Hello community,
here is the log from the commit of package bash for openSUSE:Factory checked in
at 2014-10-15 16:19:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bash (Old)
and /work/SRC/openSUSE:Factory/.bash.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bash"
Changes:
--------
--- /work/SRC/openSUSE:Factory/bash/bash.changes 2014-09-29
12:40:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.bash.new/bash.changes 2014-10-15
16:19:32.000000000 +0200
@@ -1,0 +2,41 @@
+Mon Oct 6 08:07:48 UTC 2014 - wer...@suse.de
+
+- Replace patches bash-4.2-heredoc-eof-delim.patch and
+ bash-4.2-parse-exportfunc.patch with the official upstream
+ patch levels bash42-052 and bash42-053
+
+-------------------------------------------------------------------
+Thu Oct 2 13:11:50 UTC 2014 - wer...@suse.de
+
+- Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch
+ level bash42-051
+
+-------------------------------------------------------------------
+Wed Oct 1 12:12:55 UTC 2014 - wer...@suse.de
+
+- Add patches
+ bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277:
+ more troubles with functions
+ bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278:
+ code execution after original 6271 fix
+
+-------------------------------------------------------------------
+Tue Sep 30 13:49:12 UTC 2014 - wer...@suse.de
+
+- Make bash-4.2-extra-import-func.patch an optional patch due
+ instruction
+
+-------------------------------------------------------------------
+Tue Sep 30 11:45:52 UTC 2014 - wer...@suse.de
+
+- Remove and replace patches
+ bash-4.2-CVE-2014-6271.patch
+ bash-4.2-BSC898604.patch
+ bash-4.2-CVE-2014-7169.patch
+ with bash upstream patch 48, patch 49, and patch 50
+- Add patch bash-4.2-extra-import-func.patch which is based on the
+ BSD patch of Christos. As further enhancements the option
+ import-functions is mentioned in the manual page and a shopt
+ switch is added to enable and disable import-functions on the fly
+
+-------------------------------------------------------------------
Old:
----
bash-4.2-BSC898604.patch
bash-4.2-CVE-2014-6271.patch
bash-4.2-CVE-2014-7169.patch
bash-4.2-CVE-2014-7187.patch
New:
----
bash-4.2-extra-import-func.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bash.spec ++++++
--- /var/tmp/diff_new_pack.MoxLyF/_old 2014-10-15 16:19:35.000000000 +0200
+++ /var/tmp/diff_new_pack.MoxLyF/_new 2014-10-15 16:19:35.000000000 +0200
@@ -16,6 +16,8 @@
#
+%bcond_with import_function
+
Name: bash
BuildRequires: audit-devel
BuildRequires: autoconf
@@ -99,11 +101,8 @@
Patch43: audit-rl-patch
Patch46: man2html-no-timestamp.patch
Patch47: config-guess-sub-update.patch
-# PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code
execution with environment variables
-Patch48: bash-4.2-CVE-2014-6271.patch
-Patch49: bash-4.2-BSC898604.patch
-Patch50: bash-4.2-CVE-2014-7169.patch
-Patch51: bash-4.2-CVE-2014-7187.patch
+# PATCH-FIX-SUSE CVE-2014-6271
+Patch48: bash-4.2-extra-import-func.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%global _sysconfdir /etc
%global _incdir %{_includedir}
@@ -324,11 +323,10 @@
%patch42 -p1 -b .audit
%endif
%patch46 -p0 -b .notimestamp
-%patch47
-%patch48 -p2
-%patch49 -p0
-%patch50 -p0
-%patch51 -p0
+%patch47 -p0
+%if %{with import_function}
+%patch48 -p0
+%endif
%patch0 -p0 -b .0
pushd ../readline-%{rl_vers}%{extend}
for patch in ../readline-%{rl_vers}-patches/*; do
@@ -435,6 +433,7 @@
cflags -ftree-loop-linear CFLAGS
cflags -pipe CFLAGS
cflags -DBNC382214=0 CFLAGS
+ cflags -DIMPORT_FUNCTIONS_DEF=0 CFLAGS
cflags -Wl,--as-needed LDFLAGS
cflags -Wl,-O2 LDFLAGS
cflags -Wl,--hash-size=8599 LDFLAGS
@@ -560,10 +559,10 @@
all printenv recho zecho xcase
TMPDIR=$(mktemp -d /tmp/bash.XXXXXXXXXX) || exit 1
> $SCREENLOG
+ tail -q -s 0.5 -f $SCREENLOG & pid=$!
env -i HOME=$PWD TERM=$TERM LD_LIBRARY_PATH=$LD_LIBRARY_PATH TMPDIR=$TMPDIR \
SCREENRC=$SCREENRC SCREENDIR=$SCREENDIR \
screen -L -D -m make TESTSCRIPT=%{SOURCE4} check
- cat $SCREENLOG
make %{?do_profiling:CFLAGS="$CFLAGS %cflags_profile_feedback" clean} all
make -C examples/loadables/
make documentation
++++++ bash-4.2-extra-import-func.patch ++++++
---
builtins/shopt.def | 2 ++
doc/bash.1 | 7 +++++++
shell.c | 2 ++
variables.c | 13 ++++++++++++-
4 files changed, 23 insertions(+), 1 deletion(-)
--- shell.c
+++ shell.c 2014-09-25 20:11:51.000000000 +0000
@@ -225,6 +225,7 @@ int posixly_correct = 1; /* Non-zero mea
#else
int posixly_correct = 0; /* Non-zero means posix.2 superset. */
#endif
+int import_functions = IMPORT_FUNCTIONS_DEF; /* Import functions from
environment */
/* Some long-winded argument names. These are obviously new. */
#define Int 1
@@ -244,6 +245,7 @@ static const struct {
{ "help", Int, &want_initial_help, (char **)0x0 },
{ "init-file", Charp, (int *)0x0, &bashrc_file },
{ "login", Int, &make_login_shell, (char **)0x0 },
+ { "import-functions", Int, &import_functions, (char **)0x0 },
{ "noediting", Int, &no_line_editing, (char **)0x0 },
{ "noprofile", Int, &no_profile, (char **)0x0 },
{ "norc", Int, &no_rc, (char **)0x0 },
--- variables.c
+++ variables.c 2014-09-30 11:54:58.994735738 +0000
@@ -105,6 +105,7 @@ extern time_t shell_start_time;
extern int assigning_in_environment;
extern int executing_builtin;
extern int funcnest_max;
+extern int import_functions;
#if defined (READLINE)
extern int no_line_editing;
@@ -317,6 +318,7 @@ initialize_shell_variables (env, privmod
char *name, *string, *temp_string;
int c, char_index, string_index, string_length;
SHELL_VAR *temp_var;
+ int skipped_import;
create_variable_tables ();
@@ -341,9 +343,12 @@ initialize_shell_variables (env, privmod
temp_var = (SHELL_VAR *)NULL;
+ skipped_import = 0;
+ reval:
+
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
- if (privmode == 0 && read_but_dont_execute == 0 &&
+ if (skipped_import == 0 && privmode == 0 && read_but_dont_execute == 0 &&
STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
STREQN ("() {", string, 4))
@@ -356,6 +361,12 @@ initialize_shell_variables (env, privmod
tname = name + BASHFUNC_PREFLEN; /* start of func name */
tname[namelen] = '\0'; /* now tname == func name */
+ if (!import_functions && !interactive_shell) {
+ skipped_import = 1;
+ report_error (_("Skipping importing function definition for
`%s': --import-functions required."), tname);
+ goto reval;
+ }
+
string_length = strlen (string);
temp_string = (char *)xmalloc (namelen + string_length + 2);
--- builtins/shopt.def
+++ builtins/shopt.def 2014-09-30 11:58:13.714235365 +0000
@@ -89,6 +89,7 @@ extern int check_jobs_at_exit;
extern int autocd;
extern int glob_star;
extern int lastpipe_opt;
+extern int import_functions;
#if defined (EXTENDED_GLOB)
extern int extended_glob;
@@ -186,6 +187,7 @@ static struct {
{ "hostcomplete", &perform_hostname_completion,
shopt_enable_hostname_completion },
#endif
{ "huponexit", &hup_on_exit, (shopt_set_func_t *)NULL },
+ { "import-functions", &import_functions, (shopt_set_func_t *)NULL },
{ "interactive_comments", &interactive_comments, set_shellopts_after_change
},
{ "lastpipe", &lastpipe_opt, (shopt_set_func_t *)NULL },
#if defined (HISTORY)
--- doc/bash.1
+++ doc/bash.1 2014-09-30 12:09:39.698234623 +0000
@@ -235,6 +235,13 @@ The shell becomes restricted (see
.B "RESTRICTED SHELL"
below).
