From 457649ce620c6f1450346c2261507581ee9b1411 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 18 May 2021 02:38:36 -0400 Subject: [PATCH] import bash-4.4.19-14.el8 --- SOURCES/bash-5.0-bgp-resize.patch | 95 +++++++++++++++++++++++++ SOURCES/bash-5.0-cve-2019-18276-2.patch | 41 +++++++++++ SPECS/bash.spec | 15 +++- 3 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 SOURCES/bash-5.0-bgp-resize.patch create mode 100644 SOURCES/bash-5.0-cve-2019-18276-2.patch diff --git a/SOURCES/bash-5.0-bgp-resize.patch b/SOURCES/bash-5.0-bgp-resize.patch new file mode 100644 index 0000000..1a3f288 --- /dev/null +++ b/SOURCES/bash-5.0-bgp-resize.patch @@ -0,0 +1,95 @@ +diff --git a/include/typemax.h b/include/typemax.h +--- a/include/typemax.h ++++ b/include/typemax.h +@@ -35,14 +35,23 @@ + # define TYPE_SIGNED(t) (! ((t) 0 < (t) -1)) + #endif + ++#ifndef TYPE_SIGNED_MAGNITUDE ++# define TYPE_SIGNED_MAGNITUDE(t) ((t) ~ (t) 0 < (t) -1) ++#endif ++ ++#ifndef TYPE_WIDTH ++# define TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT) ++#endif ++ + #ifndef TYPE_MINIMUM +-# define TYPE_MINIMUM(t) ((t) (TYPE_SIGNED (t) \ +- ? ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1) \ +- : (t) 0)) ++# define TYPE_MINIMUM(t) ((t) ~ TYPE_MAXIMUM (t)) + #endif + + #ifndef TYPE_MAXIMUM +-# define TYPE_MAXIMUM(t) ((t) (~ (t) 0 - TYPE_MINIMUM (t))) ++# define TYPE_MAXIMUM(t) \ ++ ((t) (! TYPE_SIGNED (t) \ ++ ? (t) -1 \ ++ : ((((t) 1 << (TYPE_WIDTH (t) - 2)) - 1) * 2 + 1))) + #endif + + #ifdef HAVE_LONG_LONG +diff --git a/jobs.c b/jobs.c +--- a/jobs.c ++++ b/jobs.c +@@ -72,6 +72,8 @@ + #include "execute_cmd.h" + #include "flags.h" + ++#include "typemax.h" ++ + #include "builtins/builtext.h" + #include "builtins/common.h" + +@@ -92,7 +94,7 @@ extern int killpg __P((pid_t, int)); + #endif + + #if !MAX_CHILD_MAX +-# define MAX_CHILD_MAX 8192 ++# define MAX_CHILD_MAX 32768 + #endif + + #if !defined (DEBUG) +@@ -751,7 +753,7 @@ stop_pipeline (async, deferred) + static void + bgp_resize () + { +- ps_index_t nsize; ++ ps_index_t nsize, nsize_cur, nsize_max; + ps_index_t psi; + + if (bgpids.nalloc == 0) +@@ -765,11 +767,20 @@ bgp_resize () + else + nsize = bgpids.nalloc; + +- while (nsize < js.c_childmax) +- nsize *= 2; ++ nsize_max = TYPE_MAXIMUM (ps_index_t); ++ nsize_cur = (ps_index_t)js.c_childmax; ++ if (nsize_cur < 0) /* overflow */ ++ nsize_cur = MAX_CHILD_MAX; + +- if (bgpids.nalloc < js.c_childmax) +- { ++ while (nsize > 0 && nsize < nsize_cur) /* > 0 should catch overflow */ ++ nsize <<= 1; ++ if (nsize > nsize_max || nsize <= 0) /* overflow? */ ++ nsize = nsize_max; ++ if (nsize > MAX_CHILD_MAX) ++ nsize = nsize_max = MAX_CHILD_MAX; /* hard cap */ ++ ++ if (bgpids.nalloc < nsize_cur && bgpids.nalloc < nsize_max) ++ { + bgpids.storage = (struct pidstat *)xrealloc (bgpids.storage, nsize * sizeof (struct pidstat)); + + for (psi = bgpids.nalloc; psi < nsize; psi++) +@@ -787,7 +798,7 @@ bgp_getindex () + { + ps_index_t psi; + +- if (bgpids.nalloc < js.c_childmax || bgpids.head >= bgpids.nalloc) ++ if (bgpids.nalloc < (ps_index_t)js.c_childmax || bgpids.head >= bgpids.nalloc) + bgp_resize (); + + pshash_delindex (bgpids.head); /* XXX - clear before reusing */ diff --git a/SOURCES/bash-5.0-cve-2019-18276-2.patch b/SOURCES/bash-5.0-cve-2019-18276-2.patch new file mode 100644 index 0000000..ff911e3 --- /dev/null +++ b/SOURCES/bash-5.0-cve-2019-18276-2.patch @@ -0,0 +1,41 @@ +diff --git a/configure.ac b/configure.ac +index e5162c4..b82a33b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -799,10 +799,13 @@ AC_CHECK_DECLS([confstr]) + AC_CHECK_DECLS([printf]) + AC_CHECK_DECLS([sbrk]) + AC_CHECK_DECLS([setregid]) +-AC_CHECK_DECLS[(setresuid, setresgid]) ++dnl AC_CHECK_DECLS[(setresuid]) ++dnl AC_CHECK_DECLS[(setresgid]) + AC_CHECK_DECLS([strcpy]) + AC_CHECK_DECLS([strsignal]) + ++AC_CHECK_FUNCS(setresuid setresgid) ++ + dnl Extra test to detect the horribly broken HP/UX 11.00 strtold(3) + AC_CHECK_DECLS([strtold], [ + AC_MSG_CHECKING([for broken strtold]) +diff --git a/shell.c b/shell.c +index 484d8a9..5c24922 100644 +--- a/shell.c ++++ b/shell.c +@@ -1286,7 +1286,7 @@ disable_priv_mode () + { + int e; + +-#if HAVE_DECL_SETRESUID ++#if HAVE_SETRESUID + if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0) + #else + if (setuid (current_user.uid) < 0) +@@ -1299,7 +1299,7 @@ disable_priv_mode () + exit (e); + #endif + } +-#if HAVE_DECL_SETRESGID ++#if HAVE_SETRESGID + if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0) + #else + if (setgid (current_user.gid) < 0) diff --git a/SPECS/bash.spec b/SPECS/bash.spec index cac1224..5f7e672 100644 --- a/SPECS/bash.spec +++ b/SPECS/bash.spec @@ -7,7 +7,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 12%{?dist} +Release: 14%{?dist} License: GPLv3+ Url: https://www.gnu.org/software/bash Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz @@ -106,6 +106,11 @@ Patch134: bash-5.0-shellpid-subshell.patch # 1793943 - CVE-2019-18276: when effective UID is not equal to its real UID the saved UID is # not dropped Patch135: bash-5.0-cve-2019-18276.patch +Patch136: bash-5.0-cve-2019-18276-2.patch + +# 1890888 - Took long time to return when bash -c 'exit 2 & wait $!' run in the big size LimitNPROC +# values +Patch137: bash-5.0-bgp-resize.patch BuildRequires: texinfo bison BuildRequires: ncurses-devel @@ -330,6 +335,14 @@ end %{_libdir}/pkgconfig/%{name}.pc %changelog +* Wed Nov 04 2020 Siteshwar Vashisht - 4.4.19-14 +- Fix hang when limit for nproc is very high + Resolves: #1890888 + +* Fri Oct 09 2020 Siteshwar Vashisht - 4.4.19-13 +- Correctly drop saved UID when effective UID is not equal to its real UID + Resolves: #1793943 + * Mon Jun 22 2020 Siteshwar Vashisht - 4.4.19-12 - Avoid duplicating user path entries Resolves: #1667008