From 973a4156ec581e6534722e5022469ec47d1e2610 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Mon, 15 Sep 2014 08:52:55 +0000 Subject: [PATCH 1/5] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=170 --- bash-4.2-error-getpwd.patch | 16 ++++++++++++++++ bash.changes | 7 +++++++ bash.spec | 3 +++ 3 files changed, 26 insertions(+) create mode 100644 bash-4.2-error-getpwd.patch diff --git a/bash-4.2-error-getpwd.patch b/bash-4.2-error-getpwd.patch new file mode 100644 index 00000000..2e8a501f --- /dev/null +++ b/bash-4.2-error-getpwd.patch @@ -0,0 +1,16 @@ +Backport of the corrected error message for a failing getpwd (bnc#895475) +--- + po/de.po | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- po/de.po ++++ po/de.po 2014-09-15 08:46:03.482235134 +0000 +@@ -267,7 +267,7 @@ msgstr "Fehler beim Ermitteln der Termin + #: builtins/common.c:563 + #, c-format + msgid "%s: error retrieving current directory: %s: %s\n" +-msgstr "%s: Kann das nicht aktuelle Verzeichnis wiederfinden: %s: %s\n" ++msgstr "%s: Kann das aktuelle Verzeichnis nicht wiederfinden: %s: %s\n" + + #: builtins/common.c:629 builtins/common.c:631 + #, c-format diff --git a/bash.changes b/bash.changes index edaca38c..1bc1351b 100644 --- a/bash.changes +++ b/bash.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Sep 15 08:52:13 UTC 2014 - werner@suse.de + +- Add patch bash-4.2-error-getpwd.patch + which is the backport of the corrected german error message for + a failing getpwd (bnc#895475) + ------------------------------------------------------------------- Sun Jun 29 13:24:47 UTC 2014 - schwab@linux-m68k.org diff --git a/bash.spec b/bash.spec index c50f2e3c..e5533022 100644 --- a/bash.spec +++ b/bash.spec 
@@ -93,6 +93,8 @@ Patch27: readline-6.2-xmalloc.dif Patch30: readline-6.2-destdir.patch Patch31: readline-6.2-rltrace.patch Patch40: bash-4.1-bash.bashrc.dif +# PATCH-FIX-UPSTREAM bnc#895475 -- locale de_DE.utf8 has wrong translations +Patch41: bash-4.2-error-getpwd.patch Patch42: audit-patch Patch43: audit-rl-patch Patch46: man2html-no-timestamp.patch @@ -312,6 +314,7 @@ done %patch26 -p0 -b .msgdy %patch31 -p0 -b .tmp %patch40 -p0 -b .bashrc +%patch41 -p0 -b .errgetpwd %if 0%suse_version >= 1100 %patch42 -p1 -b .audit %endif From 38da77acf122dbb44c98d16b2c0c6686bbd74acc Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 24 Sep 2014 14:40:50 +0000 Subject: [PATCH 2/5] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=171 --- bash-4.2-CVE-2014-6271.patch | 74 ++++++++++++++++++++++++++++++++++++ bash.changes | 7 ++++ bash.spec | 3 ++ 3 files changed, 84 insertions(+) create mode 100644 bash-4.2-CVE-2014-6271.patch diff --git a/bash-4.2-CVE-2014-6271.patch b/bash-4.2-CVE-2014-6271.patch new file mode 100644 index 00000000..3865d07e --- /dev/null +++ b/bash-4.2-CVE-2014-6271.patch 
@@ -0,0 +1,74 @@ +--- + builtins/common.h | 2 ++ + builtins/evalstring.c | 11 +++++++++++ + variables.c | 14 ++++---------- + 3 files changed, 17 insertions(+), 10 deletions(-) + +--- builtins/common.h ++++ builtins/common.h 2014-09-16 23:35:45.000000000 +0000 +@@ -35,6 +35,8 @@ + #define SEVAL_NOLONGJMP 0x040 + + /* Flags for describe_command, shared between type.def and command.def */ ++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++#define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ + #define CDESC_REUSABLE 0x004 /* command -v */ +--- builtins/evalstring.c ++++ builtins/evalstring.c 2014-09-16 23:35:45.000000000 +0000 +@@ -261,6 +261,14 @@ parse_and_execute (string, from_file, fl + { + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); + add_unwind_protect (dispose_fd_bitmap, bitmap); +@@ -321,6 +329,9 @@ parse_and_execute (string, from_file, fl + dispose_command (command); + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } + else +--- variables.c ++++ variables.c 2014-09-16 23:35:45.000000000 +0000 +@@ -347,12 +347,10 @@ initialize_shell_variables (env, privmod + temp_string[char_index] = ' '; + strcpy (temp_string + char_index + 1, string); + +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +- +- /* Ancient backwards compatibility. 
Old versions of bash exported +- functions like name()=() {...} */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +- name[char_index - 2] = '\0'; ++ /* Don't import function names that are invalid identifiers from the ++ environment. */ ++ if (legal_identifier (name)) ++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) + { +@@ -361,10 +359,6 @@ initialize_shell_variables (env, privmod + } + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) + # if 0 diff --git a/bash.changes b/bash.changes index 1bc1351b..9bcb2dce 100644 --- a/bash.changes +++ b/bash.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de + +- Add bash-4.2-CVE-2014-6271.patch + to fix CVE-2014-6271, the unexpected code execution with + environment variables (bnc#896776) + ------------------------------------------------------------------- Mon Sep 15 08:52:13 UTC 2014 - werner@suse.de diff --git a/bash.spec b/bash.spec index e5533022..229898ab 100644 --- a/bash.spec +++ b/bash.spec @@ -99,6 +99,8 @@ Patch42: audit-patch Patch43: audit-rl-patch Patch46: man2html-no-timestamp.patch Patch47: config-guess-sub-update.patch +# PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables +Patch48: bash-4.2-CVE-2014-6271.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir /etc %global _incdir %{_includedir} @@ -320,6 +322,7 @@ done %endif %patch46 -p0 -b .notimestamp %patch47 +#%patch48 -p2 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do From 0b62ca201a8f48d58fbb750486e03df3156ee2ca Mon Sep 17 00:00:00 2001 
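Review bot: The `SEVAL_FUNCDEF` test added to `parse_and_execute` in the evalstring.c part looks at `command->type`, so it runs only after the string taken from the environment has already been parsed; it limits what is executed, not what the parser is exposed to. I would say so at the check, e.g. `/* The string has already been parsed here; this only refuses to execute anything that is not a function definition. */`, so that the flag is not read as input validation. The early `break` in that branch also bypasses the `dispose_command (command)` that the normal path reaches in the second evalstring.c hunk; whether the rejected command is released after the loop is not visible here and should be confirmed. Both function bodies start and end outside the hunks.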
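Review bot: The tag line added above `Patch48:` still leads with `bnc#895475`, which is the translation bug referenced for `Patch41` in the previous commit; the bash.changes entry in this commit gives `bnc#896776` for the CVE. Suggested wording: `# PATCH-FIX-UPSTREAM bnc#896776 -- CVE-2014-6271: unexpected code execution with environment variables`. Anyone auditing the spec for which bug a patch closes would otherwise be sent to the wrong report.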
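Review bot: `#%patch48 -p2` in the %prep hunk leaves the CVE-2014-6271 patch unapplied, although the bash.changes entry in this same commit states that it was added to fix the issue, so a build from this revision would presumably ship without the change it advertises. Either apply it here, `%patch48 -p0` (the patch file's headers are unprefixed, `--- builtins/common.h`), or state in the changelog that the patch is staged but not yet enabled. The strip level `-p2` does not match those unprefixed paths in any case.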
From: "Dr. Werner Fink" Date: Wed, 24 Sep 2014 15:38:54 +0000 Subject: [PATCH 3/5] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=172 --- bash.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bash.spec b/bash.spec index 229898ab..0ab9139e 100644 --- a/bash.spec +++ b/bash.spec @@ -322,7 +322,7 @@ done %endif %patch46 -p0 -b .notimestamp %patch47 -#%patch48 -p2 +%patch48 -p2 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do From 4a2b782a396a2d8f56ae2ad7c56159d313093577 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 24 Sep 2014 15:41:53 +0000 Subject: [PATCH 4/5] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=173 --- bash.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bash.spec b/bash.spec index 0ab9139e..e6002932 100644 --- a/bash.spec +++ b/bash.spec @@ -322,7 +322,7 @@ done %endif %patch46 -p0 -b .notimestamp %patch47 -%patch48 -p2 +%patch48 -p0 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do From 9d9952ff2b6f3f595b812b20ff6f1a29b5e03638 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 24 Sep 2014 15:43:57 +0000 Subject: [PATCH 5/5] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=174 --- bash-4.2-CVE-2014-6271.patch | 57 ++++++++++++++++-------------------- bash.spec | 2 +- 2 files changed, 26 insertions(+), 33 deletions(-) diff --git a/bash-4.2-CVE-2014-6271.patch b/bash-4.2-CVE-2014-6271.patch index 3865d07e..4522da9a 100644 --- a/bash-4.2-CVE-2014-6271.patch +++ b/bash-4.2-CVE-2014-6271.patch 
@@ -1,23 +1,19 @@ ---- - builtins/common.h | 2 ++ - builtins/evalstring.c | 11 +++++++++++ - variables.c | 14 ++++---------- - 3 files changed, 17 insertions(+), 10 deletions(-) - ---- builtins/common.h -+++ builtins/common.h 2014-09-16 23:35:45.000000000 +0000 -@@ -35,6 +35,8 @@ +diff -ur a/bash/builtins/common.h b/bash/builtins/common.h +--- a/bash/builtins/common.h 2010-05-31 00:31:51.000000000 +0200 ++++ b/bash/builtins/common.h 2014-09-16 21:36:20.139826595 +0200 +@@ -33,6 +33,8 @@ + #define SEVAL_RESETLINE 0x010 + #define SEVAL_PARSEONLY 0x020 #define SEVAL_NOLONGJMP 0x040 - - /* Flags for describe_command, shared between type.def and command.def */ +#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ +#define SEVAL_ONECMD 0x100 /* only allow a single command */ + + /* Flags for describe_command, shared between type.def and command.def */ #define CDESC_ALL 0x001 /* type -a */ - #define CDESC_SHORTDESC 0x002 /* command -V */ - #define CDESC_REUSABLE 0x004 /* command -v */ ---- builtins/evalstring.c -+++ builtins/evalstring.c 2014-09-16 23:35:45.000000000 +0000 -@@ -261,6 +261,14 @@ parse_and_execute (string, from_file, fl +diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c +--- a/bash/builtins/evalstring.c 2010-11-23 14:22:15.000000000 +0100 ++++ b/bash/builtins/evalstring.c 2014-09-16 21:36:20.139826595 +0200 +@@ -261,6 +261,14 @@ { struct fd_bitmap *bitmap; @@ -32,7 +28,7 @@ bitmap = new_fd_bitmap (FD_BITMAP_SIZE); begin_unwind_frame ("pe_dispose"); add_unwind_protect (dispose_fd_bitmap, bitmap); -@@ -321,6 +329,9 @@ parse_and_execute (string, from_file, fl +@@ -321,6 +329,9 @@ dispose_command (command); dispose_fd_bitmap (bitmap); discard_unwind_frame ("pe_dispose"); 
@@ -42,26 +38,23 @@ } } else ---- variables.c -+++ variables.c 2014-09-16 23:35:45.000000000 +0000 -@@ -347,12 +347,10 @@ initialize_shell_variables (env, privmod +diff -ur a/bash/variables.c b/bash/variables.c +--- a/bash/variables.c 2014-09-16 21:35:34.878850652 +0200 ++++ b/bash/variables.c 2014-09-16 21:37:16.221034763 +0200 +@@ -347,7 +347,11 @@ temp_string[char_index] = ' '; strcpy (temp_string + char_index + 1, string); - parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -- -- /* Ancient backwards compatibility. Old versions of bash exported -- functions like name()=() {...} */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') -- name[char_index - 2] = '\0'; -+ /* Don't import function names that are invalid identifiers from the -+ environment. */ -+ if (legal_identifier (name)) -+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); ++ /* Don't import function names that are invalid identifiers from the ++ environment, though we still allow them to be defined as shell ++ variables. */ ++ if (legal_identifier (name)) ++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - if (temp_var = find_function (name)) - { -@@ -361,10 +359,6 @@ initialize_shell_variables (env, privmod + /* Ancient backwards compatibility. Old versions of bash exported + functions like name()=() {...} */ +@@ -361,10 +365,6 @@ } else report_error (_("error importing function definition for `%s'"), name); diff --git a/bash.spec b/bash.spec index e6002932..0ab9139e 100644 --- a/bash.spec +++ b/bash.spec @@ -322,7 +322,7 @@ done %endif %patch46 -p0 -b .notimestamp %patch47 -%patch48 -p0 +%patch48 -p2 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do
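Review bot: In the reworked variables.c part, the first inner hunk now keeps the `Ancient backwards compatibility` block as trailing context, while the second inner hunk still has an old length of 10 against a new length of 6, which suggests it still deletes the lines that put the `(` back. If so, a variable named like `name()` fails `legal_identifier`, is not parsed, but presumably still has its name cut at `char_index - 2` and never restored before `find_function (name)` runs. Please confirm against the full patch file (the rest of that inner hunk is outside this diff) and either drop the truncation as the earlier revision of the patch did, or keep the restore lines; a one-line comment such as `/* name may have been shortened by the compatibility code above */` at the `find_function` call would document whichever is intended.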