diff --git a/bash-4.2-CVE-2014-6271.patch b/bash-4.2-CVE-2014-6271.patch
new file mode 100644
index 00000000..3865d07e
--- /dev/null
+++ b/bash-4.2-CVE-2014-6271.patch
@@ -0,0 +1,74 @@
+---
+ builtins/common.h | 2 ++
+ builtins/evalstring.c | 11 +++++++++++
+ variables.c | 14 ++++----------
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+--- builtins/common.h
++++ builtins/common.h 2014-09-16 23:35:45.000000000 +0000
+@@ -35,6 +35,8 @@
+ #define SEVAL_NOLONGJMP 0x040
+
+ /* Flags for describe_command, shared between type.def and command.def */
++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++#define SEVAL_ONECMD 0x100 /* only allow a single command */
+ #define CDESC_ALL 0x001 /* type -a */
+ #define CDESC_SHORTDESC 0x002 /* command -V */
+ #define CDESC_REUSABLE 0x004 /* command -v */
+--- builtins/evalstring.c
++++ builtins/evalstring.c 2014-09-16 23:35:45.000000000 +0000
+@@ -261,6 +261,14 @@ parse_and_execute (string, from_file, fl
+ {
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+ add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -321,6 +329,9 @@ parse_and_execute (string, from_file, fl
+ dispose_command (command);
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+ else
+--- variables.c
++++ variables.c 2014-09-16 23:35:45.000000000 +0000
+@@ -347,12 +347,10 @@ initialize_shell_variables (env, privmod
+ temp_string[char_index] = ' ';
+ strcpy (temp_string + char_index + 1, string);
+
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+- /* Ancient backwards compatibility. Old versions of bash exported
+- functions like name()=() {...} */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+- name[char_index - 2] = '\0';
++ /* Don't import function names that are invalid identifiers from the
++ environment. */
++ if (legal_identifier (name))
++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+ {
+@@ -361,10 +359,6 @@ initialize_shell_variables (env, privmod
+ }
+ else
+ report_error (_("error importing function definition for `%s'"), name);
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+ # if 0
diff --git a/bash.changes b/bash.changes
index 1bc1351b..9bcb2dce 100644
--- a/bash.changes
+++ b/bash.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de
+
+- Add bash-4.2-CVE-2014-6271.patch
+ to fix CVE-2014-6271, the unexpected code execution with
+ environment variables (bnc#896776)
+
 -------------------------------------------------------------------
 Mon Sep 15 08:52:13 UTC 2014 - werner@suse.de

diff --git a/bash.spec b/bash.spec
index e5533022..229898ab 100644
--- a/bash.spec
+++ b/bash.spec
@@ -99,6 +99,8 @@ Patch42: audit-patch
 Patch43: audit-rl-patch
 Patch46: man2html-no-timestamp.patch
 Patch47: config-guess-sub-update.patch
+# PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables
+Patch48: bash-4.2-CVE-2014-6271.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %global _sysconfdir /etc
 %global _incdir %{_includedir}
@@ -320,6 +322,7 @@ done
 %endif
 %patch46 -p0 -b .notimestamp
 %patch47
+#%patch48 -p2
 %patch0 -p0 -b .0
 pushd ../readline-%{rl_vers}%{extend}
 for patch in ../readline-%{rl_vers}-patches/*; do
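Review bot: The SEVAL_FUNCDEF test added to parse_and_execute inspects `command->type`, which implies the environment-supplied string has already been through the parser by the time the check runs; the patch limits what is executed, not what is parsed, so the parser presumably stays reachable from any imported value that takes this path. I would record that limit next to the call in initialize_shell_variables, e.g. `/* The value is still parsed in full; SEVAL_FUNCDEF|SEVAL_ONECMD only restrict what is executed afterwards. */`, and track a follow-up that keeps ordinary variables away from the parser altogether. Separately, when `legal_identifier (name)` fails the call is skipped, and if parse_and_execute is what normally releases temp_string (its allocation is above the hunk, so this is inferred) the buffer is leaked; `else free (temp_string);` would cover it. In builtins/common.h the two new SEVAL_* defines land below the `/* Flags for describe_command ... */` comment and would read better directly after `SEVAL_NOLONGJMP`. Both patched functions start and end outside the inner hunks.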
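Review bot: The %prep line for the new patch is added commented out (`#%patch48 -p2`), so as far as this hunk shows bash-4.2-CVE-2014-6271.patch is declared as Patch48 but never applied during the build, while bash.changes announces the CVE-2014-6271 fix. If that is not deliberate the line should be active, probably as `%patch48 -p0`: the paths inside the patch (`builtins/common.h`, `variables.c`) carry no leading directory, so a strip level of 2 looks like it would not match, though that depends on the working directory at this point in %prep. The tag comment in the first bash.spec hunk also names bnc#895475 alongside bnc#896776, whereas bash.changes cites only bnc#896776; one of the two should be corrected. A build-time check that the patched sources contain `SEVAL_FUNCDEF` would catch a silently skipped patch.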