bash/bash43-030

			     BASH PATCH REPORT
			     =================

Bash-Release:	4.3
Patch-ID:	bash43-030

Bug-Reported-by:	Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

A combination of nested command substitutions and function importing from
the environment can cause bash to execute code appearing in the environment
variable value following the function definition.

Patch (apply with `patch -p0'):

*** ../bash-4.3.29/builtins/evalstring.c	2014-10-01 12:57:47.000000000 -0400
--- builtins/evalstring.c	2014-10-03 11:57:04.000000000 -0400
***************
*** 309,318 ****
  	      struct fd_bitmap *bitmap;
  
! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
  		{
! 		  internal_warning ("%s: ignoring function definition attempt", from_file);
! 		  should_jump_to_top_level = 0;
! 		  last_result = last_command_exit_value = EX_BADUSAGE;
! 		  break;
  		}
  
--- 313,335 ----
  	      struct fd_bitmap *bitmap;
  
! 	      if (flags & SEVAL_FUNCDEF)
  		{
! 		  char *x;
! 
! 		  /* If the command parses to something other than a straight
! 		     function definition, or if we have not consumed the entire
! 		     string, or if the parser has transformed the function
! 		     name (as parsing will if it begins or ends with shell
! 		     whitespace, for example), reject the attempt */
! 		  if (command->type != cm_function_def ||
! 		      ((x = parser_remaining_input ()) && *x) ||
! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))
! 		    {
! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);
! 		      should_jump_to_top_level = 0;
! 		      last_result = last_command_exit_value = EX_BADUSAGE;
! 		      reset_parser ();
! 		      break;
! 		    }
  		}
  
***************
*** 379,383 ****
  
  	      if (flags & SEVAL_ONECMD)
! 		break;
  	    }
  	}
--- 396,403 ----
  
  	      if (flags & SEVAL_ONECMD)
! 		{
! 		  reset_parser ();
! 		  break;
! 		}
  	    }
  	}
*** ../bash-4.3.29/parse.y	2014-10-01 12:58:43.000000000 -0400
--- parse.y	2014-10-03 14:48:59.000000000 -0400
***************
*** 2539,2542 ****
--- 2539,2552 ----
  }
  
+ char *
+ parser_remaining_input ()
+ {
+   if (shell_input_line == 0)
+     return 0;
+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+     return '\0';	/* XXX */
+   return (shell_input_line + shell_input_line_index);
+ }
+ 
  #ifdef INCLUDE_UNUSED
  /* Back the input pointer up by one, effectively `ungetting' a character. */
***************
*** 4028,4033 ****
    /* reset_parser clears shell_input_line and associated variables */
    restore_input_line_state (&ls);
!   if (interactive)
!     token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
--- 4053,4058 ----
    /* reset_parser clears shell_input_line and associated variables */
    restore_input_line_state (&ls);
! 
!   token_to_read = 0;
  
    /* Need to find how many characters parse_and_execute consumed, update
*** ../bash-4.3.29/shell.h	2014-10-01 12:57:39.000000000 -0400
--- shell.h	2014-10-03 14:49:12.000000000 -0400
***************
*** 181,184 ****
--- 181,186 ----
  
  /* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+ 
  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
  extern void restore_parser_state __P((sh_parser_state_t *));
*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 29
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 30
  
  #endif /* _PATCHLEVEL_H_ */
Patchlevel 30 2014-10-06 05:06:32 +00:00			`BASH PATCH REPORT`
			`=================`

			`Bash-Release: 4.3`
			`Patch-ID: bash43-030`

			`Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>`
			`Bug-Reference-ID:`
			`Bug-Reference-URL:`

			`Bug-Description:`

			`A combination of nested command substitutions and function importing from`
			`the environment can cause bash to execute code appearing in the environment`
			`variable value following the function definition.`

			Patch (apply with `patch -p0'):

