From f96c394fe3af4d3693a57938c72bcc5ef17b98cd Mon Sep 17 00:00:00 2001 From: Ondrej Oprala Date: Mon, 6 Oct 2014 07:06:32 +0200 Subject: [PATCH] Patchlevel 30 --- bash.spec | 10 +++- bash43-029 | 59 ++++++++++++++++++++++++ bash43-030 | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 200 insertions(+), 1 deletion(-) create mode 100644 bash43-029 create mode 100644 bash43-030 diff --git a/bash.spec b/bash.spec index 11bdd8c..6860c25 100644 --- a/bash.spec +++ b/bash.spec @@ -1,5 +1,5 @@ #% define beta_tag rc2 -%define patchleveltag .28 +%define patchleveltag .30 %define baseversion 4.3 %bcond_without tests %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -58,6 +58,9 @@ Patch027: bash-4.2-cve-2014-7169-1.patch #patchlevel 28 Patch028: bash-4.2-cve-2014-7169-2.patch +Patch029: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029 +Patch030: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030 + # Other patches Patch101: bash-2.02-security.patch @@ -169,6 +172,8 @@ This package contains documentation files for %{name}. %patch026 -p0 -b .026 %patch027 -p0 -b .7169-1 %patch028 -p0 -b .7169-2 +%patch029 -p0 -b .029 +%patch030 -p0 -b .030 # Other patches %patch101 -p1 -b .security @@ -394,6 +399,9 @@ end %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog +* Thu Oct 06 2014 Ondrej Oprala - 4.3.30-1 +- Patchlevel 30 + * Mon Oct 06 2014 Ondrej Oprala - 4.3.28-1 - RedHat's patchlevel 28 diff --git a/bash43-029 b/bash43-029 new file mode 100644 index 0000000..f8a9e77 --- /dev/null +++ b/bash43-029 @@ -0,0 +1,59 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-029 + +Bug-Reported-by: Michal Zalewski +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +When bash is parsing a function definition that contains a here-document +delimited by end-of-file (or end-of-string), it leaves the closing delimiter +uninitialized. This can result in an invalid memory access when the parsed +function is later copied. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3.28/make_cmd.c 2011-12-16 08:08:01.000000000 -0500 +--- make_cmd.c 2014-10-02 11:24:23.000000000 -0400 +*************** +*** 693,696 **** +--- 693,697 ---- + temp->redirector = source; + temp->redirectee = dest_and_filename; ++ temp->here_doc_eof = 0; + temp->instruction = instruction; + temp->flags = 0; +*** ../bash-4.3.28/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400 +--- copy_cmd.c 2014-10-02 11:24:23.000000000 -0400 +*************** +*** 127,131 **** + case r_reading_until: + case r_deblank_reading_until: +! new_redirect->here_doc_eof = savestring (redirect->here_doc_eof); + /*FALLTHROUGH*/ + case r_reading_string: +--- 127,131 ---- + case r_reading_until: + case r_deblank_reading_until: +! new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0; + /*FALLTHROUGH*/ + case r_reading_string: +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 26 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 29 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/bash43-030 b/bash43-030 new file mode 100644 index 0000000..9e115a3 --- /dev/null +++ b/bash43-030 @@ -0,0 +1,132 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-030 + +Bug-Reported-by: Michal Zalewski +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +A combination of nested command substitutions and function importing from +the environment can cause bash to execute code appearing in the environment +variable value following the function definition. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3.29/builtins/evalstring.c 2014-10-01 12:57:47.000000000 -0400 +--- builtins/evalstring.c 2014-10-03 11:57:04.000000000 -0400 +*************** +*** 309,318 **** + struct fd_bitmap *bitmap; + +! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) + { +! internal_warning ("%s: ignoring function definition attempt", from_file); +! should_jump_to_top_level = 0; +! last_result = last_command_exit_value = EX_BADUSAGE; +! break; + } + +--- 313,335 ---- + struct fd_bitmap *bitmap; + +! if (flags & SEVAL_FUNCDEF) + { +! char *x; +! +! /* If the command parses to something other than a straight +! function definition, or if we have not consumed the entire +! string, or if the parser has transformed the function +! name (as parsing will if it begins or ends with shell +! whitespace, for example), reject the attempt */ +! if (command->type != cm_function_def || +! ((x = parser_remaining_input ()) && *x) || +! (STREQ (from_file, command->value.Function_def->name->word) == 0)) +! { +! internal_warning (_("%s: ignoring function definition attempt"), from_file); +! should_jump_to_top_level = 0; +! last_result = last_command_exit_value = EX_BADUSAGE; +! reset_parser (); +! break; +! } + } + +*************** +*** 379,383 **** + + if (flags & SEVAL_ONECMD) +! break; + } + } +--- 396,403 ---- + + if (flags & SEVAL_ONECMD) +! { +! reset_parser (); +! break; +! } + } + } +*** ../bash-4.3.29/parse.y 2014-10-01 12:58:43.000000000 -0400 +--- parse.y 2014-10-03 14:48:59.000000000 -0400 +*************** +*** 2539,2542 **** +--- 2539,2552 ---- + } + ++ char * ++ parser_remaining_input () ++ { ++ if (shell_input_line == 0) ++ return 0; ++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) ++ return '\0'; /* XXX */ ++ return (shell_input_line + shell_input_line_index); ++ } ++ + #ifdef INCLUDE_UNUSED + /* Back the input pointer up by one, effectively `ungetting' a character. */ +*************** +*** 4028,4033 **** + /* reset_parser clears shell_input_line and associated variables */ + restore_input_line_state (&ls); +! if (interactive) +! token_to_read = 0; + + /* Need to find how many characters parse_and_execute consumed, update +--- 4053,4058 ---- + /* reset_parser clears shell_input_line and associated variables */ + restore_input_line_state (&ls); +! +! token_to_read = 0; + + /* Need to find how many characters parse_and_execute consumed, update +*** ../bash-4.3.29/shell.h 2014-10-01 12:57:39.000000000 -0400 +--- shell.h 2014-10-03 14:49:12.000000000 -0400 +*************** +*** 181,184 **** +--- 181,186 ---- + + /* Let's try declaring these here. */ ++ extern char *parser_remaining_input __P((void)); ++ + extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); + extern void restore_parser_state __P((sh_parser_state_t *)); +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 29 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 30 + + #endif /* _PATCHLEVEL_H_ */