2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
new file mode 100644
index 0000000000..20530adf6c
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
@@ -0,0 +1,95 @@
+Fix CVE-2014-6271, aka ShellShock.  This is the upstream 4.2 patchlevel 48, minus the hunk to
+set the patch level.
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+                             BASH PATCH REPORT
+                             =================
+Bash-Release:   4.2
+Patch-ID:       bash42-048
+Bug-Reported-by:        Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+Bug-Description:
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+Patch (apply with `patch -p0'):
+*** ../bash-4.2.47/builtins/common.h    2010-05-30 18:31:51.000000000 -0400
+--- builtins/common.h   2014-09-16 19:35:45.000000000 -0400
+***************
+*** 36,39 ****
+--- 36,41 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
+ #define SEVAL_ONECMD  0x100           /* only allow a single command */
+  #define CDESC_ALL             0x001   /* type -a */
+  #define CDESC_SHORTDESC               0x002   /* command -V */
+*** ../bash-4.2.47/builtins/evalstring.c        2010-11-23 08:22:15.000000000 -0500
+--- builtins/evalstring.c       2014-09-16 19:35:45.000000000 -0400
+***************
+*** 262,265 ****
+--- 262,273 ----
+              struct fd_bitmap *bitmap;
+  
+             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+               {
+                 internal_warning ("%s: ignoring function definition attempt", from_file);
+                 should_jump_to_top_level = 0;
+                 last_result = last_command_exit_value = EX_BADUSAGE;
+                 break;
+               }
+ 
+              bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+              begin_unwind_frame ("pe_dispose");
+***************
+*** 322,325 ****
+--- 330,336 ----
+              dispose_fd_bitmap (bitmap);
+              discard_unwind_frame ("pe_dispose");
+ 
+             if (flags & SEVAL_ONECMD)
+               break;
+            }
+        }
+*** ../bash-4.2.47/variables.c  2011-03-01 16:15:20.000000000 -0500
+--- variables.c 2014-09-16 19:35:45.000000000 -0400
+***************
+*** 348,357 ****
+          strcpy (temp_string + char_index + 1, string);
+  
+!         parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!         /* Ancient backwards compatibility.  Old versions of bash exported
+!            functions like name()=() {...} */
+!         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!           name[char_index - 2] = '\0';
+  
+          if (temp_var = find_function (name))
+--- 348,355 ----
+          strcpy (temp_string + char_index + 1, string);
+  
+!         /* Don't import function names that are invalid identifiers from the
+!            environment. */
+!         if (legal_identifier (name))
+!           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+          if (temp_var = find_function (name))
+***************
+*** 362,369 ****
+          else
+            report_error (_("error importing function definition for `%s'"), name);
+- 
+-         /* ( */
+-         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-           name[char_index - 2] = '(';         /* ) */
+        }
+  #if defined (ARRAY_VARS)
+--- 360,363 ----
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index fefe7b799d..cb95445fc8 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
           file://mkbuiltins_have_stringize.patch \
           file://build-tests.patch \
           file://test-output.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
           file://run-ptest \
           "

diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch new file mode 100644 index 0000000000..20530adf6c --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch
@@ -0,0 +1,95 @@
		1	Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.2 patchlevel 48, minus the hunk to
		2	set the patch level.
		3
		4	Upstream-Status: Backport
		5	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		6
		7	BASH PATCH REPORT
		8	=================
		9
		10	Bash-Release: 4.2
		11	Patch-ID: bash42-048
		12
		13	Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
		14	Bug-Reference-ID:
		15	Bug-Reference-URL:
		16
		17	Bug-Description:
		18
		19	Under certain circumstances, bash will execute user code while processing the
		20	environment for exported function definitions.
		21
		22	Patch (apply with `patch -p0'):
		23
		24	*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400
		25	--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400
		26	***************
		27	* 36,39 **
		28	--- 36,41 ----
		29
		30	/* Flags for describe_command, shared between type.def and command.def */
		31	+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
		32	+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
		33	#define CDESC_ALL 0x001 /* type -a */
		34	#define CDESC_SHORTDESC 0x002 /* command -V */
		35	*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500
		36	--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
		37	***************
		38	* 262,265 **
		39	--- 262,273 ----
		40	struct fd_bitmap *bitmap;
		41
		42	+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
		43	+ {
		44	+ internal_warning ("%s: ignoring function definition attempt", from_file);
		45	+ should_jump_to_top_level = 0;
		46	+ last_result = last_command_exit_value = EX_BADUSAGE;
		47	+ break;
		48	+ }
		49	+
		50	bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
		51	begin_unwind_frame ("pe_dispose");
		52	***************
		53	* 322,325 **
		54	--- 330,336 ----
		55	dispose_fd_bitmap (bitmap);
		56	discard_unwind_frame ("pe_dispose");
		57	+
		58	+ if (flags & SEVAL_ONECMD)
		59	+ break;
		60	}
		61	}
		62	*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500
		63	--- variables.c 2014-09-16 19:35:45.000000000 -0400
		64	***************
		65	* 348,357 **
		66	strcpy (temp_string + char_index + 1, string);
		67
		68	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST);
		69	!
		70	! /* Ancient backwards compatibility. Old versions of bash exported
		71	! functions like name()=() {...} */
		72	! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
		73	! name[char_index - 2] = '\0';
		74
		75	if (temp_var = find_function (name))
		76	--- 348,355 ----
		77	strcpy (temp_string + char_index + 1, string);
		78
		79	! /* Don't import function names that are invalid identifiers from the
		80	! environment. */
		81	! if (legal_identifier (name))
		82	! parse_and_execute (temp_string, name, SEVAL_NONINT\|SEVAL_NOHIST\|SEVAL_FUNCDEF\|SEVAL_ONECMD);
		83
		84	if (temp_var = find_function (name))
		85	***************
		86	* 362,369 **
		87	else
		88	report_error (_("error importing function definition for `%s'"), name);
		89	-
		90	- /* ( */
		91	- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
		92	- name[char_index - 2] = '('; /* ) */
		93	}
		94	#if defined (ARRAY_VARS)
		95	--- 360,363 ----


diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index fefe7b799d..cb95445fc8 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
21	file://mkbuiltins_have_stringize.patch \	21	file://mkbuiltins_have_stringize.patch \
22	file://build-tests.patch \	22	file://build-tests.patch \
23	file://test-output.patch \	23	file://test-output.patch \
		24	file://cve-2014-6271.patch;striplevel=0 \
24	file://run-ptest \	25	file://run-ptest \
25	"	26	"
26		27