Patchlevel 30

This commit is contained in:
Ondrej Oprala 2014-10-06 07:06:32 +02:00
parent a3009e6751
commit 915e5b4463
3 changed files with 200 additions and 1 deletions

View File

@ -1,5 +1,5 @@
#% define beta_tag rc2
%define patchleveltag .28
%define patchleveltag .30
%define baseversion 4.3
%bcond_without tests
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -58,6 +58,9 @@ Patch027: bash-4.2-cve-2014-7169-1.patch
#patchlevel 28
Patch028: bash-4.2-cve-2014-7169-2.patch
Patch029: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029
Patch030: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030
# Other patches
Patch101: bash-2.02-security.patch
@ -169,6 +172,8 @@ This package contains documentation files for %{name}.
%patch026 -p0 -b .026
%patch027 -p0 -b .7169-1
%patch028 -p0 -b .7169-2
%patch029 -p0 -b .029
%patch030 -p0 -b .030
# Other patches
%patch101 -p1 -b .security
@ -394,6 +399,9 @@ end
%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
%changelog
* Thu Oct 06 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.30-1
- Patchlevel 30
* Mon Oct 06 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.28-1
- RedHat's patchlevel 28

59
bash43-029 Normal file
View File

@ -0,0 +1,59 @@
BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-029
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized. This can result in an invalid memory access when the parsed
function is later copied.
Patch (apply with `patch -p0'):
*** ../bash-4.3.28/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
--- make_cmd.c 2014-10-02 11:24:23.000000000 -0400
***************
*** 693,696 ****
--- 693,697 ----
temp->redirector = source;
temp->redirectee = dest_and_filename;
+ temp->here_doc_eof = 0;
temp->instruction = instruction;
temp->flags = 0;
*** ../bash-4.3.28/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
--- copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
***************
*** 127,131 ****
case r_reading_until:
case r_deblank_reading_until:
! new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
/*FALLTHROUGH*/
case r_reading_string:
--- 127,131 ----
case r_reading_until:
case r_deblank_reading_until:
! new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
/*FALLTHROUGH*/
case r_reading_string:
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 26
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 29
#endif /* _PATCHLEVEL_H_ */

132
bash43-030 Normal file
View File

@ -0,0 +1,132 @@
BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-030
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
A combination of nested command substitutions and function importing from
the environment can cause bash to execute code appearing in the environment
variable value following the function definition.
Patch (apply with `patch -p0'):
*** ../bash-4.3.29/builtins/evalstring.c 2014-10-01 12:57:47.000000000 -0400
--- builtins/evalstring.c 2014-10-03 11:57:04.000000000 -0400
***************
*** 309,318 ****
struct fd_bitmap *bitmap;
! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
{
! internal_warning ("%s: ignoring function definition attempt", from_file);
! should_jump_to_top_level = 0;
! last_result = last_command_exit_value = EX_BADUSAGE;
! break;
}
--- 313,335 ----
struct fd_bitmap *bitmap;
! if (flags & SEVAL_FUNCDEF)
{
! char *x;
!
! /* If the command parses to something other than a straight
! function definition, or if we have not consumed the entire
! string, or if the parser has transformed the function
! name (as parsing will if it begins or ends with shell
! whitespace, for example), reject the attempt */
! if (command->type != cm_function_def ||
! ((x = parser_remaining_input ()) && *x) ||
! (STREQ (from_file, command->value.Function_def->name->word) == 0))
! {
! internal_warning (_("%s: ignoring function definition attempt"), from_file);
! should_jump_to_top_level = 0;
! last_result = last_command_exit_value = EX_BADUSAGE;
! reset_parser ();
! break;
! }
}
***************
*** 379,383 ****
if (flags & SEVAL_ONECMD)
! break;
}
}
--- 396,403 ----
if (flags & SEVAL_ONECMD)
! {
! reset_parser ();
! break;
! }
}
}
*** ../bash-4.3.29/parse.y 2014-10-01 12:58:43.000000000 -0400
--- parse.y 2014-10-03 14:48:59.000000000 -0400
***************
*** 2539,2542 ****
--- 2539,2552 ----
}
+ char *
+ parser_remaining_input ()
+ {
+ if (shell_input_line == 0)
+ return 0;
+ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
+ return '\0'; /* XXX */
+ return (shell_input_line + shell_input_line_index);
+ }
+
#ifdef INCLUDE_UNUSED
/* Back the input pointer up by one, effectively `ungetting' a character. */
***************
*** 4028,4033 ****
/* reset_parser clears shell_input_line and associated variables */
restore_input_line_state (&ls);
! if (interactive)
! token_to_read = 0;
/* Need to find how many characters parse_and_execute consumed, update
--- 4053,4058 ----
/* reset_parser clears shell_input_line and associated variables */
restore_input_line_state (&ls);
!
! token_to_read = 0;
/* Need to find how many characters parse_and_execute consumed, update
*** ../bash-4.3.29/shell.h 2014-10-01 12:57:39.000000000 -0400
--- shell.h 2014-10-03 14:49:12.000000000 -0400
***************
*** 181,184 ****
--- 181,186 ----
/* Let's try declaring these here. */
+ extern char *parser_remaining_input __P((void));
+
extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
extern void restore_parser_state __P((sh_parser_state_t *));
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 29
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 30
#endif /* _PATCHLEVEL_H_ */