From 73b56521eed5415e99ffdb81375d76a7a40f92d6 Mon Sep 17 00:00:00 2001 From: Ondrej Oprala Date: Wed, 24 Sep 2014 14:10:57 +0200 Subject: [PATCH] Inhibit code injection - patch by Stephane Chazelas --- bash-4.3-cve-2014-6271.patch | 91 ++++++++++++++++++++++++++++++++++++ bash.spec | 8 +++- 2 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 bash-4.3-cve-2014-6271.patch diff --git a/bash-4.3-cve-2014-6271.patch b/bash-4.3-cve-2014-6271.patch new file mode 100644 index 0000000..7859d40 --- /dev/null +++ b/bash-4.3-cve-2014-6271.patch @@ -0,0 +1,91 @@ +*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400 +--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400 +*************** +*** 34,37 **** +--- 49,54 ---- + #define SEVAL_PARSEONLY 0x020 + #define SEVAL_NOLONGJMP 0x040 ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + + /* Flags for describe_command, shared between type.def and command.def */ +*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500 +--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400 +*************** +*** 309,312 **** +--- 313,324 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 369,372 **** +--- 381,387 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400 +--- variables.c 2014-09-14 14:23:35.000000000 -0400 +*************** +*** 359,369 **** + strcpy (temp_string + char_index + 1, string); + +! if (posixly_correct == 0 || legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 364,372 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment, though we still allow them to be defined as shell +! variables. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 382,389 **** + report_error (_("error importing function definition for `%s'"), name); + } +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 385,388 ---- +*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400 +--- subst.c 2014-09-12 15:31:04.000000000 -0400 +*************** +*** 8048,8052 **** + goto return0; + } +! else if (var = find_variable_last_nameref (temp1)) + { + temp = nameref_cell (var); +--- 8118,8124 ---- + goto return0; + } +! else if (var && (invisible_p (var) || var_isset (var) == 0)) +! temp = (char *)NULL; +! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) + { + temp = nameref_cell (var); diff --git a/bash.spec b/bash.spec index 4aa9e3e..4a54f9c 100644 --- a/bash.spec +++ b/bash.spec @@ -7,7 +7,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 2%{?dist} +Release: 3%{?dist} Group: System Environment/Shells License: GPLv3+ Url: http://www.gnu.org/software/bash @@ -101,6 +101,8 @@ Patch134: bash-4.3-pathexp-globignore-delim.patch # 1102815 - fix double echoes in vi visual mode Patch135: bash-4.3-noecho.patch +Patch136: bash-4.3-cve-2014-6271.patch + BuildRequires: texinfo bison BuildRequires: ncurses-devel BuildRequires: autoconf, gettext @@ -180,6 +182,7 @@ This package contains documentation files for %{name}. %patch131 -p0 -b .keyword %patch134 -p0 -b .delim %patch135 -p1 -b .noecho +%patch136 -p0 -b .6271 echo %{version} > _distribution echo %{release} > _patchlevel @@ -375,6 +378,9 @@ end %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog +* Wed Sep 24 2014 Ondrej Oprala - 4.3.22-3 +- Inhibit code injection - patch by Stephane Chazelas + * Fri Aug 15 2014 Fedora Release Engineering - 4.3.22-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild