bash: Fix-for-CVE-2014-6278
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) (From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
731c201426
commit
6d8a902fdd
|
@ -0,0 +1,99 @@
|
|||
bash: Fix CVE-2014-6278 (shellshock)
|
||||
|
||||
Upstream-status: backport
|
||||
|
||||
Downloaded from:
|
||||
ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
|
||||
|
||||
Author: Chet Ramey <chet.ramey@case.edu>
|
||||
Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
|
||||
|
||||
BASH PATCH REPORT
|
||||
=================
|
||||
|
||||
Bash-Release: 3.2
|
||||
Patch-ID: bash32-057
|
||||
|
||||
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
|
||||
Bug-Reference-ID:
|
||||
Bug-Reference-URL:
|
||||
|
||||
Bug-Description:
|
||||
|
||||
A combination of nested command substitutions and function importing from
|
||||
the environment can cause bash to execute code appearing in the environment
|
||||
variable value following the function definition.
|
||||
|
||||
--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
|
||||
+++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400
|
||||
@@ -44,4 +44,5 @@
|
||||
#include "../redir.h"
|
||||
#include "../trap.h"
|
||||
+#include "../bashintl.h"
|
||||
|
||||
#if defined (HISTORY)
|
||||
@@ -235,10 +236,23 @@
|
||||
struct fd_bitmap *bitmap;
|
||||
|
||||
- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
|
||||
+ if (flags & SEVAL_FUNCDEF)
|
||||
{
|
||||
- internal_warning ("%s: ignoring function definition attempt", from_file);
|
||||
- should_jump_to_top_level = 0;
|
||||
- last_result = last_command_exit_value = EX_BADUSAGE;
|
||||
- break;
|
||||
+ char *x;
|
||||
+
|
||||
+ /* If the command parses to something other than a straight
|
||||
+ function definition, or if we have not consumed the entire
|
||||
+ string, or if the parser has transformed the function
|
||||
+ name (as parsing will if it begins or ends with shell
|
||||
+ whitespace, for example), reject the attempt */
|
||||
+ if (command->type != cm_function_def ||
|
||||
+ ((x = parser_remaining_input ()) && *x) ||
|
||||
+ (STREQ (from_file, command->value.Function_def->name->word) == 0))
|
||||
+ {
|
||||
+ internal_warning (_("%s: ignoring function definition attempt"), from_file);
|
||||
+ should_jump_to_top_level = 0;
|
||||
+ last_result = last_command_exit_value = EX_BADUSAGE;
|
||||
+ reset_parser ();
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
@@ -302,5 +316,8 @@
|
||||
|
||||
if (flags & SEVAL_ONECMD)
|
||||
- break;
|
||||
+ {
|
||||
+ reset_parser ();
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
--- a/parse.y 2014-09-30 19:43:22.000000000 -0400
|
||||
+++ b/parse.y 2014-10-04 15:58:35.000000000 -0400
|
||||
@@ -2125,4 +2125,14 @@
|
||||
}
|
||||
|
||||
+char *
|
||||
+parser_remaining_input ()
|
||||
+{
|
||||
+ if (shell_input_line == 0)
|
||||
+ return 0;
|
||||
+ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
|
||||
+ return '\0'; /* XXX */
|
||||
+ return (shell_input_line + shell_input_line_index);
|
||||
+}
|
||||
+
|
||||
#ifdef INCLUDE_UNUSED
|
||||
/* Back the input pointer up by one, effectively `ungetting' a character. */
|
||||
--- a/shell.h 2008-04-28 22:00:24.000000000 -0400
|
||||
+++ b/shell.h 2014-10-04 15:58:35.000000000 -0400
|
||||
@@ -161,4 +161,6 @@
|
||||
|
||||
/* Let's try declaring these here. */
|
||||
+extern char *parser_remaining_input __P((void));
|
||||
+
|
||||
extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
|
||||
extern void restore_parser_state __P((sh_parser_state_t *));
|
|
@ -0,0 +1,127 @@
|
|||
bash: Fix CVE-2014-6278 (shellshock)
|
||||
|
||||
Upstream-status: backport
|
||||
|
||||
Downloaded from:
|
||||
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
|
||||
|
||||
Author: Chet Ramey <chet.ramey@case.edu>
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
BASH PATCH REPORT
|
||||
=================
|
||||
|
||||
Bash-Release: 4.2
|
||||
Patch-ID: bash42-053
|
||||
|
||||
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
|
||||
Bug-Reference-ID:
|
||||
Bug-Reference-URL:
|
||||
|
||||
Bug-Description:
|
||||
|
||||
A combination of nested command substitutions and function importing from
|
||||
the environment can cause bash to execute code appearing in the environment
|
||||
variable value following the function definition.
