168 lines
4.8 KiB
Diff
168 lines
4.8 KiB
Diff
bash: Fix for CVE-2014-7186 and CVE-2014-7187
|
|
|
|
Upstream-Status: Backport {GNU Patch-ID: bash42-051}
|
|
|
|
Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
|
|
|
|
Author: Chet Ramey <chet.ramey@case.edu>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
|
|
BASH PATCH REPORT
|
|
=================
|
|
|
|
Bash-Release: 4.2
|
|
Patch-ID: bash42-051
|
|
|
|
Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
|
|
Bug-Reference-ID:
|
|
Bug-Reference-URL:
|
|
|
|
Bug-Description:
|
|
|
|
There are two local buffer overflows in parse.y that can cause the shell
|
|
to dump core when given many here-documents attached to a single command
|
|
or many nested loops.
|
|
|
|
Patch (apply with `patch -p0'):
|
|
|
|
*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
|
|
--- parse.y 2014-09-30 19:24:19.000000000 -0400
|
|
***************
|
|
*** 168,171 ****
|
|
--- 168,174 ----
|
|
static int reserved_word_acceptable __P((int));
|
|
static int yylex __P((void));
|
|
+
|
|
+ static void push_heredoc __P((REDIRECT *));
|
|
+ static char *mk_alexpansion __P((char *));
|
|
static int alias_expand_token __P((char *));
|
|
static int time_command_acceptable __P((void));
|
|
***************
|
|
*** 265,269 ****
|
|
/* Variables to manage the task of reading here documents, because we need to
|
|
defer the reading until after a complete command has been collected. */
|
|
! static REDIRECT *redir_stack[10];
|
|
int need_here_doc;
|
|
|
|
--- 268,274 ----
|
|
/* Variables to manage the task of reading here documents, because we need to
|
|
defer the reading until after a complete command has been collected. */
|
|
! #define HEREDOC_MAX 16
|
|
!
|
|
! static REDIRECT *redir_stack[HEREDOC_MAX];
|
|
int need_here_doc;
|
|
|
|
***************
|
|
*** 307,311 ****
|
|
index is decremented after a case, select, or for command is parsed. */
|
|
#define MAX_CASE_NEST 128
|
|
! static int word_lineno[MAX_CASE_NEST];
|
|
static int word_top = -1;
|
|
|
|
--- 312,316 ----
|
|
index is decremented after a case, select, or for command is parsed. */
|
|
#define MAX_CASE_NEST 128
|
|
! static int word_lineno[MAX_CASE_NEST+1];
|
|
static int word_top = -1;
|
|
|
|
***************
|
|
*** 520,524 ****
|
|
redir.filename = $2;
|
|
$$ = make_redirection (source, r_reading_until, redir, 0);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| NUMBER LESS_LESS WORD
|
|
--- 525,529 ----
|
|
redir.filename = $2;
|
|
$$ = make_redirection (source, r_reading_until, redir, 0);
|
|
! push_heredoc ($$);
|
|
}
|
|
| NUMBER LESS_LESS WORD
|
|
***************
|
|
*** 527,531 ****
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_reading_until, redir, 0);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| REDIR_WORD LESS_LESS WORD
|
|
--- 532,536 ----
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_reading_until, redir, 0);
|
|
! push_heredoc ($$);
|
|
}
|
|
| REDIR_WORD LESS_LESS WORD
|
|
***************
|
|
*** 534,538 ****
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| LESS_LESS_MINUS WORD
|
|
--- 539,543 ----
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
|
|
! push_heredoc ($$);
|
|
}
|
|
| LESS_LESS_MINUS WORD
|
|
***************
|
|
*** 541,545 ****
|
|
redir.filename = $2;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| NUMBER LESS_LESS_MINUS WORD
|
|
--- 546,550 ----
|
|
redir.filename = $2;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
|
|
! push_heredoc ($$);
|
|
}
|
|
| NUMBER LESS_LESS_MINUS WORD
|
|
***************
|
|
*** 548,552 ****
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| REDIR_WORD LESS_LESS_MINUS WORD
|
|
--- 553,557 ----
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
|
|
! push_heredoc ($$);
|
|
}
|
|
| REDIR_WORD LESS_LESS_MINUS WORD
|
|
***************
|
|
*** 555,559 ****
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
|
|
! redir_stack[need_here_doc++] = $$;
|
|
}
|
|
| LESS_LESS_LESS WORD
|
|
--- 560,564 ----
|
|
redir.filename = $3;
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
|
|
! push_heredoc ($$);
|
|
}
|
|
| LESS_LESS_LESS WORD
|
|
***************
|
|
*** 2534,2537 ****
|
|
--- 2539,2557 ----
|
|
static int esacs_needed_count;
|
|
|
|
+ static void
|
|
+ push_heredoc (r)
|
|
+ REDIRECT *r;
|
|
+ {
|
|
+ if (need_here_doc >= HEREDOC_MAX)
|
|
+ {
|
|
+ last_command_exit_value = EX_BADUSAGE;
|
|
+ need_here_doc = 0;
|
|
+ report_syntax_error (_("maximum here-document count exceeded"));
|
|
+ reset_parser ();
|
|
+ exit_shell (last_command_exit_value);
|
|
+ }
|
|
+ redir_stack[need_here_doc++] = r;
|
|
+ }
|
|
+
|
|
void
|
|
gather_here_documents ()
|