From 8e99efa814c8244daa5ededdab2d30d102c007b3 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Fri, 26 Sep 2014 12:41:56 +0000 Subject: [PATCH] . OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=175 --- bash-4.2-BSC898604.patch | 147 +++++++++++++++++++++++++++++++++++ bash-4.2-CVE-2014-6271.patch | 139 +++++++++++++++++---------------- bash-4.2-CVE-2014-7169.patch | 11 +++ bash-4.2-CVE-2014-7187.patch | 85 ++++++++++++++++++++ bash.changes | 11 +++ bash.spec | 6 ++ 6 files changed, 332 insertions(+), 67 deletions(-) create mode 100644 bash-4.2-BSC898604.patch create mode 100644 bash-4.2-CVE-2014-7169.patch create mode 100644 bash-4.2-CVE-2014-7187.patch diff --git a/bash-4.2-BSC898604.patch b/bash-4.2-BSC898604.patch new file mode 100644 index 00000000..8d132484 --- /dev/null +++ b/bash-4.2-BSC898604.patch @@ -0,0 +1,147 @@ +--- ../bash-4.2-orig/variables.c 2014-09-25 13:07:59.313209541 +0200 ++++ variables.c 2014-09-25 13:15:29.869420719 +0200 +@@ -268,7 +268,7 @@ + static void propagate_temp_var __P((PTR_T)); + static void dispose_temporary_env __P((sh_free_func_t *)); + +-static inline char *mk_env_string __P((const char *, const char *)); ++static inline char *mk_env_string __P((const char *, const char *, int)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); + static char **make_func_export_array __P((void)); +@@ -301,6 +301,14 @@ + #endif + } + ++/* Prefix and suffix for environment variable names which contain ++ shell functions. */ ++#define FUNCDEF_PREFIX "BASH_FUNC_" ++#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX)) ++#define FUNCDEF_SUFFIX "()" ++#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX)) ++ ++ + /* Initialize the shell variables from the current environment. + If PRIVMODE is nonzero, don't import functions from ENV or + parse $SHELLOPTS. */ +@@ -338,27 +346,39 @@ + + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) +- { +- string_length = strlen (string); +- temp_string = (char *)xmalloc (3 + string_length + char_index); ++ if (privmode == 0 && read_but_dont_execute == 0 ++ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN) ++ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX) ++ && STREQN ("() {", string, 4)) ++ { ++ size_t name_length ++ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN); ++ char *temp_name = name + FUNCDEF_PREFIX_LEN; ++ /* Temporarily remove the suffix. */ ++ temp_name[name_length] = '\0'; + +- strcpy (temp_string, name); +- temp_string[char_index] = ' '; +- strcpy (temp_string + char_index + 1, string); ++ string_length = strlen (string); ++ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1); ++ memcpy (temp_string, temp_name, name_length); ++ temp_string[name_length] = ' '; ++ memcpy (temp_string + name_length + 1, string, string_length + 1); + + /* Don't import function names that are invalid identifiers from the + environment. */ +- if (legal_identifier (name)) +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); ++ if (legal_identifier (temp_name)) ++ parse_and_execute (temp_string, temp_name, ++ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +- if (temp_var = find_function (name)) ++ if (temp_var = find_function (temp_name)) + { + VSETATTR (temp_var, (att_exported|att_imported)); + array_needs_making = 1; + } + else + report_error (_("error importing function definition for `%s'"), name); ++ ++ /* Restore the original suffix. */ ++ temp_name[name_length] = FUNCDEF_SUFFIX[0]; + } + #if defined (ARRAY_VARS) + # if 0 +@@ -2537,7 +2557,7 @@ + var->context = variable_context; /* XXX */ + + INVALIDATE_EXPORTSTR (var); +- var->exportstr = mk_env_string (name, value); ++ var->exportstr = mk_env_string (name, value, 0); + + array_needs_making = 1; + +@@ -3388,22 +3408,43 @@ + /* */ + /* **************************************************************** */ + ++/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in ++ which case it is treated as empty). Otherwise, decorate NAME with ++ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form ++ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */ + static inline char * +-mk_env_string (name, value) ++mk_env_string (name, value, functionp) + const char *name, *value; ++ int functionp; + { +- int name_len, value_len; +- char *p; ++ size_t name_len, value_len; ++ char *p, *q; + + name_len = strlen (name); + value_len = STRLEN (value); +- p = (char *)xmalloc (2 + name_len + value_len); +- strcpy (p, name); +- p[name_len] = '='; ++ if (functionp && value != NULL) ++ { ++ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN ++ + 1 + value_len + 1); ++ q = p; ++ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN); ++ q += FUNCDEF_PREFIX_LEN; ++ memcpy (q, name, name_len); ++ q += name_len; ++ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN); ++ q += FUNCDEF_SUFFIX_LEN; ++ } ++ else ++ { ++ p = (char *)xmalloc (name_len + 1 + value_len + 1); ++ memcpy (p, name, name_len); ++ q = p + name_len; ++ } ++ q[0] = '='; + if (value && *value) +- strcpy (p + name_len + 1, value); ++ memcpy (q + 1, value, value_len + 1); + else +- p[name_len + 1] = '\0'; ++ q[1] = '\0'; + return (p); + } + +@@ -3489,7 +3530,7 @@ + /* Gee, I'd like to get away with not using savestring() if we're + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +- : mk_env_string (var->name, value); ++ : mk_env_string (var->name, value, function_p (var)); + + if (USE_EXPORTSTR == 0) + SAVE_EXPORTSTR (var, list[list_index]); + diff --git a/bash-4.2-CVE-2014-6271.patch b/bash-4.2-CVE-2014-6271.patch index 4522da9a..54e2b890 100644 --- a/bash-4.2-CVE-2014-6271.patch +++ b/bash-4.2-CVE-2014-6271.patch @@ -1,67 +1,72 @@ -diff -ur a/bash/builtins/common.h b/bash/builtins/common.h ---- a/bash/builtins/common.h 2010-05-31 00:31:51.000000000 +0200 -+++ b/bash/builtins/common.h 2014-09-16 21:36:20.139826595 +0200 -@@ -33,6 +33,8 @@ - #define SEVAL_RESETLINE 0x010 - #define SEVAL_PARSEONLY 0x020 - #define SEVAL_NOLONGJMP 0x040 -+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+#define SEVAL_ONECMD 0x100 /* only allow a single command */ - - /* Flags for describe_command, shared between type.def and command.def */ - #define CDESC_ALL 0x001 /* type -a */ -diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c ---- a/bash/builtins/evalstring.c 2010-11-23 14:22:15.000000000 +0100 -+++ b/bash/builtins/evalstring.c 2014-09-16 21:36:20.139826595 +0200 -@@ -261,6 +261,14 @@ - { - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); - add_unwind_protect (dispose_fd_bitmap, bitmap); -@@ -321,6 +329,9 @@ - dispose_command (command); - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } - else -diff -ur a/bash/variables.c b/bash/variables.c ---- a/bash/variables.c 2014-09-16 21:35:34.878850652 +0200 -+++ b/bash/variables.c 2014-09-16 21:37:16.221034763 +0200 -@@ -347,7 +347,11 @@ - temp_string[char_index] = ' '; - strcpy (temp_string + char_index + 1, string); - -- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -+ /* Don't import function names that are invalid identifiers from the -+ environment, though we still allow them to be defined as shell -+ variables. */ -+ if (legal_identifier (name)) -+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - /* Ancient backwards compatibility. Old versions of bash exported - functions like name()=() {...} */ -@@ -361,10 +365,6 @@ - } - else - report_error (_("error importing function definition for `%s'"), name); -- -- /* ( */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') -- name[char_index - 2] = '('; /* ) */ - } - #if defined (ARRAY_VARS) - # if 0 +*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 +--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 36,39 **** +--- 36,41 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 262,265 **** +--- 262,273 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 322,325 **** +--- 330,336 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 +--- variables.