.

OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=171

bash-4.2-CVE-2014-6271.patch

@@ -0,0 +1,74 @@
+---
+ builtins/common.h     |    2 ++
+ builtins/evalstring.c |   11 +++++++++++
+ variables.c           |   14 ++++----------
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+--- builtins/common.h
++++ builtins/common.h	2014-09-16 23:35:45.000000000 +0000
+@@ -35,6 +35,8 @@
+ #define SEVAL_NOLONGJMP 0x040
+ 
+ /* Flags for describe_command, shared between type.def and command.def */
++#define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
++#define SEVAL_ONECMD	0x100		/* only allow a single command */
+ #define CDESC_ALL		0x001	/* type -a */
+ #define CDESC_SHORTDESC		0x002	/* command -V */
+ #define CDESC_REUSABLE		0x004	/* command -v */
+--- builtins/evalstring.c
++++ builtins/evalstring.c	2014-09-16 23:35:45.000000000 +0000
+@@ -261,6 +261,14 @@ parse_and_execute (string, from_file, fl
+ 	    {
+ 	      struct fd_bitmap *bitmap;
+ 
++	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++		{
++		  internal_warning ("%s: ignoring function definition attempt", from_file);
++		  should_jump_to_top_level = 0;
++		  last_result = last_command_exit_value = EX_BADUSAGE;
++		  break;
++		}
++
+ 	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ 	      begin_unwind_frame ("pe_dispose");
+ 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -321,6 +329,9 @@ parse_and_execute (string, from_file, fl
+ 	      dispose_command (command);
+ 	      dispose_fd_bitmap (bitmap);
+ 	      discard_unwind_frame ("pe_dispose");
++
++	      if (flags & SEVAL_ONECMD)
++		break;
+ 	    }
+ 	}
+       else
+--- variables.c
++++ variables.c	2014-09-16 23:35:45.000000000 +0000
+@@ -347,12 +347,10 @@ initialize_shell_variables (env, privmod
+ 	  temp_string[char_index] = ' ';
+ 	  strcpy (temp_string + char_index + 1, string);
+ 
+-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+-	  /* Ancient backwards compatibility.  Old versions of bash exported
+-	     functions like name()=() {...} */
+-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+-	    name[char_index - 2] = '\0';
++	  /* Don't import function names that are invalid identifiers from the
++	     environment. */
++	  if (legal_identifier (name))
++	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ 
+ 	  if (temp_var = find_function (name))
+ 	    {
+@@ -361,10 +359,6 @@ initialize_shell_variables (env, privmod
+ 	    }
+ 	  else
+ 	    report_error (_("error importing function definition for `%s'"), name);
+-
+-	  /* ( */
+-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-	    name[char_index - 2] = '(';		/* ) */
+ 	}
+ #if defined (ARRAY_VARS)
+ #  if 0

bash.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep 18 12:10:17 UTC 2014 - werner@suse.de
+
+- Add bash-4.2-CVE-2014-6271.patch
+  to fix CVE-2014-6271, the unexpected code execution with
+  environment variables (bnc#896776)
+
 -------------------------------------------------------------------
 Mon Sep 15 08:52:13 UTC 2014 - werner@suse.de
 

bash.spec

@@ -99,6 +99,8 @@ Patch42:        audit-patch
 Patch43:        audit-rl-patch
 Patch46:        man2html-no-timestamp.patch
 Patch47:        config-guess-sub-update.patch
+# PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables
+Patch48:        bash-4.2-CVE-2014-6271.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %global         _sysconfdir /etc
 %global         _incdir     %{_includedir}
@@ -320,6 +322,7 @@ done
 %endif
 %patch46 -p0 -b .notimestamp
 %patch47
+#%patch48 -p2
 %patch0  -p0 -b .0
 pushd ../readline-%{rl_vers}%{extend}
 for patch in ../readline-%{rl_vers}-patches/*; do