On Mon, Sep 29, 2014 at 11:45:10AM +0200, Bruno Thomsen wrote: > Fix CVE-2014-7169. > Applied patches 53 and 54 from version 3.2. > > Signed-off-by: Bruno Thomsen <[email protected]>
Thanks. I've applied both patches. Michael > --- > patches/bash-3.2.48/0005-bash-3.2-patch53.patch | 51 +++++++ > patches/bash-3.2.48/0006-bash-3.2-patch54.patch | 185 > ++++++++++++++++++++++++ > patches/bash-3.2.48/series | 2 + > 3 files changed, 238 insertions(+) > create mode 100644 patches/bash-3.2.48/0005-bash-3.2-patch53.patch > create mode 100644 patches/bash-3.2.48/0006-bash-3.2-patch54.patch > > diff --git a/patches/bash-3.2.48/0005-bash-3.2-patch53.patch > b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch > new file mode 100644 > index 0000000..cad5435 > --- /dev/null > +++ b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch > @@ -0,0 +1,51 @@ > +From bb47ebbc22117d0dfcff43734b5eeb293b4249e7 Mon Sep 17 00:00:00 2001 > +From: Bruno Thomsen <[email protected]> > +Date: Mon, 29 Sep 2014 10:18:41 +0200 > +Subject: [PATCH] bash-3.2: patch 53 > + > +Bash-Release: 3.2 > +Patch-ID: bash32-053 > + > +Bug-Reported-by: Tavis Ormandy <[email protected]> > +Bug-Reference-ID: > +Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929 > + > +Bug-Description: > + > +Under certain circumstances, bash can incorrectly save a lookahead character > and > +return it on a subsequent call, even when reading a new line. > + > +Signed-off-by: Bruno Thomsen <[email protected]> > +--- > + parse.y | 2 ++ > + patchlevel.h | 2 +- > + 2 files changed, 3 insertions(+), 1 deletion(-) > + > +diff --git a/parse.y b/parse.y > +index 8a2b081..6cb2bce 100644 > +--- a/parse.y > ++++ b/parse.y > +@@ -2503,6 +2503,8 @@ reset_parser () > + FREE (word_desc_to_read); > + word_desc_to_read = (WORD_DESC *)NULL; > + > ++ eol_ungetc_lookahead = 0; > ++ > + last_read_token = '\n'; > + token_to_read = '\n'; > + } > +diff --git a/patchlevel.h b/patchlevel.h > +index a2d65b2..e5d74f3 100644 > +--- a/patchlevel.h > ++++ b/patchlevel.h > +@@ -25,6 +25,6 @@ > + regexp `^#define[ ]*PATCHLEVEL', since that's what > support/mkversion.sh > + looks for to find the patch level (for the sccs version string). */ > + > +-#define PATCHLEVEL 52 > ++#define PATCHLEVEL 53 > + > + #endif /* _PATCHLEVEL_H_ */ > +-- > +1.9.1 > + > diff --git a/patches/bash-3.2.48/0006-bash-3.2-patch54.patch > b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch > new file mode 100644 > index 0000000..0b7e14d > --- /dev/null > +++ b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch > @@ -0,0 +1,185 @@ > +From 3daa4e268f15c66675cccc4e17c901194ca19199 Mon Sep 17 00:00:00 2001 > +From: Bruno Thomsen <[email protected]> > +Date: Mon, 29 Sep 2014 10:36:58 +0200 > +Subject: [PATCH] bash-3.2: patch 54 > + > +Bash-Release: 3.2 > +Patch-ID: bash32-054 > + > +Bug-Reported-by: Florian Weimer <[email protected]> > +Bug-Reference-ID: > +Bug-Reference-URL: > + > +Bug-Description: > + > +This patch changes the encoding bash uses for exported functions to avoid > +clashes with shell variables and to avoid depending only on an environment > +variable's contents to determine whether or not to interpret it as a shell > +function. > + > +Signed-off-by: Bruno Thomsen <[email protected]> > +--- > + patchlevel.h | 2 +- > + variables.c | 80 > +++++++++++++++++++++++++++++++++++++++++++++--------------- > + 2 files changed, 61 insertions(+), 21 deletions(-) > + > +diff --git a/patchlevel.h b/patchlevel.h > +index e5d74f3..d449c7c 100644 > +--- a/patchlevel.h > ++++ b/patchlevel.h > +@@ -25,6 +25,6 @@ > + regexp `^#define[ ]*PATCHLEVEL', since that's what > support/mkversion.sh > + looks for to find the patch level (for the sccs version string). */ > + > +-#define PATCHLEVEL 53 > ++#define PATCHLEVEL 54 > + > + #endif /* _PATCHLEVEL_H_ */ > +diff --git a/variables.c b/variables.c > +index eb80326..76501cf 100644 > +--- a/variables.c > ++++ b/variables.c > +@@ -74,6 +74,11 @@ > + > + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && > (s)[3] == '\0') > + > ++#define BASHFUNC_PREFIX "BASH_FUNC_" > ++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */ > ++#define BASHFUNC_SUFFIX "%%" > ++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */ > ++ > + extern char **environ; > + > + /* Variables used here and defined in other files. */ > +@@ -241,7 +246,7 @@ static void push_temp_var __P((PTR_T)); > + static void propagate_temp_var __P((PTR_T)); > + static void dispose_temporary_env __P((sh_free_func_t *)); > + > +-static inline char *mk_env_string __P((const char *, const char *)); > ++static inline char *mk_env_string __P((const char *, const char *, int)); > + static char **make_env_array_from_var_list __P((SHELL_VAR **)); > + static