From: Bruno Thomsen
Date: Thu, 25 Sep 2014 17:19:42 +0200
Message-ID: <1411658382-10721-1-git-send-email-bth@kamstrup.dk>
Subject: [ptxdist] [PATCH] bash: shellshock fix
To: ptxdist@pengutronix.de
Cc: bth@kamstrup.dk

Fixes CVE-2014-6271: remote code execution through bash. Applied missing patches between version 3.2 patch level 48 and 52.

Signed-off-by: Bruno Thomsen
---
 patches/bash-3.2.48/0001-bash-3.2-patch49.patch | 67 ++++++++++++++
 patches/bash-3.2.48/0002-bash-3.2-patch50.patch | 57 ++++++++++++
 patches/bash-3.2.48/0003-bash-3.2-patch51.patch | 54 +++++++++++
 patches/bash-3.2.48/0004-bash-3.2-patch52.patch | 114 ++++++++++++++++++++++++
 patches/bash-3.2.48/series | 4 +
 5 files changed, 296 insertions(+)
 create mode 100644 patches/bash-3.2.48/0001-bash-3.2-patch49.patch
 create mode 100644 patches/bash-3.2.48/0002-bash-3.2-patch50.patch
 create mode 100644 patches/bash-3.2.48/0003-bash-3.2-patch51.patch
 create mode 100644 patches/bash-3.2.48/0004-bash-3.2-patch52.patch
 create mode 100644 patches/bash-3.2.48/series

diff --git a/patches/bash-3.2.48/0001-bash-3.2-patch49.patch b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch new file mode 100644 index 0000000..c245ff9 --- /dev/null +++ b/patches/bash-3.2.48/0001-bash-3.2-patch49.patch 
@@ -0,0 +1,67 @@ +From fb26772ce5a02cc2e677925ce62a459947a4709e Mon Sep 17 00:00:00 2001 +From: Bruno Thomsen +Date: Thu, 25 Sep 2014 15:41:58 +0200 +Subject: [PATCH] bash-3.2: patch 49 + +Bash-Release: 3.2 +Patch-ID: bash32-049 + +Bug-Reported-by: Len Lattanzi +Bug-Reference-ID: <52B1297F-6675-45CC-B63E-24745337D006@apple.com> +Bug-Reference-URL: + +Bug-Description: + +On systems where mbrtowc() returns -2 when passed a length argument with +value 0, when using a multibyte locale, Readline's emacs-mode forward-char +at the end of a line will leave the point beyond the end of the line. + +Signed-off-by: Bruno Thomsen +--- + lib/readline/mbutil.c | 9 ++++++--- + patchlevel.h | 2 +- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c +index 17dde53..0f8191c 100644 +--- a/lib/readline/mbutil.c ++++ b/lib/readline/mbutil.c +@@ -77,7 +77,7 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero) + char *string; + int seed, count, find_non_zero; + { +- size_t tmp; ++ size_t tmp, len; + mbstate_t ps; + int point; + wchar_t wc; +@@ -96,9 +96,12 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero) + if (seed < point) + count--; + +- while (count > 0) ++ while (count > 0) + { +- tmp = mbrtowc (&wc, string+point, strlen(string + point), &ps); ++ len = strlen (string + point); ++ if (len == 0) ++ break; ++ tmp = mbrtowc (&wc, string+point, len, &ps); + if (MB_INVALIDCH ((size_t)tmp)) + { + /* invalid bytes. asume a byte represents a character */ +diff --git a/patchlevel.h b/patchlevel.h +index aff99d9..19e5eca 100644 +--- a/patchlevel.h ++++ b/patchlevel.h +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 48 ++#define PATCHLEVEL 49 + + #endif /* _PATCHLEVEL_H_ */ +-- +1.9.1 + 
diff --git a/patches/bash-3.2.48/0002-bash-3.2-patch50.patch b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch new file mode 100644 index 0000000..ceea444 --- /dev/null +++ b/patches/bash-3.2.48/0002-bash-3.2-patch50.patch @@ -0,0 +1,57 @@ +From 6ec1590129b1855ce3366d53636f6a6272bbdb86 Mon Sep 17 00:00:00 2001 +From: Bruno Thomsen +Date: Thu, 25 Sep 2014 15:49:40 +0200 +Subject: [PATCH] bash-3.2: patch 50 + +Bash-Release: 3.2 +Patch-ID: bash32-050 + +Bug-Reported-by: Jan Hnatek +Bug-Reference-ID: <4A44991F.8010005@sun.com> +Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2009-06/msg00084.html + +Bug-Description: + +On systems where mbrtowc() returns -2 when passed a length argument with +value 0, when using a multibyte locale, Readline's emacs-mode forward-char +at the end of a line will leave the point beyond the end of the line. + +Signed-off-by: Bruno Thomsen +--- + lib/readline/mbutil.c | 4 +--- + patchlevel.h | 2 +- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/readline/mbutil.c b/lib/readline/mbutil.c +index 0f8191c..6d3da95 100644 +--- a/lib/readline/mbutil.c ++++ b/lib/readline/mbutil.c +@@ -131,12 +131,10 @@ _rl_find_next_mbchar_internal (string, seed, count, find_non_zero) + if (find_non_zero) + { + tmp = mbrtowc (&wc, string + point, strlen (string + point), &ps); +- while (tmp > 0 && wcwidth (wc) == 0) ++ while (MB_NULLWCH (tmp) == 0 && MB_INVALIDCH (tmp) == 0 && wcwidth (wc) == 0) + { + point += tmp; + tmp = mbrtowc (&wc, string + point, strlen (string + point), &ps); +- if (MB_NULLWCH (tmp) || MB_INVALIDCH (tmp)) +- break; + } + } + +diff --git a/patchlevel.h b/patchlevel.h +index 19e5eca..37480dc 100644 +--- a/patchlevel.h ++++ b/patchlevel.h +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 49 ++#define PATCHLEVEL 50 + + #endif /* _PATCHLEVEL_H_ */ +-- +1.9.1 + 
diff --git a/patches/bash-3.2.48/0003-bash-3.2-patch51.patch b/patches/bash-3.2.48/0003-bash-3.2-patch51.patch new file mode 100644 index 0000000..3d276a5 --- /dev/null +++ b/patches/bash-3.2.48/0003-bash-3.2-patch51.patch @@ -0,0 +1,54 @@ +From 270942e5a3b66f368c8b1f2b629f8fe9bb0029b4 Mon Sep 17 00:00:00 2001 +From: Bruno Thomsen +Date: Thu, 25 Sep 2014 15:52:52 +0200 +Subject: [PATCH] bash-3.2: patch 51 + +Bash-Release: 3.2 +Patch-ID: bash32-051 + +Bug-Reported-by: werner@suse.de +Bug-Reference-ID: <201002251238.o1PCcYcg016893@boole.suse.de> +Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2010-02/msg00132.html + +Bug-Description: + +When the `read' builtin times out after the timeout specified with -t is +exceeded, it does not reset the flags that tell signal handlers to process +signals immediately instead of deferring their handling. This can result +in unsafe functions being called from signal handlers, which can cause bash +to hang or dump core. + +Signed-off-by: Bruno Thomsen +--- + builtins/read.def | 2 ++ + patchlevel.h | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/builtins/read.def b/builtins/read.def +index afa549e..1c18c8d 100644 +--- a/builtins/read.def ++++ b/builtins/read.def +@@ -326,6 +326,8 @@ read_builtin (list) + code = setjmp (alrmbuf); + if (code) + { ++ interrupt_immediately--; ++ terminate_immediately = 0; + run_unwind_frame ("read_builtin"); + return (EXECUTION_FAILURE); + } +diff --git a/patchlevel.h b/patchlevel.h +index 37480dc..f72e2d8 100644 +--- a/patchlevel.h ++++ b/patchlevel.h +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 50 ++#define PATCHLEVEL 51 + + #endif /* _PATCHLEVEL_H_ */ +-- +1.9.1 + diff --git a/patches/bash-3.2.48/0004-bash-3.2-patch52.patch b/patches/bash-3.2.48/0004-bash-3.2-patch52.patch new file mode 100644 index 0000000..da995f5 
--- /dev/null +++ b/patches/bash-3.2.48/0004-bash-3.2-patch52.patch 
@@ -0,0 +1,114 @@ +From 7b239694e512fc1c34bd501dd375de44d2bbea2e Mon Sep 17 00:00:00 2001 +From: Bruno Thomsen +Date: Thu, 25 Sep 2014 15:59:35 +0200 +Subject: [PATCH] bash-3.2: patch 52 + +Bash-Release: 3.2 +Patch-ID: bash32-052 + +Bug-Reported-by: Stephane Chazelas +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. + +Signed-off-by: Bruno Thomsen +--- + builtins/common.h | 2 ++ + builtins/evalstring.c | 11 +++++++++++ + patchlevel.h | 2 +- + variables.c | 14 ++++---------- + 4 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/builtins/common.h b/builtins/common.h +index 1233d66..74abb25 100644 +--- a/builtins/common.h ++++ b/builtins/common.h +@@ -31,6 +31,8 @@ + #define SEVAL_NOHIST 0x004 + #define SEVAL_NOFREE 0x008 + #define SEVAL_RESETLINE 0x010 ++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++#define SEVAL_ONECMD 0x100 /* only allow a single command */ + + /* Flags for describe_command, shared between type.def and command.def */ + #define CDESC_ALL 0x001 /* type -a */ +diff --git a/builtins/evalstring.c b/builtins/evalstring.c +index 511ce86..46cb56a 100644 +--- a/builtins/evalstring.c ++++ b/builtins/evalstring.c +@@ -234,6 +234,14 @@ parse_and_execute (string, from_file, flags) + { + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); + add_unwind_protect (dispose_fd_bitmap, bitmap); +@@ -291,6 +299,9 @@ parse_and_execute (string, from_file, flags) + dispose_command (command); + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ 
break; + } + } + else +diff --git a/patchlevel.h b/patchlevel.h +index f72e2d8..a2d65b2 100644 +--- a/patchlevel.h ++++ b/patchlevel.h +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 51 ++#define PATCHLEVEL 52 + + #endif /* _PATCHLEVEL_H_ */ +diff --git a/variables.c b/variables.c +index 725cfa6..eb80326 100644 +--- a/variables.c ++++ b/variables.c +@@ -318,12 +318,10 @@ initialize_shell_variables (env, privmode) + temp_string[char_index] = ' '; + strcpy (temp_string + char_index + 1, string); + +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +- +- /* Ancient backwards compatibility. Old versions of bash exported +- functions like name()=() {...} */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +- name[char_index - 2] = '\0'; ++ /* Don't import function names that are invalid identifiers from the ++ environment. */ ++ if (legal_identifier (name)) ++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) + { +@@ -332,10 +330,6 @@ initialize_shell_variables (env, privmode) + } + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) + # if 0 +-- +1.9.1 + diff --git a/patches/bash-3.2.48/series b/patches/bash-3.2.48/series new file mode 100644 index 0000000..0ede824 --- /dev/null +++ b/patches/bash-3.2.48/series @@ -0,0 +1,4 @@ +0001-bash-3.2-patch49.patch +0002-bash-3.2-patch50.patch +0003-bash-3.2-patch51.patch +0004-bash-3.2-patch52.patch -- 1.9.1 -- ptxdist mailing list ptxdist@pengutronix.de
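
Review bot: the Bug-Description carried in 0002-bash-3.2-patch50.patch is word for word the one in 0001-bash-3.2-patch49.patch (the mbrtowc() length-0 forward-char text), but the mbutil.c hunk it accompanies changes something else: the zero-width loop under `if (find_non_zero)`, where `tmp > 0` is replaced by `MB_NULLWCH (tmp) == 0 && MB_INVALIDCH (tmp) == 0`. Since `tmp` is declared `size_t` in this function, the old `tmp > 0` test could not reject an error return from mbrtowc(), and that is the reason a reader of this patch needs to see. Please check the header against the upstream bash32-050 file and make sure the description matches the change.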
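
Review bot: in the builtins/read.def hunk of 0003-bash-3.2-patch51.patch the two flags are restored asymmetrically on the timeout path, `interrupt_immediately--;` versus `terminate_immediately = 0;`, and nothing in the visible context shows that interrupt_immediately has already been incremented when control returns through `setjmp (alrmbuf)`. If the alarm can fire before that increment, the counter goes negative and signal handling stays deferred afterwards. Please confirm the ordering against the surrounding read_builtin code, and consider a one-line comment in the patch header stating why one flag is decremented and the other reset.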
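
Review bot: the new check in the builtins/evalstring.c hunk of 0004-bash-3.2-patch52.patch, `if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)`, runs on an already parsed command, so it limits what parse_and_execute will execute but not what the parser is asked to read. The whole environment-supplied string still goes through the parser before this test, and SEVAL_ONECMD only breaks out after the first command has been handled. The commit message presents the series as the fix for CVE-2014-6271; it should say that the hardening here is on the execution side only, and the `series` file should be kept in step with any upstream patch levels after 52 that touch the parser. The warning text "ignoring function definition attempt" is also printed with `from_file` as its `%s`, which on this call path is the variable name, so the log line is worth documenting for anyone writing detection on it.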
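
Review bot: in the first variables.c hunk of 0004-bash-3.2-patch52.patch the `legal_identifier (name)` guard covers only the parse_and_execute call; the following `if (temp_var = find_function (name))` and its `else report_error (...)` branch still run for a name that was rejected. That gives an "error importing function definition" message for every rejected name, which is reasonable behaviour but is nowhere stated, and it relies on no function of that name existing yet. The same hunk, together with the second one, removes the "ancient backwards compatibility" handling of names exported as `name()`, so such entries are no longer imported at all. Both behaviour changes deserve a sentence in the patch header, since a downstream user with scripts that depend on exported functions will see them as regressions.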