alexlau/bash-custom-action
1
0
Fork 0
Code Pull Requests Actions Activity

.

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=175
This commit is contained in:
Dr. Werner Fink 2014-09-26 12:41:56 +00:00 committed by Git OBS Bridge
parent 9d9952ff2b
commit 8e99efa814
6 changed files with 332 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

147
bash-4.2-BSC898604.patch Normal file
View File

@ -0,0 +1,147 @@
--- ../bash-4.2-orig/variables.c 2014-09-25 13:07:59.313209541 +0200
+++ variables.c 2014-09-25 13:15:29.869420719 +0200
@@ -268,7 +268,7 @@
static void propagate_temp_var __P((PTR_T));
static void dispose_temporary_env __P((sh_free_func_t *));
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
static char **make_env_array_from_var_list __P((SHELL_VAR **));
static char **make_var_export_array __P((VAR_CONTEXT *));
static char **make_func_export_array __P((void));
@@ -301,6 +301,14 @@
#endif
}
+/* Prefix and suffix for environment variable names which contain
+ shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
+
+
/* Initialize the shell variables from the current environment.
If PRIVMODE is nonzero, don't import functions from ENV or
parse $SHELLOPTS. */
@@ -338,27 +346,39 @@
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
- {
- string_length = strlen (string);
- temp_string = (char *)xmalloc (3 + string_length + char_index);
+ if (privmode == 0 && read_but_dont_execute == 0
+ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+ && STREQN ("() {", string, 4))
+ {
+ size_t name_length
+ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+ char *temp_name = name + FUNCDEF_PREFIX_LEN;
+ /* Temporarily remove the suffix. */
+ temp_name[name_length] = '\0';
- strcpy (temp_string, name);
- temp_string[char_index] = ' ';
- strcpy (temp_string + char_index + 1, string);
+ string_length = strlen (string);
+ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+ memcpy (temp_string, temp_name, name_length);
+ temp_string[name_length] = ' ';
+ memcpy (temp_string + name_length + 1, string, string_length + 1);
/* Don't import function names that are invalid identifiers from the
environment. */
- if (legal_identifier (name))
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ if (legal_identifier (temp_name))
+ parse_and_execute (temp_string, temp_name,
+ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
- if (temp_var = find_function (name))
+ if (temp_var = find_function (temp_name))
{
VSETATTR (temp_var, (att_exported|att_imported));
array_needs_making = 1;
}
else
report_error (_("error importing function definition for `%s'"), name);
+
+ /* Restore the original suffix. */
+ temp_name[name_length] = FUNCDEF_SUFFIX[0];
}
#if defined (ARRAY_VARS)
# if 0
@@ -2537,7 +2557,7 @@
var->context = variable_context; /* XXX */
INVALIDATE_EXPORTSTR (var);
- var->exportstr = mk_env_string (name, value);
+ var->exportstr = mk_env_string (name, value, 0);
array_needs_making = 1;
@@ -3388,22 +3408,43 @@
/* */
/* **************************************************************** */
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+ which case it is treated as empty). Otherwise, decorate NAME with
+ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */
static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
const char *name, *value;
+ int functionp;
{
- int name_len, value_len;
- char *p;
+ size_t name_len, value_len;
+ char *p, *q;
name_len = strlen (name);
value_len = STRLEN (value);
- p = (char *)xmalloc (2 + name_len + value_len);
- strcpy (p, name);
- p[name_len] = '=';
+ if (functionp && value != NULL)
+ {
+ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+ + 1 + value_len + 1);
+ q = p;
+ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+ q += FUNCDEF_PREFIX_LEN;
+ memcpy (q, name, name_len);
+ q += name_len;
+ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+ q += FUNCDEF_SUFFIX_LEN;
+ }
+ else
+ {
+ p = (char *)xmalloc (name_len + 1 + value_len + 1);
+ memcpy (p, name, name_len);
+ q = p + name_len;
+ }
+ q[0] = '=';
if (value && *value)
- strcpy (p + name_len + 1, value);
+ memcpy (q + 1, value, value_len + 1);
else
- p[name_len + 1] = '\0';
+ q[1] = '\0';
return (p);
}
@@ -3489,7 +3530,7 @@
/* Gee, I'd like to get away with not using savestring() if we're
using the cached exportstr... */
list[list_index] = USE_EXPORTSTR ? savestring (value)
- : mk_env_string (var->name, value);
+ : mk_env_string (var->name, value, function_p (var));
if (USE_EXPORTSTR == 0)
SAVE_EXPORTSTR (var, list[list_index]);

