bash: Fix for CVE-2014-6277
Follow up bash42-049 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 (From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa) (From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
38c91c440f
commit
731c201426
|
@ -0,0 +1,44 @@
|
||||||
|
bash: Fix CVE-2014-6277 (shellshock)
|
||||||
|
|
||||||
|
Upstream-status: backport
|
||||||
|
|
||||||
|
Downloaded from:
|
||||||
|
ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
|
||||||
|
|
||||||
|
Author: Chet Ramey <chet.ramey@case.edu>
|
||||||
|
Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
|
||||||
|
|
||||||
|
BASH PATCH REPORT
|
||||||
|
=================
|
||||||
|
|
||||||
|
Bash-Release: 3.2
|
||||||
|
Patch-ID: bash32-056
|
||||||
|
|
||||||
|
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
|
||||||
|
Bug-Reference-ID:
|
||||||
|
Bug-Reference-URL:
|
||||||
|
|
||||||
|
Bug-Description:
|
||||||
|
|
||||||
|
When bash is parsing a function definition that contains a here-document
|
||||||
|
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
|
||||||
|
uninitialized. This can result in an invalid memory access when the parsed
|
||||||
|
function is later copied.
|
||||||
|
---
|
||||||
|
--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
|
||||||
|
+++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
|
||||||
|
@@ -677,4 +677,5 @@
|
||||||
|
temp->redirector = source;
|
||||||
|
temp->redirectee = dest_and_filename;
|
||||||
|
+ temp->here_doc_eof = 0;
|
||||||
|
temp->instruction = instruction;
|
||||||
|
temp->flags = 0;
|
||||||
|
--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
|
||||||
|
+++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
|
||||||
|
@@ -117,5 +117,5 @@
|
||||||
|
case r_reading_until:
|
||||||
|
case r_deblank_reading_until:
|
||||||
|
- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
|
||||||
|
+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
|
||||||
|
/*FALLTHROUGH*/
|
||||||
|
case r_reading_string:
|
|
@ -0,0 +1,44 @@
|
||||||
|
bash: Fix CVE-2014-6277 (shellshock)
|
||||||
|
|
||||||
|
Upstream-status: backport
|
||||||
|
|
||||||
|
Downloaded from:
|
||||||
|
ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
|
||||||
|
|
||||||
|
Author: Chet Ramey <chet.ramey@case.edu>
|
||||||
|
Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
|
||||||
|
|
||||||
|
BASH PATCH REPORT
|
||||||
|
=================
|
||||||
|
|
||||||
|
Bash-Release: 4.3
|
||||||
|
Patch-ID: bash43-029
|
||||||
|
|
||||||
|
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
|
||||||
|
Bug-Reference-ID:
|
||||||
|
Bug-Reference-URL:
|
||||||
|
|
||||||
|
Bug-Description:
|
||||||
|
|
||||||
|
When bash is parsing a function definition that contains a here-document
|
||||||
|
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
|
||||||
|
uninitialized. This can result in an invalid memory access when the parsed
|
||||||
|
function is later copied.
|
||||||
|
---
|
||||||
|
--- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
|
||||||
|
+++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400
|
||||||
|
@@ -693,4 +693,5 @@
|
||||||
|
temp->redirector = source;
|
||||||
|
temp->redirectee = dest_and_filename;
|
||||||
|
+ temp->here_doc_eof = 0;
|
||||||
|
temp->instruction = instruction;
|
||||||
|
temp->flags = 0;
|
||||||
|
--- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
|
||||||
|
+++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
|
||||||
|
@@ -127,5 +127,5 @@
|
||||||
|
case r_reading_until:
|
||||||
|
case r_deblank_reading_until:
|
||||||
|
- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
|
||||||
|
+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
|
||||||
|
/*FALLTHROUGH*/
|
||||||
|
case r_reading_string:
|
|
@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
|
||||||
file://cve-2014-7169.patch \
|
file://cve-2014-7169.patch \
|
||||||
file://Fix-for-bash-exported-function-namespace-change.patch \
|
file://Fix-for-bash-exported-function-namespace-change.patch \
|
||||||
file://cve-2014-7186_cve-2014-7187.patch \
|
file://cve-2014-7186_cve-2014-7187.patch \
|
||||||
|
file://cve-2014-6277.patch \
|
||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
"
|
"
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
|
||||||
file://cve-2014-7169.patch \
|
file://cve-2014-7169.patch \
|
||||||
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
|
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
|
||||||
file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
|
file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
|
||||||
|
file://cve-2014-6277.patch \
|
||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
"
|
"
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue