.

OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=175
2014-09-26 12:41:56 +00:00 · 2014-09-26 12:41:56 +00:00 · 8e99efa814
commit 8e99efa814
parent 9d9952ff2b
6 changed files with 332 additions and 67 deletions
--- a/bash-4.2-BSC898604.patch
+++ b/bash-4.2-BSC898604.patch
@ -0,0 +1,147 @@
+--- ../bash-4.2-orig/variables.c	2014-09-25 13:07:59.313209541 +0200
+++ variables.c	2014-09-25 13:15:29.869420719 +0200
+@@ -268,7 +268,7 @@
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *));     
+ 
+-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
+@@ -301,6 +301,14 @@
+ #endif
+ }
+ 
+/* Prefix and suffix for environment variable names which contain
+   shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
+
+
+ /* Initialize the shell variables from the current environment.
+    If PRIVMODE is nonzero, don't import functions from ENV or
+    parse $SHELLOPTS. */
+@@ -338,27 +346,39 @@
+ 
+       /* If exported function, define it now.  Don't import functions from
+ 	 the environment in privileged mode. */
+-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+-	{
+-	  string_length = strlen (string);
+-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
+      if (privmode == 0 && read_but_dont_execute == 0
+	  && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+	  && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+	  && STREQN ("() {", string, 4))
+	{
+	  size_t name_length
+	    = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+	  char *temp_name = name + FUNCDEF_PREFIX_LEN;
+	  /* Temporarily remove the suffix. */
+	  temp_name[name_length] = '\0';
+ 
+-	  strcpy (temp_string, name);
+-	  temp_string[char_index] = ' ';
+-	  strcpy (temp_string + char_index + 1, string);
+	  string_length = strlen (string);
+	  temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+	  memcpy (temp_string, temp_name, name_length);
+	  temp_string[name_length] = ' ';
+	  memcpy (temp_string + name_length + 1, string, string_length + 1);
+ 
+ 	  /* Don't import function names that are invalid identifiers from the
+ 	     environment. */
+-	  if (legal_identifier (name))
+-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+	  if (legal_identifier (temp_name))
+	    parse_and_execute (temp_string, temp_name,
+			       SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ 
+-	  if (temp_var = find_function (name))
+	  if (temp_var = find_function (temp_name))
+ 	    {
+ 	      VSETATTR (temp_var, (att_exported|att_imported));
+ 	      array_needs_making = 1;
+ 	    }
+ 	  else
+ 	    report_error (_("error importing function definition for `%s'"), name);
+
+	  /* Restore the original suffix. */
+	  temp_name[name_length] = FUNCDEF_SUFFIX[0];
+ 	}
+ #if defined (ARRAY_VARS)
+ #  if 0
+@@ -2537,7 +2557,7 @@
+   var->context = variable_context;	/* XXX */
+ 
+   INVALIDATE_EXPORTSTR (var);
+-  var->exportstr = mk_env_string (name, value);
+  var->exportstr = mk_env_string (name, value, 0);
+ 
+   array_needs_making = 1;
+ 
+@@ -3388,22 +3408,43 @@
+ /*								    */
+ /* **************************************************************** */
+ 
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+   which case it is treated as empty).  Otherwise, decorate NAME with
+   FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+   FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces).  */
+ static inline char *
+-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
+      const char *name, *value;
+     int functionp;
+ {
+-  int name_len, value_len;
+-  char	*p;
+  size_t name_len, value_len;
+  char *p, *q;
+ 
+   name_len = strlen (name);
+   value_len = STRLEN (value);
+-  p = (char *)xmalloc (2 + name_len + value_len);
+-  strcpy (p, name);
+-  p[name_len] = '=';
+  if (functionp && value != NULL)
+    {
+      p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+			   + 1 + value_len + 1);
+      q = p;
+      memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+      q += FUNCDEF_PREFIX_LEN;
+      memcpy (q, name, name_len);
+      q += name_len;
+      memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+      q += FUNCDEF_SUFFIX_LEN;
+    }
+  else
+    {
+      p = (char *)xmalloc (name_len + 1 + value_len + 1);
+      memcpy (p, name, name_len);
+      q = p + name_len;
+    }
+  q[0] = '=';
+   if (value && *value)
+-    strcpy (p + name_len + 1, value);
+    memcpy (q + 1, value, value_len + 1);
+   else
+-    p[name_len + 1] = '\0';
+    q[1] = '\0';
+   return (p);
+ }
+ 
+@@ -3489,7 +3530,7 @@
+ 	  /* Gee, I'd like to get away with not using savestring() if we're
+ 	     using the cached exportstr... */
+ 	  list[list_index] = USE_EXPORTSTR ? savestring (value)
+-					   : mk_env_string (var->name, value);
+	    : mk_env_string (var->name, value, function_p (var));
+ 
+ 	  if (USE_EXPORTSTR == 0)
+ 	    SAVE_EXPORTSTR (var, list[list_index]);
+
--- a/bash-4.2-CVE-2014-6271.patch
+++ b/bash-4.2-CVE-2014-6271.patch
@ -1,20 +1,19 @@
-diff -ur a/bash/builtins/common.h b/bash/builtins/common.h
--- a/bash/builtins/common.h	2010-05-31 00:31:51.000000000 +0200
-+++ b/bash/builtins/common.h	2014-09-16 21:36:20.139826595 +0200
-@@ -33,6 +33,8 @@
- #define SEVAL_RESETLINE	0x010
- #define SEVAL_PARSEONLY	0x020
- #define SEVAL_NOLONGJMP 0x040
-+#define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
-+#define SEVAL_ONECMD	0x100		/* only allow a single command */
+*** ../bash-4.2.47/builtins/common.h	2010-05-30 18:31:51.000000000 -0400
+--- builtins/common.h	2014-09-16 19:35:45.000000000 -0400
+***************
+*** 36,39 ****
+--- 36,41 ----
  
  /* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
+ #define SEVAL_ONECMD	0x100		/* only allow a single command */
  #define CDESC_ALL		0x001	/* type -a */
-diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
--- a/bash/builtins/evalstring.c	2010-11-23 14:22:15.000000000 +0100
-+++ b/bash/builtins/evalstring.c	2014-09-16 21:36:20.139826595 +0200
-@@ -261,6 +261,14 @@
- 	    {
+  #define CDESC_SHORTDESC		0x002	/* command -V */
+*** ../bash-4.2.47/builtins/evalstring.c	2010-11-23 08:22:15.000000000 -0500
+--- builtins/evalstring.c	2014-09-16 19:35:45.000000000 -0400
+***************
+*** 262,265 ****
+--- 262,273 ----
  	      struct fd_bitmap *bitmap;
  
 + 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
@ -27,9 +26,9 @@ diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
 + 
  	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
  	      begin_unwind_frame ("pe_dispose");
- 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
-@@ -321,6 +329,9 @@
- 	      dispose_command (command);
+***************
+*** 322,325 ****
+--- 330,336 ----
  	      dispose_fd_bitmap (bitmap);
  	      discard_unwind_frame ("pe_dispose");
 + 
@ -37,25 +36,31 @@ diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
 + 		break;
  	    }
  	}
-       else
-diff -ur a/bash/variables.c b/bash/variables.c
--- a/bash/variables.c	2014-09-16 21:35:34.878850652 +0200
-+++ b/bash/variables.c	2014-09-16 21:37:16.221034763 +0200
-@@ -347,7 +347,11 @@
- 	  temp_string[char_index] = ' ';
+*** ../bash-4.2.47/variables.c	2011-03-01 16:15:20.000000000 -0500
+--- variables.c	2014-09-16 19:35:45.000000000 -0400
+***************
+*** 348,357 ****
  	  strcpy (temp_string + char_index + 1, string);
  
-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-+ 	  /* Don't import function names that are invalid identifiers from the
-+ 	     environment, though we still allow them to be defined as shell
-+ 	     variables. */
-+ 	  if (legal_identifier (name))
-+ 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+! 	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+! 	  /* Ancient backwards compatibility.  Old versions of bash exported
+! 	     functions like name()=() {...} */
+! 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! 	    name[char_index - 2] = '\0';
  
- 	  /* Ancient backwards compatibility.  Old versions of bash exported
- 	     functions like name()=() {...} */
-@@ -361,10 +365,6 @@
- 	    }
+  	  if (temp_var = find_function (name))
+--- 348,355 ----
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  /* Don't import function names that are invalid identifiers from the
+! 	     environment. */
+! 	  if (legal_identifier (name))
+! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+  	  if (temp_var = find_function (name))
+***************
+*** 362,369 ****
  	  else
  	    report_error (_("error importing function definition for `%s'"), name);
 - 
@ -64,4 +69,4 @@ diff -ur a/bash/variables.c b/bash/variables.c
 - 	    name[char_index - 2] = '(';		/* ) */
  	}
  #if defined (ARRAY_VARS)
- #  if 0
+--- 360,363 ----
--- a/bash-4.2-CVE-2014-7169.patch
+++ b/bash-4.2-CVE-2014-7169.patch
@ -0,0 +1,11 @@
+*** ../bash-20140912/parse.y	2014-08-26 15:09:42.000000000 -0400
+--- parse.y	2014-09-24 22:47:28.000000000 -0400
+***************
+*** 2959,2962 ****
+--- 2959,2964 ----
+    word_desc_to_read = (WORD_DESC *)NULL;
+  
+   eol_ungetc_lookahead = 0;
+ 
+    current_token = '\n';		/* XXX */
+    last_read_token = '\n';
--- a/bash-4.2-CVE-2014-7187.patch
+++ b/bash-4.2-CVE-2014-7187.patch
@ -0,0 +1,85 @@
+--- ../bash-4.2-orig/parse.y	2014-09-25 13:07:59.218209276 +0200
+++ parse.y	2014-09-25 15:26:52.813159810 +0200
+@@ -264,9 +264,21 @@
+ 
+ /* Variables to manage the task of reading here documents, because we need to
+    defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
+ int need_here_doc;
+ 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+    abort ();
+  redir_stack = xrealloc (redir_stack,
+			  (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
+ /* Where shell input comes from.  History expansion is performed on each
+    line when the shell is interactive. */
+ static char *shell_input_line = (char *)NULL;
+@@ -519,42 +531,42 @@
+ 			  source.dest = 0;
+ 			  redir.filename = $2;
+ 			  $$ = make_redirection (source, r_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	NUMBER LESS_LESS WORD
+ 			{
+ 			  source.dest = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	REDIR_WORD LESS_LESS WORD
+ 			{
+ 			  source.filename = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	LESS_LESS_MINUS WORD
+ 			{
+ 			  source.dest = 0;
+ 			  redir.filename = $2;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	NUMBER LESS_LESS_MINUS WORD
+ 			{
+ 			  source.dest = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	REDIR_WORD  LESS_LESS_MINUS WORD
+ 			{
+ 			  source.filename = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
+ 			}
+ 	|	LESS_LESS_LESS WORD
+ 			{
+@@ -4757,7 +4769,7 @@
+     case CASE:
+     case SELECT:
+     case FOR:
+-      if (word_top < MAX_CASE_NEST)
+      if (word_top + 1 < MAX_CASE_NEST)
+ 	word_top++;
+       word_lineno[word_top] = line_number;
+       break;
+
+
--- a/bash.changes
+++ b/bash.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Sep 26 11:07:24 UTC 2014 - werner@suse.de
+
+- Add patches
+  bash-4.2-BSC898604.patch for bsc#898604: functions via environment
+  hardening
+  bash-4.2-CVE-2014-7169.patch for bsc#898346, CVE-2014-7169:
+  incremental parsing fix for function environment issue
+  bash-4.2-CVE-2014-7187.patch for bsc#898603, CVE-2014-7186,
+  CVE-2014-7187: bad handling of HERE documents and for loop issue
+
 -------------------------------------------------------------------
 Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de

--- a/bash.spec
+++ b/bash.spec
@ -101,6 +101,9 @@ Patch46:        man2html-no-timestamp.patch
 Patch47:        config-guess-sub-update.patch
 # PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables
 Patch48:        bash-4.2-CVE-2014-6271.patch
+Patch49:        bash-4.2-BSC898604.patch
+Patch50:        bash-4.2-CVE-2014-7169.patch
+Patch51:        bash-4.2-CVE-2014-7187.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %global         _sysconfdir /etc
 %global         _incdir     %{_includedir}
@ -323,6 +326,9 @@ done
 %patch46 -p0 -b .notimestamp
 %patch47
 %patch48 -p2
+%patch49 -p0
+%patch50 -p0
+%patch51 -p0
 %patch0  -p0 -b .0
 pushd ../readline-%{rl_vers}%{extend}
 for patch in ../readline-%{rl_vers}-patches/*; do