.TP
+.B \-\-import\-functions
+This shell is patched in such a way that shell functions in the inported
environment
+will not be expanded due several security issues (e.g. CVE\-2014\-6271). This
option
+can be used to enable this. It is also possible to use the
+.B shopt
+builtin to do this.
+.TP
.B \-\-verbose
Equivalent to \fB\-v\fP.
.TP
++++++ bash-4.2-patches.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-048
new/bash-4.2-patches/bash42-048
--- old/bash-4.2-patches/bash42-048 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-048 2014-09-24 16:25:00.000000000 +0200
@@ -0,0 +1,104 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-048
+
+Bug-Reported-by: Stephane Chazelas <stephane.chaze...@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400
+--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400
+***************
+*** 36,39 ****
+--- 36,41 ----
+
+ /* Flags for describe_command, shared between type.def and command.def */
++ #define SEVAL_FUNCDEF 0x080 /* only allow function
definitions */
++ #define SEVAL_ONECMD 0x100 /* only allow a single command */
+ #define CDESC_ALL 0x001 /* type -a */
+ #define CDESC_SHORTDESC 0x002 /* command -V */
+*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000
-0500
+--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
+***************
+*** 262,265 ****
+--- 262,273 ----
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt",
from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+***************
+*** 322,325 ****
+--- 330,336 ----
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500
+--- variables.c 2014-09-16 19:35:45.000000000 -0400
+***************
+*** 348,357 ****
+ strcpy (temp_string + char_index + 1, string);
+
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+!
+! /* Ancient backwards compatibility. Old versions of bash exported
+! functions like name()=() {...} */
+! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! name[char_index - 2] = '\0';
+
+ if (temp_var = find_function (name))
+--- 348,355 ----
+ strcpy (temp_string + char_index + 1, string);
+
+! /* Don't import function names that are invalid identifiers from the
+! environment. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name,
SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+***************
+*** 362,369 ****
+ else
+ report_error (_("error importing function definition for `%s'"),
name);
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+--- 360,363 ----
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 47
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 48
+
+ #endif /* _PATCHLEVEL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-049
new/bash-4.2-patches/bash42-049
--- old/bash-4.2-patches/bash42-049 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-049 2014-09-28 19:54:50.000000000 +0200
@@ -0,0 +1,43 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-049
+
+Bug-Reported-by: Tavis Ormandy <tav...@cmpxchg8b.com>
+Bug-Reference-ID:
+Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
+
+Bug-Description:
+
+Under certain circumstances, bash can incorrectly save a lookahead character
and
+return it on a subsequent call, even when reading a new line.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.48/parse.y 2012-12-31 11:52:57.000000000 -0500
+--- parse.y 2014-09-25 16:12:19.000000000 -0400
+***************
+*** 2851,2854 ****
+--- 2851,2856 ----
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ current_token = '\n'; /* XXX */
+ last_read_token = '\n';
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 48
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 49
+
+ #endif /* _PATCHLEVEL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-050
new/bash-4.2-patches/bash42-050
--- old/bash-4.2-patches/bash42-050 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-050 2014-09-28 04:38:19.000000000 +0200
@@ -0,0 +1,217 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-050
+
+Bug-Reported-by: Florian Weimer <fwei...@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+This patch changes the encoding bash uses for exported functions to avoid
+clashes with shell variables and to avoid depending only on an environment
+variable's contents to determine whether or not to interpret it as a shell
+function.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.49/variables.c 2014-09-16 19:35:45.000000000 -0400
+--- variables.c 2014-09-27 20:54:00.000000000 -0400
+***************
+*** 80,83 ****
+--- 80,88 ----
+ #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' &&
(s)[3] == '\0')
+
++ #define BASHFUNC_PREFIX "BASH_FUNC_"
++ #define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
++ #define BASHFUNC_SUFFIX "%%"
++ #define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+
+***************
+*** 269,273 ****
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+! static inline char *mk_env_string __P((const char *, const char *));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+--- 274,278 ----
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+! static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+***************
+*** 339,357 ****
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+! if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {",
string, 4))
+ {
+ string_length = strlen (string);
+! temp_string = (char *)xmalloc (3 + string_length + char_index);
+
+! strcpy (temp_string, name);
+! temp_string[char_index] = ' ';
+! strcpy (temp_string + char_index + 1, string);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name,
SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+! if (temp_var = find_function (name))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+--- 344,373 ----
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+! if (privmode == 0 && read_but_dont_execute == 0 &&
+! STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
+! STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
+! STREQN ("() {", string, 4))
+ {
++ size_t namelen;
++ char *tname; /* desired imported function name */
++
++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
++
++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
++ tname[namelen] = '\0'; /* now tname == func name */
++
+ string_length = strlen (string);
+! temp_string = (char *)xmalloc (namelen + string_length + 2);
+
+! memcpy (temp_string, tname, namelen);
+! temp_string[namelen] = ' ';
+! memcpy (temp_string + namelen + 1, string, string_length + 1);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+! if (absolute_program (tname) == 0 && (posixly_correct == 0 ||
legal_identifier (tname)))
+! parse_and_execute (temp_string, tname,
SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+! if (temp_var = find_function (tname))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+***************
+*** 359,363 ****
+ }
+ else
+! report_error (_("error importing function definition for `%s'"),
name);
+ }
+ #if defined (ARRAY_VARS)
+--- 375,382 ----
+ }
+ else
+! report_error (_("error importing function definition for `%s'"),
tname);
+!
+! /* Restore original suffix */
+! tname[namelen] = BASHFUNC_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+***************
+*** 2538,2542 ****
+
+ INVALIDATE_EXPORTSTR (var);
+! var->exportstr = mk_env_string (name, value);
+
+ array_needs_making = 1;
+--- 2557,2561 ----
+
+ INVALIDATE_EXPORTSTR (var);
+! var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+***************
+*** 3390,3408 ****
+
+ static inline char *
+! mk_env_string (name, value)
+ const char *name, *value;
+ {
+! int name_len, value_len;
+! char *p;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+! p = (char *)xmalloc (2 + name_len + value_len);
+! strcpy (p, name);
+! p[name_len] = '=';
+ if (value && *value)
+! strcpy (p + name_len + 1, value);
+ else
+! p[name_len + 1] = '\0';
+ return (p);
+ }
+--- 3409,3448 ----
+
+ static inline char *
+! mk_env_string (name, value, isfunc)
+ const char *name, *value;
++ int isfunc;
+ {
+! size_t name_len, value_len;
+! char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+!
+! /* If we are exporting a shell function, construct the encoded function
+! name. */
+! if (isfunc && value)
+! {
+! p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN +
value_len + 2);
+! q = p;
+! memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
+! q += BASHFUNC_PREFLEN;
+! memcpy (q, name, name_len);
+! q += name_len;
+! memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
+! q += BASHFUNC_SUFFLEN;
+! }
+! else
+! {
+! p = (char *)xmalloc (2 + name_len + value_len);
+! memcpy (p, name, name_len);
+! q = p + name_len;
+! }
+!
+! q[0] = '=';
+ if (value && *value)
+! memcpy (q + 1, value, value_len + 1);
+ else
+! q[1] = '\0';
+!