			`*** ../bash-4.3.29/builtins/evalstring.c 2014-10-01 12:57:47.000000000 -0400`
			`--- builtins/evalstring.c 2014-10-03 11:57:04.000000000 -0400`
			`***************`
			`* 309,318 **`
			`struct fd_bitmap *bitmap;`

			`! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)`
			`{`
			`! internal_warning ("%s: ignoring function definition attempt", from_file);`
			`! should_jump_to_top_level = 0;`
			`! last_result = last_command_exit_value = EX_BADUSAGE;`
			`! break;`
			`}`

			`--- 313,335 ----`
			`struct fd_bitmap *bitmap;`

			`! if (flags & SEVAL_FUNCDEF)`
			`{`
			`! char *x;`
			`!`
			`! /* If the command parses to something other than a straight`
			`! function definition, or if we have not consumed the entire`
			`! string, or if the parser has transformed the function`
			`! name (as parsing will if it begins or ends with shell`
			`! whitespace, for example), reject the attempt */`
			`! if (command->type != cm_function_def \|\|`
			`! ((x = parser_remaining_input ()) && *x) \|\|`
			`! (STREQ (from_file, command->value.Function_def->name->word) == 0))`
			`! {`
			`! internal_warning (_("%s: ignoring function definition attempt"), from_file);`
			`! should_jump_to_top_level = 0;`
			`! last_result = last_command_exit_value = EX_BADUSAGE;`
			`! reset_parser ();`
			`! break;`
			`! }`
			`}`

			`***************`
			`* 379,383 **`

			`if (flags & SEVAL_ONECMD)`
			`! break;`
			`}`
			`}`
			`--- 396,403 ----`

			`if (flags & SEVAL_ONECMD)`
			`! {`
			`! reset_parser ();`
			`! break;`
			`! }`
			`}`
			`}`
			`*** ../bash-4.3.29/parse.y 2014-10-01 12:58:43.000000000 -0400`
			`--- parse.y 2014-10-03 14:48:59.000000000 -0400`
			`***************`
			`* 2539,2542 **`
			`--- 2539,2552 ----`
			`}`

			`+ char *`
			`+ parser_remaining_input ()`
			`+ {`
			`+ if (shell_input_line == 0)`
			`+ return 0;`
			`+ if (shell_input_line_index < 0 \|\| shell_input_line_index >= shell_input_line_len)`
			`+ return '\0'; /* XXX */`
			`+ return (shell_input_line + shell_input_line_index);`
			`+ }`
			`+`
			`#ifdef INCLUDE_UNUSED`
			/* Back the input pointer up by one, effectively `ungetting' a character. */
			`***************`
			`* 4028,4033 **`
			`/* reset_parser clears shell_input_line and associated variables */`
			`restore_input_line_state (&ls);`
			`! if (interactive)`
			`! token_to_read = 0;`

			`/* Need to find how many characters parse_and_execute consumed, update`
			`--- 4053,4058 ----`
			`/* reset_parser clears shell_input_line and associated variables */`
			`restore_input_line_state (&ls);`
			`!`
			`! token_to_read = 0;`

			`/* Need to find how many characters parse_and_execute consumed, update`
			`*** ../bash-4.3.29/shell.h 2014-10-01 12:57:39.000000000 -0400`
			`--- shell.h 2014-10-03 14:49:12.000000000 -0400`
			`***************`
			`* 181,184 **`
			`--- 181,186 ----`

			`/* Let's try declaring these here. */`
			`+ extern char *parser_remaining_input __P((void));`
			`+`
			`extern sh_parser_state_t save_parser_state __P((sh_parser_state_t ));`
			`extern void restore_parser_state __P((sh_parser_state_t *));`
			`*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500`
			`--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400`
			`***************`
			`* 26,30 **`
			`looks for to find the patch level (for the sccs version string). */`

			`! #define PATCHLEVEL 29`

			`#endif /* _PATCHLEVEL_H_ */`
			`--- 26,30 ----`
			`looks for to find the patch level (for the sccs version string). */`

			`! #define PATCHLEVEL 30`

			`#endif /* _PATCHLEVEL_H_ */`