From d430777020da4c1e68807f59b0ffd38324adbdb7 Mon Sep 17 00:00:00 2001 From: "David Kaspar [Dee'Kej]" Date: Wed, 21 Sep 2016 16:57:59 +0200 Subject: [PATCH] CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname Resolves: #1377614 --- bash-4.3-cve-2016-0634.patch | 105 +++++++++++++++++++++++++++++++++++ bash.spec | 11 +++- 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 bash-4.3-cve-2016-0634.patch diff --git a/bash-4.3-cve-2016-0634.patch b/bash-4.3-cve-2016-0634.patch new file mode 100644 index 0000000..e71931a --- /dev/null +++ b/bash-4.3-cve-2016-0634.patch @@ -0,0 +1,105 @@ +From f9dc7ff03a5b63d20ce473c1172e29b736dbea28 Mon Sep 17 00:00:00 2001 +From: "David Kaspar [Dee'Kej]" +Date: Wed, 21 Sep 2016 16:51:08 +0200 +Subject: [PATCH] CVE-2016-0634: upstream patch imported + +--- + parse.y | 20 ++++++++++++++++---- + y.tab.c | 20 ++++++++++++++++---- + 2 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/parse.y b/parse.y +index 0a7fcaa..5676ad7 100644 +--- a/parse.y ++++ b/parse.y +@@ -5252,7 +5252,7 @@ decode_prompt_string (string) + #if defined (PROMPT_STRING_DECODE) + int result_size, result_index; + int c, n, i; +- char *temp, octal_string[4]; ++ char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; + char timebuf[128]; +@@ -5400,7 +5400,11 @@ decode_prompt_string (string) + + case 's': + temp = base_pathname (shell_name); +- temp = savestring (temp); ++ /* Try to quote anything the user can set in the file system */ ++ if (promptvars || posixly_correct) ++ temp = sh_backslash_quote_for_double_quotes (temp); ++ else ++ temp = savestring (temp); + goto add_string; + + case 'v': +@@ -5490,9 +5494,17 @@ decode_prompt_string (string) + + case 'h': + case 'H': +- temp = savestring (current_host_name); +- if (c == 'h' && (t = (char *)strchr (temp, '.'))) ++ t_host = savestring (current_host_name); ++ if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. */ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + + case '#': +diff --git a/y.tab.c b/y.tab.c +index 793daf6..726d0de 100644 +--- a/y.tab.c ++++ b/y.tab.c +@@ -7540,7 +7540,7 @@ decode_prompt_string (string) + #if defined (PROMPT_STRING_DECODE) + int result_size, result_index; + int c, n, i; +- char *temp, octal_string[4]; ++ char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; + char timebuf[128]; +@@ -7688,7 +7688,11 @@ decode_prompt_string (string) + + case 's': + temp = base_pathname (shell_name); +- temp = savestring (temp); ++ /* Try to quote anything the user can set in the file system */ ++ if (promptvars || posixly_correct) ++ temp = sh_backslash_quote_for_double_quotes (temp); ++ else ++ temp = savestring (temp); + goto add_string; + + case 'v': +@@ -7778,9 +7782,17 @@ decode_prompt_string (string) + + case 'h': + case 'H': +- temp = savestring (current_host_name); +- if (c == 'h' && (t = (char *)strchr (temp, '.'))) ++ t_host = savestring (current_host_name); ++ if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. */ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + + case '#': +-- +2.7.4 + diff --git a/bash.spec b/bash.spec index 4bfa248..af06209 100644 --- a/bash.spec +++ b/bash.spec @@ -8,7 +8,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 2%{?dist} +Release: 3%{?dist} Group: System Environment/Shells License: GPLv3+ Url: http://www.gnu.org/software/bash @@ -143,6 +143,10 @@ Patch139: bash-4.3-old-memleak.patch #1336800 - Fixes a race condition while expanding tilda Patch140: bash-tilda-race-condition.patch +#1377614 - security fix for CVE-2016-0634 (arbitrary code execution via malicious hostname) +# NOTE: This fix is already included in bash-4.4. +Patch141: bash-4.3-cve-2016-0634.patch + BuildRequires: texinfo bison BuildRequires: ncurses-devel BuildRequires: autoconf, gettext @@ -246,6 +250,7 @@ This package contains documentation files for %{name}. %patch138 -p1 -b .lc_all %patch139 -p1 -b .oldleak %patch140 -p1 -b .tilda_expansion +%patch141 -p1 -b .cve-2016-0634 echo %{version} > _distribution echo %{release} > _patchlevel @@ -447,6 +452,10 @@ end %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog +* Wed Sep 21 2016 David Kaspar [Dee'Kej] - 4.3.43-3 +- CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname + Resolves: #1377614 + * Tue Sep 6 2016 David Kaspar [Dee'Kej] - 4.3.43-2 - Inverted the condition for UsrMove safeguard check, so we comply with: https://fedoraproject.org/wiki/Packaging:Conflicts