+ return (p);
+ }
+***************
+*** 3490,3494 ****
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+! : mk_env_string (var->name, value);
+
+ if (USE_EXPORTSTR == 0)
+--- 3530,3534 ----
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+! : mk_env_string (var->name, value,
function_p (var));
+
+ if (USE_EXPORTSTR == 0)
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 49
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 50
+
+ #endif /* _PATCHLEVEL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-051
new/bash-4.2-patches/bash42-051
--- old/bash-4.2-patches/bash42-051 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-051 2014-10-01 16:39:02.000000000 +0200
@@ -0,0 +1,173 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-051
+
+Bug-Reported-by: Florian Weimer <fwei...@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
+--- parse.y 2014-09-30 19:24:19.000000000 -0400
+***************
+*** 168,171 ****
+--- 168,174 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 265,269 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 268,274 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 307,311 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 312,316 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 520,524 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until,
redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 525,529 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until,
redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 527,531 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until,
redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS WORD
+--- 532,536 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until,
redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS WORD
+***************
+*** 534,538 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until,
redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_MINUS WORD
+--- 539,543 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until,
redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_MINUS WORD
+***************
+*** 541,545 ****
+ redir.filename = $2;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 546,550 ----
+ redir.filename = $2;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 548,552 ****
+ redir.filename = $3;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+--- 553,557 ----
+ redir.filename = $3;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+***************
+*** 555,559 ****
+ redir.filename = $3;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 560,564 ----
+ redir.filename = $3;
+ $$ = make_redirection (source,
r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 2534,2537 ****
+--- 2539,2557 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 50
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 51
+
+ #endif /* _PATCHLEVEL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-052
new/bash-4.2-patches/bash42-052
--- old/bash-4.2-patches/bash42-052 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-052 2014-10-03 04:14:47.000000000 +0200
@@ -0,0 +1,59 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-052
+
+Bug-Reported-by: Michal Zalewski <lcam...@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.51/make_cmd.c 2009-09-11 17:26:12.000000000 -0400
+--- make_cmd.c 2014-10-02 11:26:58.000000000 -0400
+***************
+*** 690,693 ****
+--- 690,694 ----
+ temp->redirector = source;
+ temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+ temp->instruction = instruction;
+ temp->flags = 0;
+*** ../bash-4.2.51/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
+--- copy_cmd.c 2014-10-02 11:26:58.000000000 -0400
+***************
+*** 127,131 ****
+ case r_reading_until:
+ case r_deblank_reading_until:
+! new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
+ /*FALLTHROUGH*/
+ case r_reading_string:
+--- 127,131 ----
+ case r_reading_until:
+ case r_deblank_reading_until:
+! new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring
(redirect->here_doc_eof) : 0;
+ /*FALLTHROUGH*/
+ case r_reading_string:
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 51
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 52
+
+ #endif /* _PATCHLEVEL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bash-4.2-patches/bash42-053
new/bash-4.2-patches/bash42-053
--- old/bash-4.2-patches/bash42-053 1970-01-01 01:00:00.000000000 +0100
+++ new/bash-4.2-patches/bash42-053 2014-10-06 01:01:26.000000000 +0200
@@ -0,0 +1,132 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-053
+
+Bug-Reported-by: Michal Zalewski <lcam...@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000
-0400
+--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+ struct fd_bitmap *bitmap;
+
+! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+! internal_warning ("%s: ignoring function definition attempt",
from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! break;
+ }
+
+--- 262,284 ----
+ struct fd_bitmap *bitmap;
+
+! if (flags & SEVAL_FUNCDEF)
+ {
+! char *x;
+!
+! /* If the command parses to something other than a straight
+! function definition, or if we have not consumed the entire
+! string, or if the parser has transformed the function
+! name (as parsing will if it begins or ends with shell
+! whitespace, for example), reject the attempt */
+! if (command->type != cm_function_def ||
+! ((x = parser_remaining_input ()) && *x) ||
+! (STREQ (from_file,
command->value.Function_def->name->word) == 0))
+! {
+! internal_warning (_("%s: ignoring function definition
attempt"), from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! reset_parser ();
+! break;
+! }
+ }
+
+***************
+*** 332,336 ****
+
+ if (flags & SEVAL_ONECMD)
+! break;
+ }
+ }
+--- 345,352 ----
+
+ if (flags & SEVAL_ONECMD)
+! {
+! reset_parser ();
+! break;
+! }
+ }
+ }
+*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
+--- parse.y 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+ }
+
++ char *
++ parser_remaining_input ()
++ {
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >=
shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++ }
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+! if (interactive)
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+!
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
+--- shell.h 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+
+ /* Let's try declaring these here. */
++ extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 52
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 53
+
+ #endif /* _PATCHLEVEL_H_ */
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
