rpms/bash
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Patchlevel 28

Browse Source
This commit is contained in:
Ondrej Oprala 2014-10-02 12:20:20 +02:00
parent 6319f7c362
commit 70b49a47e3
7 changed files with 2557 additions and 261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bash-4.2-cve-2014-7169-0.patch
View File

@ -1,12 +0,0 @@
*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400
--- parse.y 2014-09-24 22:47:28.000000000 -0400
***************
*** 2959,2962 ****
--- 2959,2964 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
current_token = '\n'; /* XXX */
last_read_token = '\n';

155
bash-4.2-cve-2014-7169-1.patch
View File

@ -1,155 +0,0 @@
--- ../bash-4.2-orig/variables.c 2014-09-25 13:07:59.313209541 +0200
+++ variables.c 2014-09-25 13:15:29.869420719 +0200
@@ -268,7 +268,7 @@
static void propagate_temp_var __P((PTR_T));
static void dispose_temporary_env __P((sh_free_func_t *));
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
static char **make_env_array_from_var_list __P((SHELL_VAR **));
static char **make_var_export_array __P((VAR_CONTEXT *));
static char **make_func_export_array __P((void));
@@ -301,6 +301,14 @@
#endif
}
+/* Prefix and suffix for environment variable names which contain
+ shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
+
+
/* Initialize the shell variables from the current environment.
If PRIVMODE is nonzero, don't import functions from ENV or
parse $SHELLOPTS. */
@@ -338,36 +346,48 @@
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
- {
- string_length = strlen (string);
- temp_string = (char *)xmalloc (3 + string_length + char_index);
+ if (privmode == 0 && read_but_dont_execute == 0
+ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+ && STREQN ("() {", string, 4))
+ {
+ size_t name_length
+ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+ char *temp_name = name + FUNCDEF_PREFIX_LEN;
+ /* Temporarily remove the suffix. */
+ temp_name[name_length] = '\0';
- strcpy (temp_string, name);
- temp_string[char_index] = ' ';
- strcpy (temp_string + char_index + 1, string);
+ string_length = strlen (string);
+ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+ memcpy (temp_string, temp_name, name_length);
+ temp_string[name_length] = ' ';
+ memcpy (temp_string + name_length + 1, string, string_length + 1);
/* Don't import function names that are invalid identifiers from the
environment, though we still allow them to be defined as shell
variables. */
- if (legal_identifier (name))
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ if (legal_identifier (temp_name))
+ parse_and_execute (temp_string, temp_name,
+ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
- if (temp_var = find_function (name))
+ if (temp_var = find_function (temp_name))
{
VSETATTR (temp_var, (att_exported|att_imported));
array_needs_making = 1;
}
else
{
if (temp_var = bind_variable (name, string, 0))
{
VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
array_needs_making = 1;
}
last_command_exit_value = 1;
report_error (_("error importing function definition for `%s'"), name);
}
+
+ /* Restore the original suffix. */
+ temp_name[name_length] = FUNCDEF_SUFFIX[0];
}
#if defined (ARRAY_VARS)
# if ARRAY_EXPORT
@@ -2537,7 +2557,7 @@
var->context = variable_context; /* XXX */
INVALIDATE_EXPORTSTR (var);
- var->exportstr = mk_env_string (name, value);
+ var->exportstr = mk_env_string (name, value, 0);
array_needs_making = 1;
@@ -3388,22 +3408,43 @@
/* */
/* **************************************************************** */
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+ which case it is treated as empty). Otherwise, decorate NAME with
+ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */
static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
const char *name, *value;
+ int functionp;
{
- int name_len, value_len;
- char *p;
+ size_t name_len, value_len;
+ char *p, *q;
name_len = strlen (name);
value_len = STRLEN (value);
- p = (char *)xmalloc (2 + name_len + value_len);
- strcpy (p, name);
- p[name_len] = '=';
+ if (functionp && value != NULL)
+ {
+ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+ + 1 + value_len + 1);
+ q = p;
+ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+ q += FUNCDEF_PREFIX_LEN;
+ memcpy (q, name, name_len);
+ q += name_len;
+ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+ q += FUNCDEF_SUFFIX_LEN;
+ }
+ else
+ {
+ p = (char *)xmalloc (name_len + 1 + value_len + 1);
+ memcpy (p, name, name_len);
+ q = p + name_len;
+ }
+ q[0] = '=';
if (value && *value)
- strcpy (p + name_len + 1, value);
+ memcpy (q + 1, value, value_len + 1);
else
- p[name_len + 1] = '\0';
+ q[1] = '\0';
return (p);
}
@@ -3489,7 +3530,7 @@
/* Gee, I'd like to get away with not using savestring() if we're
using the cached exportstr... */
list[list_index] = USE_EXPORTSTR ? savestring (value)
- : mk_env_string (var->name, value);
+ : mk_env_string (var->name, value, function_p (var));
if (USE_EXPORTSTR == 0)
SAVE_EXPORTSTR (var, list[list_index]);

