CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname
Resolves: #1377614
parent
4af6ac8cf8
commit
d430777020
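--- /dev/null
+++ b/bash-4.3-cve-2016-0634.patch
@@ -0,0 +1,105 @@
+From f9dc7ff03a5b63d20ce473c1172e29b736dbea28 Mon Sep 17 00:00:00 2001
+From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
+Date: Wed, 21 Sep 2016 16:51:08 +0200
+Subject: [PATCH] CVE-2016-0634: upstream patch imported
+
+---
+parse.y | 20 ++++++++++++++++----
+y.tab.c | 20 ++++++++++++++++----
+2 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/parse.y b/parse.y
+index 0a7fcaa..5676ad7 100644
+--- a/parse.y
++++ b/parse.y
+@@ -5252,7 +5252,7 @@ decode_prompt_string (string)
+#if defined (PROMPT_STRING_DECODE)
+int result_size, result_index;
+int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+struct tm *tm;
+time_t the_time;
+char timebuf[128];
+@@ -5400,7 +5400,11 @@ decode_prompt_string (string)
+
+case 's':
+temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+goto add_string;
+
+case 'v':
+@@ -5490,9 +5494,17 @@ decode_prompt_string (string)
+
+case 'h':
+case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+*t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+goto add_string;
+
+case '#':
+diff --git a/y.tab.c b/y.tab.c
+index 793daf6..726d0de 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7540,7 +7540,7 @@ decode_prompt_string (string)
+#if defined (PROMPT_STRING_DECODE)
+int result_size, result_index;
+int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+struct tm *tm;
+time_t the_time;
+char timebuf[128];
+@@ -7688,7 +7688,11 @@ decode_prompt_string (string)
+
+case 's':
+temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+goto add_string;
+
+case 'v':
+@@ -7778,9 +7782,17 @@ decode_prompt_string (string)
+
+case 'h':
+case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+*t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+goto add_string;
+
+case '#':
+--
+2.7.4
+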
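Review bot: The quoting added in the `'h'`/`'H'` case is only sound if the decoded prompt is later expanded under double-quote rules, and none of the hunks show that call. The added comment itself says `expand_prompt_string` must be called with `Q_DOUBLE_QUOTES`, so that call site, in the part of `decode_prompt_string` outside these hunks, should be checked against the 4.3 tree this is backported to. The `'s'` case calls the same `sh_backslash_quote_for_double_quotes` without that reminder; I would repeat it there, e.g. `/* Quoting assumes the result is later expanded with Q_DOUBLE_QUOTES. */`. The multi-line comment also sits between `if (promptvars || posixly_correct)` and its unbraced body, which is easy to misread, so moving it above the `if` would keep the pairing obvious. The same points apply to the mirrored `y.tab.c` hunks, which appear to be the generated copy of `parse.y`.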
11
bash.spec
11
bash.spec
@ -8,7 +8,7 @@
|
||||
Version: %{baseversion}%{patchleveltag}
|
||||
Name: bash
|
||||
Summary: The GNU Bourne Again shell
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Group: System Environment/Shells
|
||||
License: GPLv3+
|
||||
Url: http://www.gnu.org/software/bash
|
||||
@ -143,6 +143,10 @@ Patch139: bash-4.3-old-memleak.patch
|
||||
#1336800 - Fixes a race condition while expanding tilda
|
||||
Patch140: bash-tilda-race-condition.patch
|
||||
|
||||
#1377614 - security fix for CVE-2016-0634 (arbitrary code execution via malicious hostname)
|
||||
# NOTE: This fix is already included in bash-4.4.
|
||||
Patch141: bash-4.3-cve-2016-0634.patch
|
||||
|
||||
BuildRequires: texinfo bison
|
||||
BuildRequires: ncurses-devel
|
||||
BuildRequires: autoconf, gettext
|
||||
@ -246,6 +250,7 @@ This package contains documentation files for %{name}.
|
||||
%patch138 -p1 -b .lc_all
|
||||
%patch139 -p1 -b .oldleak
|
||||
%patch140 -p1 -b .tilda_expansion
|
||||
%patch141 -p1 -b .cve-2016-0634
|
||||
|
||||
echo %{version} > _distribution
|
||||
echo %{release} > _patchlevel
|
||||
@ -447,6 +452,10 @@ end
|
||||
%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
|
||||
|
||||
%changelog
|
||||
* Wed Sep 21 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 4.3.43-3
|
||||
- CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname
|
||||
Resolves: #1377614
|
||||
|
||||
* Tue Sep 6 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 4.3.43-2
|
||||
- Inverted the condition for UsrMove safeguard check, so we comply with:
|
||||
https://fedoraproject.org/wiki/Packaging:Conflicts
|
||||
|