73
bash-4.2-CVE-2014-6271.patch
View File

@ -1,20 +1,19 @@
diff -ur a/bash/builtins/common.h b/bash/builtins/common.h *** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400
--- a/bash/builtins/common.h 2010-05-31 00:31:51.000000000 +0200 --- builtins/common.h 2014-09-16 19:35:45.000000000 -0400
+++ b/bash/builtins/common.h 2014-09-16 21:36:20.139826595 +0200 ***************
@@ -33,6 +33,8 @@ *** 36,39 ****
#define SEVAL_RESETLINE 0x010 --- 36,41 ----
#define SEVAL_PARSEONLY 0x020
#define SEVAL_NOLONGJMP 0x040
+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
+#define SEVAL_ONECMD 0x100 /* only allow a single command */
/* Flags for describe_command, shared between type.def and command.def */ /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
#define CDESC_ALL 0x001 /* type -a */ #define CDESC_ALL 0x001 /* type -a */
diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c #define CDESC_SHORTDESC 0x002 /* command -V */
--- a/bash/builtins/evalstring.c 2010-11-23 14:22:15.000000000 +0100 *** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500
+++ b/bash/builtins/evalstring.c 2014-09-16 21:36:20.139826595 +0200 --- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
@@ -261,6 +261,14 @@ ***************
{ *** 262,265 ****
--- 262,273 ----
struct fd_bitmap *bitmap; struct fd_bitmap *bitmap;
+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) + if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
@ -27,9 +26,9 @@ diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
+ +
bitmap = new_fd_bitmap (FD_BITMAP_SIZE); bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
begin_unwind_frame ("pe_dispose"); begin_unwind_frame ("pe_dispose");
add_unwind_protect (dispose_fd_bitmap, bitmap); ***************
@@ -321,6 +329,9 @@ *** 322,325 ****
dispose_command (command); --- 330,336 ----
dispose_fd_bitmap (bitmap); dispose_fd_bitmap (bitmap);
discard_unwind_frame ("pe_dispose"); discard_unwind_frame ("pe_dispose");
+ +
@ -37,25 +36,31 @@ diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
+ break; + break;
} }
} }
else *** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500
diff -ur a/bash/variables.c b/bash/variables.c --- variables.c 2014-09-16 19:35:45.000000000 -0400
--- a/bash/variables.c 2014-09-16 21:35:34.878850652 +0200 ***************
+++ b/bash/variables.c 2014-09-16 21:37:16.221034763 +0200 *** 348,357 ****
@@ -347,7 +347,11 @@
temp_string[char_index] = ' ';
strcpy (temp_string + char_index + 1, string); strcpy (temp_string + char_index + 1, string);
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); ! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+ /* Don't import function names that are invalid identifiers from the !
+ environment, though we still allow them to be defined as shell ! /* Ancient backwards compatibility. Old versions of bash exported
+ variables. */ ! functions like name()=() {...} */
+ if (legal_identifier (name)) ! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); ! name[char_index - 2] = '\0';
/* Ancient backwards compatibility. Old versions of bash exported if (temp_var = find_function (name))
functions like name()=() {...} */ --- 348,355 ----
@@ -361,10 +365,6 @@ strcpy (temp_string + char_index + 1, string);
}
! /* Don't import function names that are invalid identifiers from the
! environment. */
! if (legal_identifier (name))
! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
if (temp_var = find_function (name))
***************
*** 362,369 ****
else else
report_error (_("error importing function definition for `%s'"), name); report_error (_("error importing function definition for `%s'"), name);
- -
@ -64,4 +69,4 @@ diff -ur a/bash/variables.c b/bash/variables.c
- name[char_index - 2] = '('; /* ) */ - name[char_index - 2] = '('; /* ) */
} }
#if defined (ARRAY_VARS) #if defined (ARRAY_VARS)
# if 0 --- 360,363 ----

11
bash-4.2-CVE-2014-7169.patch Normal file
View File

@ -0,0 +1,11 @@
*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400
--- parse.y 2014-09-24 22:47:28.000000000 -0400
***************
*** 2959,2962 ****
--- 2959,2964 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
current_token = '\n'; /* XXX */
last_read_token = '\n';

85
bash-4.2-CVE-2014-7187.patch Normal file
View File

@ -0,0 +1,85 @@
--- ../bash-4.2-orig/parse.y 2014-09-25 13:07:59.218209276 +0200
+++ parse.y 2014-09-25 15:26:52.813159810 +0200
@@ -264,9 +264,21 @@
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
int need_here_doc;
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+ /* Guard against oveflow. */
+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+ abort ();
+ redir_stack = xrealloc (redir_stack,
+ (need_here_doc + 1) * sizeof (*redir_stack));
+ redir_stack[need_here_doc++] = redir;
+}
+
/* Where shell input comes from. History expansion is performed on each
line when the shell is interactive. */
static char *shell_input_line = (char *)NULL;
@@ -519,42 +531,42 @@
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_MINUS WORD
{
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS_MINUS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS_MINUS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_LESS WORD
{
@@ -4757,7 +4769,7 @@
case CASE:
case SELECT:
case FOR:
- if (word_top < MAX_CASE_NEST)
+ if (word_top + 1 < MAX_CASE_NEST)
word_top++;
word_lineno[word_top] = line_number;
break;

11
bash.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Fri Sep 26 11:07:24 UTC 2014 - werner@suse.de
- Add patches
bash-4.2-BSC898604.patch for bsc#898604: functions via environment
hardening
bash-4.2-CVE-2014-7169.patch for bsc#898346, CVE-2014-7169:
incremental parsing fix for function environment issue
bash-4.2-CVE-2014-7187.patch for bsc#898603, CVE-2014-7186,
CVE-2014-7187: bad handling of HERE documents and for loop issue
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de

6
bash.spec
View File

@ -101,6 +101,9 @@ Patch46: man2html-no-timestamp.patch
Patch47: config-guess-sub-update.patch Patch47: config-guess-sub-update.patch
# PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables # PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables
Patch48: bash-4.2-CVE-2014-6271.patch Patch48: bash-4.2-CVE-2014-6271.patch
Patch49: bash-4.2-BSC898604.patch
Patch50: bash-4.2-CVE-2014-7169.patch
Patch51: bash-4.2-CVE-2014-7187.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%global _sysconfdir /etc %global _sysconfdir /etc
%global _incdir %{_includedir} %global _incdir %{_includedir}
@ -323,6 +326,9 @@ done
%patch46 -p0 -b .notimestamp %patch46 -p0 -b .notimestamp
%patch47 %patch47
%patch48 -p2 %patch48 -p2
%patch49 -p0
%patch50 -p0
%patch51 -p0
%patch0 -p0 -b .0 %patch0 -p0 -b .0
pushd ../readline-%{rl_vers}%{extend} pushd ../readline-%{rl_vers}%{extend}
for patch in ../readline-%{rl_vers}-patches/*; do for patch in ../readline-%{rl_vers}-patches/*; do