|
||||
|
||||
Patch (apply with `patch -p0'):
|
||||
|
||||
*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
|
||||
--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
|
||||
***************
|
||||
*** 262,271 ****
|
||||
struct fd_bitmap *bitmap;
|
||||
|
||||
! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
|
||||
{
|
||||
! internal_warning ("%s: ignoring function definition attempt", from_file);
|
||||
! should_jump_to_top_level = 0;
|
||||
! last_result = last_command_exit_value = EX_BADUSAGE;
|
||||
! break;
|
||||
}
|
||||
|
||||
--- 262,284 ----
|
||||
struct fd_bitmap *bitmap;
|
||||
|
||||
! if (flags & SEVAL_FUNCDEF)
|
||||
{
|
||||
! char *x;
|
||||
!
|
||||
! /* If the command parses to something other than a straight
|
||||
! function definition, or if we have not consumed the entire
|
||||
! string, or if the parser has transformed the function
|
||||
! name (as parsing will if it begins or ends with shell
|
||||
! whitespace, for example), reject the attempt */
|
||||
! if (command->type != cm_function_def ||
|
||||
! ((x = parser_remaining_input ()) && *x) ||
|
||||
! (STREQ (from_file, command->value.Function_def->name->word) == 0))
|
||||
! {
|
||||
! internal_warning (_("%s: ignoring function definition attempt"), from_file);
|
||||
! should_jump_to_top_level = 0;
|
||||
! last_result = last_command_exit_value = EX_BADUSAGE;
|
||||
! reset_parser ();
|
||||
! break;
|
||||
! }
|
||||
}
|
||||
|
||||
***************
|
||||
*** 332,336 ****
|
||||
|
||||
if (flags & SEVAL_ONECMD)
|
||||
! break;
|
||||
}
|
||||
}
|
||||
--- 345,352 ----
|
||||
|
||||
if (flags & SEVAL_ONECMD)
|
||||
! {
|
||||
! reset_parser ();
|
||||
! break;
|
||||
! }
|
||||
}
|
||||
}
|
||||
*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
|
||||
--- parse.y 2014-10-04 15:00:26.000000000 -0400
|
||||
***************
|
||||
*** 2436,2439 ****
|
||||
--- 2436,2449 ----
|
||||
}
|
||||
|
||||
+ char *
|
||||
+ parser_remaining_input ()
|
||||
+ {
|
||||
+ if (shell_input_line == 0)
|
||||
+ return 0;
|
||||
+ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
|
||||
+ return '\0'; /* XXX */
|
||||
+ return (shell_input_line + shell_input_line_index);
|
||||
+ }
|
||||
+
|
||||
#ifdef INCLUDE_UNUSED
|
||||
/* Back the input pointer up by one, effectively `ungetting' a character. */
|
||||
***************
|
||||
*** 3891,3896 ****
|
||||
/* reset_parser clears shell_input_line and associated variables */
|
||||
restore_input_line_state (&ls);
|
||||
! if (interactive)
|
||||
! token_to_read = 0;
|
||||
|
||||
/* Need to find how many characters parse_and_execute consumed, update
|
||||
--- 3901,3906 ----
|
||||
/* reset_parser clears shell_input_line and associated variables */
|
||||
restore_input_line_state (&ls);
|
||||
!
|
||||
! token_to_read = 0;
|
||||
|
||||
/* Need to find how many characters parse_and_execute consumed, update
|
||||
*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
|
||||
--- shell.h 2014-10-04 15:00:26.000000000 -0400
|
||||
***************
|
||||
*** 178,181 ****
|
||||
--- 178,183 ----
|
||||
|
||||
/* Let's try declaring these here. */
|
||||
+ extern char *parser_remaining_input __P((void));
|
||||
+
|
||||
extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
|
||||
extern void restore_parser_state __P((sh_parser_state_t *));
|
|
@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
|
|||
file://Fix-for-bash-exported-function-namespace-change.patch \
|
||||
file://cve-2014-7186_cve-2014-7187.patch \
|
||||
file://cve-2014-6277.patch \
|
||||
file://cve-2014-6278.patch \
|
||||
file://run-ptest \
|
||||
"
|
||||
|
||||
|
|
|
@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
|
|||
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
|
||||
file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
|
||||
file://cve-2014-6277.patch \
|
||||
file://cve-2014-6278.patch;striplevel=0 \
|
||||
file://run-ptest \
|
||||
"
|
||||
|
||||
|
|
Loading…
Reference in New Issue