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 348,357 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 348,355 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 362,369 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 360,363 ---- diff --git a/bash-4.2-CVE-2014-7169.patch b/bash-4.2-CVE-2014-7169.patch new file mode 100644 index 00000000..964b91f5 --- /dev/null +++ b/bash-4.2-CVE-2014-7169.patch @@ -0,0 +1,11 @@ +*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400 +--- parse.y 2014-09-24 22:47:28.000000000 -0400 +*************** +*** 2959,2962 **** +--- 2959,2964 ---- + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + current_token = '\n'; /* XXX */ + last_read_token = '\n'; diff --git a/bash-4.2-CVE-2014-7187.patch b/bash-4.2-CVE-2014-7187.patch new file mode 100644 index 00000000..ca413d22 --- /dev/null +++ b/bash-4.2-CVE-2014-7187.patch @@ -0,0 +1,85 @@ +--- ../bash-4.2-orig/parse.y 2014-09-25 13:07:59.218209276 +0200 ++++ parse.y 2014-09-25 15:26:52.813159810 +0200 +@@ -264,9 +264,21 @@ + + /* Variables to manage the task of reading here documents, because we need to + defer the reading until after a complete command has been collected. */ +-static REDIRECT *redir_stack[10]; ++static REDIRECT **redir_stack; + int need_here_doc; + ++/* Pushes REDIR onto redir_stack, resizing it as needed. */ ++static void ++push_redir_stack (REDIRECT *redir) ++{ ++ /* Guard against oveflow. */ ++ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) ++ abort (); ++ redir_stack = xrealloc (redir_stack, ++ (need_here_doc + 1) * sizeof (*redir_stack)); ++ redir_stack[need_here_doc++] = redir; ++} ++ + /* Where shell input comes from. History expansion is performed on each + line when the shell is interactive. */ + static char *shell_input_line = (char *)NULL; +@@ -519,42 +531,42 @@ + source.dest = 0; + redir.filename = $2; + $$ = make_redirection (source, r_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | NUMBER LESS_LESS WORD + { + source.dest = $1; + redir.filename = $3; + $$ = make_redirection (source, r_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | REDIR_WORD LESS_LESS WORD + { + source.filename = $1; + redir.filename = $3; + $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | LESS_LESS_MINUS WORD + { + source.dest = 0; + redir.filename = $2; + $$ = make_redirection (source, r_deblank_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | NUMBER LESS_LESS_MINUS WORD + { + source.dest = $1; + redir.filename = $3; + $$ = make_redirection (source, r_deblank_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | REDIR_WORD LESS_LESS_MINUS WORD + { + source.filename = $1; + redir.filename = $3; + $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | LESS_LESS_LESS WORD + { +@@ -4757,7 +4769,7 @@ + case CASE: + case SELECT: + case FOR: +- if (word_top < MAX_CASE_NEST) ++ if (word_top + 1 < MAX_CASE_NEST) + word_top++; + word_lineno[word_top] = line_number; + break; + + diff --git a/bash.changes b/bash.changes index 9bcb2dce..5bdd8969 100644 --- a/bash.changes +++ b/bash.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Sep 26 11:07:24 UTC 2014 - werner@suse.de + +- Add patches + bash-4.2-BSC898604.patch for bsc#898604: functions via environment + hardening + bash-4.2-CVE-2014-7169.patch for bsc#898346, CVE-2014-7169: + incremental parsing fix for function environment issue + bash-4.2-CVE-2014-7187.patch for bsc#898603, CVE-2014-7186, + CVE-2014-7187: bad handling of HERE documents and for loop issue + ------------------------------------------------------------------- Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de diff --git a/bash.spec b/bash.spec index 0ab9139e..96634c30 100644 --- a/bash.spec +++ b/bash.spec @@ -101,6 +101,9 @@ Patch46: man2html-no-timestamp.patch Patch47: config-guess-sub-update.patch # PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables Patch48: bash-4.2-CVE-2014-6271.patch +Patch49: bash-4.2-BSC898604.patch +Patch50: bash-4.2-CVE-2014-7169.patch +Patch51: bash-4.2-CVE-2014-7187.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir /etc %global _incdir %{_includedir} @@ -323,6 +326,9 @@ done %patch46 -p0 -b .notimestamp %patch47 %patch48 -p2 +%patch49 -p0 +%patch50 -p0 +%patch51 -p0 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do