83
bash-4.2-cve-2014-7169-2.patch
View File

@ -1,83 +0,0 @@
--- ../bash-4.2-orig/parse.y 2014-09-25 13:07:59.218209276 +0200
+++ parse.y 2014-09-25 15:26:52.813159810 +0200
@@ -264,9 +264,21 @@
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
int need_here_doc;
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+ /* Guard against oveflow. */
+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+ abort ();
+ redir_stack = xrealloc (redir_stack,
+ (need_here_doc + 1) * sizeof (*redir_stack));
+ redir_stack[need_here_doc++] = redir;
+}
+
/* Where shell input comes from. History expansion is performed on each
line when the shell is interactive. */
static char *shell_input_line = (char *)NULL;
@@ -519,42 +531,42 @@
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_MINUS WORD
{
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS_MINUS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS_MINUS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_LESS WORD
{
@@ -4757,7 +4769,7 @@
case CASE:
case SELECT:
case FOR:
- if (word_top < MAX_CASE_NEST)
+ if (word_top + 1 < MAX_CASE_NEST)
word_top++;
word_lineno[word_top] = line_number;
break;

22
bash.spec
View File

@ -1,5 +1,5 @@
#% define beta_tag rc2
%define patchleveltag .25
%define patchleveltag .28
%define baseversion 4.3
%bcond_without tests
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -7,7 +7,7 @@
Version: %{baseversion}%{patchleveltag}
Name: bash
Summary: The GNU Bourne Again shell
Release: 2%{?dist}
Release: 1%{?dist}
Group: System Environment/Shells
License: GPLv3+
Url: http://www.gnu.org/software/bash
@ -46,6 +46,9 @@ Patch022: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-022
Patch023: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-023
Patch024: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-024
Patch025: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
Patch026: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026
Patch027: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027
Patch028: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-028
# Other patches
Patch101: bash-2.02-security.patch
@ -103,12 +106,6 @@ Patch134: bash-4.3-pathexp-globignore-delim.patch
# 1102815 - fix double echoes in vi visual mode
Patch135: bash-4.3-noecho.patch
# 1146319 - cve-2014-7169
Patch136: bash-4.2-cve-2014-7169-0.patch
Patch137: bash-4.2-cve-2014-7169-1.patch
Patch138: bash-4.2-cve-2014-7169-2.patch
BuildRequires: texinfo bison
BuildRequires: ncurses-devel
BuildRequires: autoconf, gettext
@ -160,6 +157,9 @@ This package contains documentation files for %{name}.
%patch023 -p0 -b .023
%patch024 -p0 -b .024
%patch025 -p0 -b .025
%patch026 -p0 -b .026
%patch027 -p0 -b .027
%patch028 -p0 -b .028
# Other patches
%patch101 -p1 -b .security
@ -190,9 +190,6 @@ This package contains documentation files for %{name}.
%patch131 -p0 -b .keyword
%patch134 -p0 -b .delim
%patch135 -p1 -b .noecho
%patch136 -p0 -b .7169-0
%patch137 -p0 -b .7169-1
%patch138 -p0 -b .7169-2
echo %{version} > _distribution
echo %{release} > _patchlevel
@ -388,6 +385,9 @@ end
%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
%changelog
* Thu Oct 02 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.28-1
- Patchlevel 28
* Thu Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.25-2
- CVE-2014-7169
Resolves: #1146319

60
bash43-026 Normal file
View File

@ -0,0 +1,60 @@
BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-026
Bug-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Bug-Reference-ID:
Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
Bug-Description:
Under certain circumstances, bash can incorrectly save a lookahead character and
return it on a subsequent call, even when reading a new line.
Patch (apply with `patch -p0'):
*** ../bash-4.3.25/parse.y 2014-07-30 10:14:31.000000000 -0400
--- parse.y 2014-09-25 20:20:21.000000000 -0400
***************
*** 2954,2957 ****
--- 2954,2959 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
current_token = '\n'; /* XXX */
last_read_token = '\n';
*** ../bash-4.3.25/y.tab.c 2014-07-30 10:14:32.000000000 -0400
--- y.tab.c 2014-09-25 20:21:48.000000000 -0400
***************
*** 5266,5269 ****
--- 5266,5271 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
current_token = '\n'; /* XXX */
last_read_token = '\n';
***************
*** 8540,8542 ****
}
#endif /* HANDLE_MULTIBYTE */
-
--- 8542,8543 ----
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 25
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 26
#endif /* _PATCHLEVEL_H_ */