char **make_var_export_array __P((VAR_CONTEXT *)); > + static char **make_func_export_array __P((void)); > +@@ -309,27 +314,41 @@ initialize_shell_variables (env, privmode) > + > + /* If exported function, define it now. Don't import functions from > + the environment in privileged mode. */ > +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", > string, 4)) > ++ if (privmode == 0 && read_but_dont_execute == 0 && > ++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) && > ++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) && > ++ STREQN ("() {", string, 4)) > + { > ++ size_t namelen; > ++ char *tname; /* desired imported function name */ > ++ > ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN; > ++ > ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */ > ++ tname[namelen] = '\0'; /* now tname == func name */ > ++ > + string_length = strlen (string); > +- temp_string = (char *)xmalloc (3 + string_length + char_index); > ++ temp_string = (char *)xmalloc (namelen + string_length + 2); > + > +- strcpy (temp_string, name); > +- temp_string[char_index] = ' '; > +- strcpy (temp_string + char_index + 1, string); > ++ memcpy (temp_string, tname, namelen); > ++ temp_string[namelen] = ' '; > ++ memcpy (temp_string + namelen + 1, string, string_length + 1); > + > + /* Don't import function names that are invalid identifiers from the > + environment. */ > +- if (legal_identifier (name)) > +- parse_and_execute (temp_string, name, > SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); > ++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || > legal_identifier (tname))) > ++ parse_and_execute (temp_string, tname, > SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); > + > +- if (temp_var = find_function (name)) > ++ if (temp_var = find_function (tname)) > + { > + VSETATTR (temp_var, (att_exported|att_imported)); > + array_needs_making = 1; > + } > + else > +- report_error (_("error importing function definition for `%s'"), > name); > ++ report_error (_("error importing function definition for `%s'"), > tname); > ++ > ++ /* Restore original suffix */ > ++ tname[namelen] = BASHFUNC_SUFFIX[0]; > + } > + #if defined (ARRAY_VARS) > + # if 0 > +@@ -2207,7 +2226,7 @@ assign_in_env (word) > + var->context = variable_context; /* XXX */ > + > + INVALIDATE_EXPORTSTR (var); > +- var->exportstr = mk_env_string (name, value); > ++ var->exportstr = mk_env_string (name, value, 0); > + > + array_needs_making = 1; > + > +@@ -2998,21 +3017,42 @@ merge_temporary_env () > + /* **************************************************************** */ > + > + static inline char * > +-mk_env_string (name, value) > ++mk_env_string (name, value, isfunc) > + const char *name, *value; > ++ int isfunc; > + { > +- int name_len, value_len; > +- char *p; > ++ size_t name_len, value_len; > ++ char *p, *q; > + > + name_len = strlen (name); > + value_len = STRLEN (value); > +- p = (char *)xmalloc (2 + name_len + value_len); > +- strcpy (p, name); > +- p[name_len] = '='; > ++ > ++ /* If we are exporting a shell function, construct the encoded function > ++ name. */ > ++ if (isfunc && value) > ++ { > ++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + > value_len + 2); > ++ q = p; > ++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN); > ++ q += BASHFUNC_PREFLEN; > ++ memcpy (q, name, name_len); > ++ q += name_len; > ++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN); > ++ q += BASHFUNC_SUFFLEN; > ++ } > ++ else > ++ { > ++ p = (char *)xmalloc (2 + name_len + value_len); > ++ memcpy (p, name, name_len); > ++ q = p + name_len; > ++ } > ++ > ++ q[0] = '='; > + if (value && *value) > +- strcpy (p + name_len + 1, value); > ++ memcpy (q + 1, value, value_len + 1); > + else > +- p[name_len + 1] = '\0'; > ++ q[1] = '\0'; > ++ > + return (p); > + } > + > +@@ -3087,7 +3127,7 @@ make_env_array_from_var_list (vars) > + /* Gee, I'd like to get away with not using savestring() if we're > + using the cached exportstr... */ > + list[list_index] = USE_EXPORTSTR ? savestring (value) > +- : mk_env_string (var->name, value); > ++ : mk_env_string (var->name, value, > function_p (var)); > + > + if (USE_EXPORTSTR == 0) > + SAVE_EXPORTSTR (var, list[list_index]); > +-- > +1.9.1 > + > diff --git a/patches/bash-3.2.48/series b/patches/bash-3.2.48/series > index 0ede824..9ae2d65 100644 > --- a/patches/bash-3.2.48/series > +++ b/patches/bash-3.2.48/series > @@ -2,3 +2,5 @@ > 0002-bash-3.2-patch50.patch > 0003-bash-3.2-patch51.patch > 0004-bash-3.2-patch52.patch > +0005-bash-3.2-patch53.patch > +0006-bash-3.2-patch54.patch > -- > 1.9.1 > > > -- > ptxdist mailing list > [email protected] > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list [email protected]
