious user can modify the system
		12	hostname or change the name of the bash executable and coerce a user into
		13	executing it, and the new name contains word expansions (including
		14	command substitution), bash will expand them in prompt strings containing
		15	the \h or \H and \s escape sequences, respectively.
		16
		17	Patch (apply with `patch -p0')
		18
		19	CVE: CVE-2016-0634
		20	Upstream-Status: Backport
		21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		22
		23	*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400
		24	--- parse.y 2016-03-07 15:44:14.000000000 -0500
		25	***************
		26	* 5259,5263 **
		27	int result_size, result_index;
		28	int c, n, i;
		29	! char *temp, octal_string[4];
		30	struct tm *tm;
		31	time_t the_time;
		32	--- 5259,5263 ----
		33	int result_size, result_index;
		34	int c, n, i;
		35	! char temp, t_host, octal_string[4];
		36	struct tm *tm;
		37	time_t the_time;
		38	***************
		39	* 5407,5411 **
		40	case 's':
		41	temp = base_pathname (shell_name);
		42	! temp = savestring (temp);
		43	goto add_string;
		44
		45	--- 5407,5415 ----
		46	case 's':
		47	temp = base_pathname (shell_name);
		48	! /* Try to quote anything the user can set in the file system */
		49	! if (promptvars \|\| posixly_correct)
		50	! temp = sh_backslash_quote_for_double_quotes (temp);
		51	! else
		52	! temp = savestring (temp);
		53	goto add_string;
		54
		55	***************
		56	* 5497,5503 **
		57	case 'h':
		58	case 'H':
		59	! temp = savestring (current_host_name);
		60	! if (c == 'h' && (t = (char *)strchr (temp, '.')))
		61	*t = '\0';
		62	goto add_string;
		63
		64	--- 5501,5515 ----
		65	case 'h':
		66	case 'H':
		67	! t_host = savestring (current_host_name);
		68	! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
		69	*t = '\0';
		70	+ if (promptvars \|\| posixly_correct)
		71	+ /* Make sure that expand_prompt_string is called with a
		72	+ second argument of Q_DOUBLE_QUOTES if we use this
		73	+ function here. */
		74	+ temp = sh_backslash_quote_for_double_quotes (t_host);
		75	+ else
		76	+ temp = savestring (t_host);
		77	+ free (t_host);
		78	goto add_string;
		79
		80	*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400
		81	--- y.tab.c 2016-03-07 15:44:14.000000000 -0500
		82	***************
		83	* 7571,7575 **
		84	int result_size, result_index;
		85	int c, n, i;
		86	! char *temp, octal_string[4];
		87	struct tm *tm;
		88	time_t the_time;
		89	--- 7571,7575 ----
		90	int result_size, result_index;
		91	int c, n, i;
		92	! char temp, t_host, octal_string[4];
		93	struct tm *tm;
		94	time_t the_time;
		95	***************
		96	* 7719,7723 **
		97	case 's':
		98	temp = base_pathname (shell_name);
		99	! temp = savestring (temp);
		100	goto add_string;
		101
		102	--- 7719,7727 ----
		103	case 's':
		104	temp = base_pathname (shell_name);
		105	! /* Try to quote anything the user can set in the file system */
		106	! if (promptvars \|\| posixly_correct)
		107	! temp = sh_backslash_quote_for_double_quotes (temp);
		108	! else
		109	! temp = savestring (temp);
		110	goto add_string;
		111
		112	***************
		113	* 7809,7815 **
		114	case 'h':
		115	case 'H':
		116	! temp = savestring (current_host_name);
		117	! if (c == 'h' && (t = (char *)strchr (temp, '.')))
		118	*t = '\0';
		119	goto add_string;
		120
		121	--- 7813,7827 ----
		122	case 'h':
		123	case 'H':
		124	! t_host = savestring (current_host_name);
		125	! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
		126	*t = '\0';
		127	+ if (promptvars \|\| posixly_correct)
		128	+ /* Make sure that expand_prompt_string is called with a
		129	+ second argument of Q_DOUBLE_QUOTES if we use this
		130	+ function here. */
		131	+ temp = sh_backslash_quote_for_double_quotes (t_host);
		132	+ else
		133	+ temp = savestring (t_host);
		134	+ free (t_host);
		135	goto add_string;
		136


diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index 95ed3925c7..fcd6cafd7a 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
21	file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \	21	file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \
22	file://run-ptest \	22	file://run-ptest \
23	file://fix-run-builtins.patch \	23	file://fix-run-builtins.patch \
		24	file://CVE-2016-0634.patch;striplevel=0 \
24	"	25	"
25		26
26	SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"	27	SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"