221
bash43-027 Normal file
View File

@ -0,0 +1,221 @@
BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-027
Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
Patch (apply with `patch -p0'):
*** ../bash-4.3.26/variables.c 2014-09-25 23:02:18.000000000 -0400
--- variables.c 2014-09-27 20:52:04.000000000 -0400
***************
*** 84,87 ****
--- 84,92 ----
#define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
+ #define BASHFUNC_PREFIX "BASH_FUNC_"
+ #define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
+ #define BASHFUNC_SUFFIX "%%"
+ #define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
+
extern char **environ;
***************
*** 280,284 ****
static void dispose_temporary_env __P((sh_free_func_t *));
! static inline char *mk_env_string __P((const char *, const char *));
static char **make_env_array_from_var_list __P((SHELL_VAR **));
static char **make_var_export_array __P((VAR_CONTEXT *));
--- 285,289 ----
static void dispose_temporary_env __P((sh_free_func_t *));
! static inline char *mk_env_string __P((const char *, const char *, int));
static char **make_env_array_from_var_list __P((SHELL_VAR **));
static char **make_var_export_array __P((VAR_CONTEXT *));
***************
*** 350,369 ****
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
! if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
{
string_length = strlen (string);
! temp_string = (char *)xmalloc (3 + string_length + char_index);
! strcpy (temp_string, name);
! temp_string[char_index] = ' ';
! strcpy (temp_string + char_index + 1, string);
/* Don't import function names that are invalid identifiers from the
environment, though we still allow them to be defined as shell
variables. */
! if (legal_identifier (name))
! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
! if (temp_var = find_function (name))
{
VSETATTR (temp_var, (att_exported|att_imported));
--- 355,385 ----
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
! if (privmode == 0 && read_but_dont_execute == 0 &&
! STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
! STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
! STREQN ("() {", string, 4))
{
+ size_t namelen;
+ char *tname; /* desired imported function name */
+
+ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
+
+ tname = name + BASHFUNC_PREFLEN; /* start of func name */
+ tname[namelen] = '\0'; /* now tname == func name */
+
string_length = strlen (string);
! temp_string = (char *)xmalloc (namelen + string_length + 2);
! memcpy (temp_string, tname, namelen);
! temp_string[namelen] = ' ';
! memcpy (temp_string + namelen + 1, string, string_length + 1);
/* Don't import function names that are invalid identifiers from the
environment, though we still allow them to be defined as shell
variables. */
! if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
! parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
! if (temp_var = find_function (tname))
{
VSETATTR (temp_var, (att_exported|att_imported));
***************
*** 378,383 ****
}
last_command_exit_value = 1;
! report_error (_("error importing function definition for `%s'"), name);
}
}
#if defined (ARRAY_VARS)
--- 394,402 ----
}
last_command_exit_value = 1;
! report_error (_("error importing function definition for `%s'"), tname);
}
+
+ /* Restore original suffix */
+ tname[namelen] = BASHFUNC_SUFFIX[0];
}
#if defined (ARRAY_VARS)
***************
*** 2955,2959 ****
INVALIDATE_EXPORTSTR (var);
! var->exportstr = mk_env_string (name, value);
array_needs_making = 1;
--- 2974,2978 ----
INVALIDATE_EXPORTSTR (var);
! var->exportstr = mk_env_string (name, value, 0);
array_needs_making = 1;
***************
*** 3853,3871 ****
static inline char *
! mk_env_string (name, value)
const char *name, *value;
{
! int name_len, value_len;
! char *p;
name_len = strlen (name);
value_len = STRLEN (value);
! p = (char *)xmalloc (2 + name_len + value_len);
! strcpy (p, name);
! p[name_len] = '=';
if (value && *value)
! strcpy (p + name_len + 1, value);
else
! p[name_len + 1] = '\0';
return (p);
}
--- 3872,3911 ----
static inline char *
! mk_env_string (name, value, isfunc)
const char *name, *value;
+ int isfunc;
{
! size_t name_len, value_len;
! char *p, *q;
name_len = strlen (name);
value_len = STRLEN (value);
!
! /* If we are exporting a shell function, construct the encoded function
! name. */
! if (isfunc && value)
! {
! p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
! q = p;
! memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
! q += BASHFUNC_PREFLEN;
! memcpy (q, name, name_len);
! q += name_len;
! memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
! q += BASHFUNC_SUFFLEN;
! }
! else
! {
! p = (char *)xmalloc (2 + name_len + value_len);
! memcpy (p, name, name_len);
! q = p + name_len;
! }
!
! q[0] = '=';
if (value && *value)
! memcpy (q + 1, value, value_len + 1);
else
! q[1] = '\0';
!
return (p);
}
***************
*** 3953,3957 ****
using the cached exportstr... */
list[list_index] = USE_EXPORTSTR ? savestring (value)
! : mk_env_string (var->name, value);
if (USE_EXPORTSTR == 0)
--- 3993,3997 ----
using the cached exportstr... */
list[list_index] = USE_EXPORTSTR ? savestring (value)
! : mk_env_string (var->name, value, function_p (var));
if (USE_EXPORTSTR == 0)
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 26
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 27
#endif /* _PATCHLEVEL_H_ */

2265
bash43-028 Normal file
View File

File diff suppressed because it is too large Load Diff