From b8e07aad0d76ebab61acb1138720aada6790f3cc654143f3f37d640e89ec13b7 Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Mon, 28 Nov 2016 11:43:24 +0000
Subject: [PATCH] Fix boo#1010845
OBS-URL: https://build.opensuse.org/package/show/Base:System/bash?expand=0&rev=225
---
 bash.changes | 7 +++++++
 bash.spec | 3 +++
 popd-offset-overflow.patch | 27 +++++++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 popd-offset-overflow.patch
diff --git a/bash.changes b/bash.changes
index 39c4dd2..5895cc8 100644
--- a/bash.changes
+++ b/bash.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 28 11:41:49 UTC 2016 - werner@suse.de
+
+- Add upstream patch popd-offset-overflow.patch to fix boo#1010845
+ CVE-2016-9401: bash: popd controlled free (Segmentation fault)
+ Remark: this is a simple Segmentation fault, no security risk
+
 -------------------------------------------------------------------
 Thu Nov 17 09:27:21 UTC 2016 - werner@suse.de
diff --git a/bash.spec b/bash.spec
index e12d4f7..4f9ad68 100644
--- a/bash.spec
+++ b/bash.spec
@@ -92,6 +92,8 @@ Patch27: readline-6.2-xmalloc.dif
 Patch30: readline-6.3-destdir.patch
 Patch31: readline-6.3-rltrace.patch
 Patch40: bash-4.1-bash.bashrc.dif
+# PATCH-FIX-UPSTREAM boo#1010845 -- CVE-2016-9401: bash: popd controlled free (Segmentation fault)
+Patch41: popd-offset-overflow.patch
 Patch46: man2html-no-timestamp.patch
 Patch47: bash-4.3-perl522.patch
 # PATCH-FIX-SUSE
@@ -300,6 +302,7 @@ done
 #%patch25 -p0 -b .endpw
 %patch31 -p0 -b .tmp
 %patch40 -p0 -b .bashrc
+%patch41 -p0 -b .popd
 %patch46 -p0 -b .notimestamp
 %patch47 -p0 -b .perl522
 %if %{with import_function}
diff --git a/popd-offset-overflow.patch b/popd-offset-overflow.patch
new file mode 100644
index 0000000..4e2bb81
--- /dev/null
+++ b/popd-offset-overflow.patch
@@ -0,0 +1,27 @@
+*** ../bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500
+--- builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400
+***************
+*** 366,370 ****
+ }
+
+! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+--- 366,370 ----
+ }
+
+! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+***************
+*** 388,391 ****
+--- 388,396 ----
+ of the list into place. */
+ i = (direction == '+') ? directory_list_offset - which : which;
++ if (i < 0 || i > directory_list_offset)
++ {
++ pushd_error (directory_list_offset, which_word ? which_word : "");
++ return (EXECUTION_FAILURE);
++ }
+ free (pushd_directory_list[i]);
+ directory_list_offset--;
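Review bot: The added guard before `free (pushd_directory_list[i])` in the second hunk of the embedded pushd.def patch tests `i > directory_list_offset`, so `i == directory_list_offset` still passes it. If the live entries occupy indexes 0 through directory_list_offset - 1, as the following `directory_list_offset--` suggests, that value names a slot past the last entry, and the guard would be tighter as `if (i < 0 || i >= directory_list_offset)`. Whether the equal case can reach this branch depends on code between the two hunks that is not shown here, so this is a hardening suggestion to raise upstream rather than a demonstrated fault. A one-line comment such as `/* i indexes the entry to drop; reject anything outside the stack before free() */` would also record why the second check exists alongside the range test on `which`. The enclosing function starts and ends outside the patch.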