rpms/bash
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Inhibit code injection - patch by Stephane Chazelas

Browse Source
This commit is contained in:
Ondrej Oprala 2014-09-24 14:10:57 +02:00
parent 6faef2fd94
commit 74d1c2ed79
2 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
bash-4.3-cve-2014-6271.patch Normal file
View File

@ -0,0 +1,91 @@
*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
***************
*** 34,37 ****
--- 49,54 ----
#define SEVAL_PARSEONLY 0x020
#define SEVAL_NOLONGJMP 0x040
+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
/* Flags for describe_command, shared between type.def and command.def */
*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
***************
*** 309,312 ****
--- 313,324 ----
struct fd_bitmap *bitmap;
+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+ internal_warning ("%s: ignoring function definition attempt", from_file);
+ should_jump_to_top_level = 0;
+ last_result = last_command_exit_value = EX_BADUSAGE;
+ break;
+ }
+
bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
begin_unwind_frame ("pe_dispose");
***************
*** 369,372 ****
--- 381,387 ----
dispose_fd_bitmap (bitmap);
discard_unwind_frame ("pe_dispose");
+
+ if (flags & SEVAL_ONECMD)
+ break;
}
}
*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
--- variables.c 2014-09-14 14:23:35.000000000 -0400
***************
*** 359,369 ****
strcpy (temp_string + char_index + 1, string);
! if (posixly_correct == 0 || legal_identifier (name))
! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
!
! /* Ancient backwards compatibility. Old versions of bash exported
! functions like name()=() {...} */
! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
! name[char_index - 2] = '\0';
if (temp_var = find_function (name))
--- 364,372 ----
strcpy (temp_string + char_index + 1, string);
! /* Don't import function names that are invalid identifiers from the
! environment, though we still allow them to be defined as shell
! variables. */
! if (legal_identifier (name))
! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
if (temp_var = find_function (name))
***************
*** 382,389 ****
report_error (_("error importing function definition for `%s'"), name);
}
-
- /* ( */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
- name[char_index - 2] = '('; /* ) */
}
#if defined (ARRAY_VARS)
--- 385,388 ----
*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
--- subst.c 2014-09-12 15:31:04.000000000 -0400
***************
*** 8048,8052 ****
goto return0;
}
! else if (var = find_variable_last_nameref (temp1))
{
temp = nameref_cell (var);
--- 8118,8124 ----
goto return0;
}
! else if (var && (invisible_p (var) || var_isset (var) == 0))
! temp = (char *)NULL;
! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
{
temp = nameref_cell (var);

8
bash.spec
View File

@ -7,7 +7,7 @@
Version: %{baseversion}%{patchleveltag} Version: %{baseversion}%{patchleveltag}
Name: bash Name: bash
Summary: The GNU Bourne Again shell Summary: The GNU Bourne Again shell
Release: 1%{?dist} Release: 2%{?dist}
Group: System Environment/Shells Group: System Environment/Shells
License: GPLv3+ License: GPLv3+
Url: http://www.gnu.org/software/bash Url: http://www.gnu.org/software/bash
@ -102,6 +102,8 @@ Patch134: bash-4.3-pathexp-globignore-delim.patch
# 1102815 - fix double echoes in vi visual mode # 1102815 - fix double echoes in vi visual mode
Patch135: bash-4.3-noecho.patch Patch135: bash-4.3-noecho.patch
Patch136: bash-4.3-cve-2014-6271.patch
BuildRequires: texinfo bison BuildRequires: texinfo bison
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
BuildRequires: autoconf, gettext BuildRequires: autoconf, gettext
@ -182,6 +184,7 @@ This package contains documentation files for %{name}.
%patch131 -p0 -b .keyword %patch131 -p0 -b .keyword
%patch134 -p0 -b .delim %patch134 -p0 -b .delim
%patch135 -p1 -b .noecho %patch135 -p1 -b .noecho
%patch136 -p0 -b .6271
echo %{version} > _distribution echo %{version} > _distribution
echo %{release} > _patchlevel echo %{release} > _patchlevel
@ -377,6 +380,9 @@ end
%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
%changelog %changelog
* Wed Sep 24 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.24-2
- Inhibit code injection - patch by Stephane Chazelas
* Wed Aug 20 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.24-1 * Wed Aug 20 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.24-1
- Patchlevel 24 - Patchlevel 24