* [ptxdist] [PATCH] bash: shellshock fix
@ 2014-09-25 15:19 Bruno Thomsen
From: Bruno Thomsen @ 2014-09-25 15:19 UTC
To: ptxdist; +Cc: bth
Fixes CVE-2014-6271: remote code execution through bash.
Applied missing patches between version 3.2 patch level 48 and 52.
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
patches/bash-3.2.48/0001-bash-3.2-patch49.patch | 67 ++++++++++++++
patches/bash-3.2.48/0002-bash-3.2-patch50.patch | 57 ++++++++++++
patches/bash-3.2.48/0003-bash-3.2-patch51.patch | 54 +++++++++++
patches/bash-3.2.48/0004-bash-3.2-patch52.patch | 114 ++++++++++++++++++++++++
patches/bash-3.2.48/series | 4 +
5 files changed, 296 insertions(+)
create mode 100644 patches/bash-3.2.48/0001-bash-3.2-patch49.patch
create mode 100644 patches/bash-3.2.48/0002-bash-3.2-patch50.patch
create mode 100644 patches/bash-3.2.48/0003-bash-3.2-patch51.patch
create mode 100644 patches/bash-3.2.48/0004-bash-3.2-patch52.patch
create mode 100644 patches/bash-3.2.48/series
diff --git a/patches/bash-3.2.48/0001-bash-3.2-patch49.patch b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch
new file mode 100644
index 0000000..c245ff9
--- /dev/null
+++ b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch
@@ -0,0 +1,67 @@
+From fb26772ce5a02cc2e677925ce62a459947a4709e Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Thu, 25 Sep 2014 15:41:58 +0200
+Subject: [PATCH] bash-3.2: patch 49
+
+Bash-Release: 3.2
+Patch-ID: bash32-049
+
+Bug-Reported-by: Len Lattanzi <llattanzi@apple.com>
+Bug-Reference-ID: <52B1297F-6675-45CC-B63E-24745337D006@apple.com>
+Bug-Reference-URL:
+
+Bug-Description:
+
+On systems where mbrtowc() returns -2 when passed a length argument with
+value 0, when using a multibyte locale, Readline's emacs-mode forward-char
+at the end of a line will leave the point beyond the end of the line.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ lib/readline/mbutil.c | 9 ++++++---
+ patchlevel.h | 2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c
+index 17dde53..0f8191c 100644
+--- a/lib/readline/mbutil.c
++++ b/lib/readline/mbutil.c
+@@ -77,7 +77,7 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero)
+ char *string;
+ int seed, count, find_non_zero;
+ {
+- size_t tmp;
++ size_t tmp, len;
+ mbstate_t ps;
+ int point;
+ wchar_t wc;
+@@ -96,9 +96,12 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero)
+ if (seed < point)
+ count--;
+
+- while (count > 0)
++ while (count > 0)
+ {
+- tmp = mbrtowc (&wc, string+point, strlen(string + point), &ps);
++ len = strlen (string + point);
++ if (len == 0)
++ break;
++ tmp = mbrtowc (&wc, string+point, len, &ps);
+ if (MB_INVALIDCH ((size_t)tmp))
+ {
+ /* invalid bytes. asume a byte represents a character */
+diff --git a/patchlevel.h b/patchlevel.h
+index aff99d9..19e5eca 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 48
++#define PATCHLEVEL 49
+
+ #endif /* _PATCHLEVEL_H_ */
+--
+1.9.1
+
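Review bot: The cover message says the series fixes CVE-2014-6271, but this file (Patch-ID bash32-049) is a Readline multibyte cursor fix in `_rl_find_next_mbchar_internal` and does not touch the environment import path. It appears to be carried so that the `patchlevel.h` hunks chain from 48 to 52; state that in the commit message so a reader auditing the CVE fix knows that only 0004 is security-relevant and that 0001 to 0003 are there for ordering. Separately, the `-`/`+` pair on `while (count > 0)` looks identical as shown, so confirm it is an intentional whitespace-only change.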
diff --git a/patches/bash-3.2.48/0002-bash-3.2-patch50.patch b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch
new file mode 100644
index 0000000..ceea444
--- /dev/null
+++ b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch
@@ -0,0 +1,57 @@
+From 6ec1590129b1855ce3366d53636f6a6272bbdb86 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Thu, 25 Sep 2014 15:49:40 +0200
+Subject: [PATCH] bash-3.2: patch 50
+
+Bash-Release: 3.2
+Patch-ID: bash32-050
+
+Bug-Reported-by: Jan Hnatek <Jan.Hnatek@Sun.COM>
+Bug-Reference-ID: <4A44991F.8010005@sun.com>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2009-06/msg00084.html
+
+Bug-Description:
+
+On systems where mbrtowc() returns -2 when passed a length argument with
+value 0, when using a multibyte locale, Readline's emacs-mode forward-char
+at the end of a line will leave the point beyond the end of the line.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ lib/readline/mbutil.c | 4 +---
+ patchlevel.h | 2 +-
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c
+index 0f8191c..6d3da95 100644
+--- a/lib/readline/mbutil.c
++++ b/lib/readline/mbutil.c
+@@ -131,12 +131,10 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero)
+ if (find_non_zero)
+ {
+ tmp = mbrtowc (&wc, string + point, strlen (string + point), &ps);
+- while (tmp > 0 && wcwidth (wc) == 0)
++ while (MB_NULLWCH (tmp) == 0 && MB_INVALIDCH (tmp) == 0 && wcwidth (wc) == 0)
+ {
+ point += tmp;
+ tmp = mbrtowc (&wc, string + point, strlen (string + point), &ps);
+- if (MB_NULLWCH (tmp) || MB_INVALIDCH (tmp))
+- break;
+ }
+ }
+
+diff --git a/patchlevel.h b/patchlevel.h
+index 19e5eca..37480dc 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 49
++#define PATCHLEVEL 50
+
+ #endif /* _PATCHLEVEL_H_ */
+--
+1.9.1
+
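Review bot: The Bug-Description in this file is word for word the one in 0001-bash-3.2-patch49.patch, yet the reporter, the reference URL and the code change all differ; here the change is in the `find_non_zero` branch, where `MB_NULLWCH (tmp) == 0 && MB_INVALIDCH (tmp) == 0` replaces `tmp > 0`. Check the description against the bash32-050 patch that the Patch-ID names and correct it if it was copied from 049. The code change itself is worth describing accurately: `tmp` is a `size_t`, so the old `tmp > 0` test is also true for an error return from mbrtowc, and `point += tmp` could run on an invalid result before the in-loop check was reached.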
diff --git a/patches/bash-3.2.48/0003-bash-3.2-patch51.patch b/patches/bash-3.2.48/0003-bash-3.2-patch51.patch
new file mode 100644
index 0000000..3d276a5
--- /dev/null
+++ b/patches/bash-3.2.48/0003-bash-3.2-patch51.patch
@@ -0,0 +1,54 @@
+From 270942e5a3b66f368c8b1f2b629f8fe9bb0029b4 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Thu, 25 Sep 2014 15:52:52 +0200
+Subject: [PATCH] bash-3.2: patch 51
+
+Bash-Release: 3.2
+Patch-ID: bash32-051
+
+Bug-Reported-by: werner@suse.de
+Bug-Reference-ID: <201002251238.o1PCcYcg016893@boole.suse.de>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2010-02/msg00132.html
+
+Bug-Description:
+
+When the `read' builtin times out after the timeout specified with -t is
+exceeded, it does not reset the flags that tell signal handlers to process
+signals immediately instead of deferring their handling. This can result
+in unsafe functions being called from signal handlers, which can cause bash
+to hang or dump core.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ builtins/read.def | 2 ++
+ patchlevel.h | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/builtins/read.def b/builtins/read.def
+index afa549e..1c18c8d 100644
+--- a/builtins/read.def
++++ b/builtins/read.def
+@@ -326,6 +326,8 @@ read_builtin (list)
+ code = setjmp (alrmbuf);
+ if (code)
+ {
++ interrupt_immediately--;
++ terminate_immediately = 0;
+ run_unwind_frame ("read_builtin");
+ return (EXECUTION_FAILURE);
+ }
+diff --git a/patchlevel.h b/patchlevel.h
+index 37480dc..f72e2d8 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 50
++#define PATCHLEVEL 51
+
+ #endif /* _PATCHLEVEL_H_ */
+--
+1.9.1
+
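Review bot: In the `setjmp (alrmbuf)` timeout branch of read.def the two flags are reset differently: `interrupt_immediately--` is a decrement while `terminate_immediately = 0` is an assignment. The decrement is only correct if the timeout can arrive solely after the matching increment, which is outside this hunk; confirm that against the bash 3.2.48 source so the counter cannot go negative, and add a one-line comment above the two statements saying which earlier statements they undo. This matters for the crash described in the Bug-Description, since a wrong value here leaves signal handlers in the immediate mode the patch is trying to leave.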
diff --git a/patches/bash-3.2.48/0004-bash-3.2-patch52.patch b/patches/bash-3.2.48/0004-bash-3.2-patch52.patch
new file mode 100644
index 0000000..da995f5
--- /dev/null
+++ b/patches/bash-3.2.48/0004-bash-3.2-patch52.patch
@@ -0,0 +1,114 @@
+From 7b239694e512fc1c34bd501dd375de44d2bbea2e Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Thu, 25 Sep 2014 15:59:35 +0200
+Subject: [PATCH] bash-3.2: patch 52
+
+Bash-Release: 3.2
+Patch-ID: bash32-052
+
+Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ builtins/common.h | 2 ++
+ builtins/evalstring.c | 11 +++++++++++
+ patchlevel.h | 2 +-
+ variables.c | 14 ++++----------
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/builtins/common.h b/builtins/common.h
+index 1233d66..74abb25 100644
+--- a/builtins/common.h
++++ b/builtins/common.h
+@@ -31,6 +31,8 @@
+ #define SEVAL_NOHIST 0x004
+ #define SEVAL_NOFREE 0x008
+ #define SEVAL_RESETLINE 0x010
++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++#define SEVAL_ONECMD 0x100 /* only allow a single command */
+
+ /* Flags for describe_command, shared between type.def and command.def */
+ #define CDESC_ALL 0x001 /* type -a */
+diff --git a/builtins/evalstring.c b/builtins/evalstring.c
+index 511ce86..46cb56a 100644
+--- a/builtins/evalstring.c
++++ b/builtins/evalstring.c
+@@ -234,6 +234,14 @@ parse_and_execute (string, from_file, flags)
+ {
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+ add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -291,6 +299,9 @@ parse_and_execute (string, from_file, flags)
+ dispose_command (command);
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+ else
+diff --git a/patchlevel.h b/patchlevel.h
+index f72e2d8..a2d65b2 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 51
++#define PATCHLEVEL 52
+
+ #endif /* _PATCHLEVEL_H_ */
+diff --git a/variables.c b/variables.c
+index 725cfa6..eb80326 100644
+--- a/variables.c
++++ b/variables.c
+@@ -318,12 +318,10 @@ initialize_shell_variables (env, privmode)
+ temp_string[char_index] = ' ';
+ strcpy (temp_string + char_index + 1, string);
+
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+- /* Ancient backwards compatibility. Old versions of bash exported
+- functions like name()=() {...} */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+- name[char_index - 2] = '\0';
++ /* Don't import function names that are invalid identifiers from the
++ environment. */
++ if (legal_identifier (name))
++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+ {
+@@ -332,10 +330,6 @@ initialize_shell_variables (env, privmode)
+ }
+ else
+ report_error (_("error importing function definition for `%s'"), name);
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+ # if 0
+--
+1.9.1
+
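Review bot: In the evalstring.c hunk the `SEVAL_FUNCDEF` test inspects `command->type` after the string has already been parsed, and `SEVAL_ONECMD` breaks only after the first command has run, so the full parser is still exposed to whatever the environment value contains; only execution is restricted. That covers the case in the Bug-Description, but before this series is released it is worth checking whether upstream has issued patch levels beyond 52 that touch the same import path. In variables.c, `legal_identifier (name)` guards only the `parse_and_execute` call; the following `find_function (name)` still runs for a rejected name and ends in `report_error`, so invalid names are reported as import errors rather than skipped silently, which is acceptable but should be a conscious choice. The `internal_warning` text "ignoring function definition attempt" is what an operator will see on stderr when a crafted variable is rejected, so keep it unchanged from upstream to let detection rules match on it.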
diff --git a/patches/bash-3.2.48/series b/patches/bash-3.2.48/series
new file mode 100644
index 0000000..0ede824
--- /dev/null
+++ b/patches/bash-3.2.48/series
@@ -0,0 +1,4 @@
+0001-bash-3.2-patch49.patch
+0002-bash-3.2-patch50.patch
+0003-bash-3.2-patch51.patch
+0004-bash-3.2-patch52.patch
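Review bot: The series file places all four patches under patches/bash-3.2.48/ and the last one raises `PATCHLEVEL` to 52, so the built shell will carry patch level 52 while the package directory is still named 3.2.48. Mention this in the commit message, or bump the package version in the bash rule if that is possible, so that anyone checking an image for CVE-2014-6271 by package version does not misjudge a fixed build as vulnerable.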
--
1.9.1