From 7c25b00c2a8d5ab601e06628bdd5caf092c46196 Mon Sep 17 00:00:00 2001 From: Siteshwar Vashisht Date: Tue, 22 Nov 2022 14:05:54 +0100 Subject: [PATCH] Add a null check in parameter_brace_transform() function Resolves: CVE-2022-3715 --- bash-5.2-check-xform.patch | 12 ++++++++++++ bash.spec | 9 ++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 bash-5.2-check-xform.patch diff --git a/bash-5.2-check-xform.patch b/bash-5.2-check-xform.patch new file mode 100644 index 0000000..5f9f89a --- /dev/null +++ b/bash-5.2-check-xform.patch @@ -0,0 +1,12 @@ +diff --git a/subst.c b/subst.c +--- a/subst.c ++++ b/subst.c +@@ -7959,7 +7959,7 @@ parameter_brace_transform (varname, value, ind, xform, rtype, quoted, pflags, fl + return ((char *)NULL); + } + +- if (valid_parameter_transform (xform) == 0) ++ if (xform[0] == 0 || valid_parameter_transform (xform) == 0) + { + this_command_name = oname; + #if 0 /* TAG: bash-5.2 Martin Schulte 10/2020 */ diff --git a/bash.spec b/bash.spec index 1723b1b..479a928 100644 --- a/bash.spec +++ b/bash.spec @@ -6,7 +6,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3+ Url: https://www.gnu.org/software/bash Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz @@ -90,6 +90,9 @@ Patch128: bash-5.0-syslog-history.patch # 2115206 - String matching behaves differently on aarch64 Patch129: bash-5.1-mbrtowc.patch +# 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform +Patch130: bash-5.2-check-xform.patch + BuildRequires: gcc BuildRequires: texinfo bison BuildRequires: ncurses-devel @@ -321,6 +324,10 @@ end %{_libdir}/pkgconfig/%{name}.pc %changelog +* Tue Nov 22 2022 Siteshwar Vashisht - 5.1.8-6 +- Add a null check in parameter_brace_transform() function + Resolves: CVE-2022-3715 + * Mon Aug 08 2022 Siteshwar Vashisht - 5.1.8-5 - Fix an off by one error while calling mbrtowc() Resolves: #2115206