From: Bruno Thomsen <bth@kamstrup.dk>
To: ptxdist@pengutronix.de
Cc: bth@kamstrup.dk
Subject: [ptxdist] [PATCH] bash: shellshock part 2 fix
Date: Mon, 29 Sep 2014 11:45:10 +0200 [thread overview]
Message-ID: <1411983910-10500-1-git-send-email-bth@kamstrup.dk> (raw)
Fix CVE-2014-7169.
Applied patches 53 and 54 from version 3.2.
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
patches/bash-3.2.48/0005-bash-3.2-patch53.patch | 51 +++++++
patches/bash-3.2.48/0006-bash-3.2-patch54.patch | 185 ++++++++++++++++++++++++
patches/bash-3.2.48/series | 2 +
3 files changed, 238 insertions(+)
create mode 100644 patches/bash-3.2.48/0005-bash-3.2-patch53.patch
create mode 100644 patches/bash-3.2.48/0006-bash-3.2-patch54.patch
diff --git a/patches/bash-3.2.48/0005-bash-3.2-patch53.patch b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch
new file mode 100644
index 0000000..cad5435
--- /dev/null
+++ b/patches/bash-3.2.48/0005-bash-3.2-patch53.patch
@@ -0,0 +1,51 @@
+From bb47ebbc22117d0dfcff43734b5eeb293b4249e7 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Mon, 29 Sep 2014 10:18:41 +0200
+Subject: [PATCH] bash-3.2: patch 53
+
+Bash-Release: 3.2
+Patch-ID: bash32-053
+
+Bug-Reported-by: Tavis Ormandy <taviso@cmpxchg8b.com>
+Bug-Reference-ID:
+Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
+
+Bug-Description:
+
+Under certain circumstances, bash can incorrectly save a lookahead character and
+return it on a subsequent call, even when reading a new line.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ parse.y | 2 ++
+ patchlevel.h | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parse.y b/parse.y
+index 8a2b081..6cb2bce 100644
+--- a/parse.y
++++ b/parse.y
+@@ -2503,6 +2503,8 @@ reset_parser ()
+ FREE (word_desc_to_read);
+ word_desc_to_read = (WORD_DESC *)NULL;
+
++ eol_ungetc_lookahead = 0;
++
+ last_read_token = '\n';
+ token_to_read = '\n';
+ }
+diff --git a/patchlevel.h b/patchlevel.h
+index a2d65b2..e5d74f3 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 52
++#define PATCHLEVEL 53
+
+ #endif /* _PATCHLEVEL_H_ */
+--
+1.9.1
+
diff --git a/patches/bash-3.2.48/0006-bash-3.2-patch54.patch b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch
new file mode 100644
index 0000000..0b7e14d
--- /dev/null
+++ b/patches/bash-3.2.48/0006-bash-3.2-patch54.patch
@@ -0,0 +1,185 @@
+From 3daa4e268f15c66675cccc4e17c901194ca19199 Mon Sep 17 00:00:00 2001
+From: Bruno Thomsen <bth@kamstrup.dk>
+Date: Mon, 29 Sep 2014 10:36:58 +0200
+Subject: [PATCH] bash-3.2: patch 54
+
+Bash-Release: 3.2
+Patch-ID: bash32-054
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+This patch changes the encoding bash uses for exported functions to avoid
+clashes with shell variables and to avoid depending only on an environment
+variable's contents to determine whether or not to interpret it as a shell
+function.
+
+Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+---
+ patchlevel.h | 2 +-
+ variables.c | 80 +++++++++++++++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 61 insertions(+), 21 deletions(-)
+
+diff --git a/patchlevel.h b/patchlevel.h
+index e5d74f3..d449c7c 100644
+--- a/patchlevel.h
++++ b/patchlevel.h
+@@ -25,6 +25,6 @@
+ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
+ looks for to find the patch level (for the sccs version string). */
+
+-#define PATCHLEVEL 53
++#define PATCHLEVEL 54
+
+ #endif /* _PATCHLEVEL_H_ */
+diff --git a/variables.c b/variables.c
+index eb80326..76501cf 100644
+--- a/variables.c
++++ b/variables.c
+@@ -74,6 +74,11 @@
+
+ #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
+
++#define BASHFUNC_PREFIX "BASH_FUNC_"
++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
++#define BASHFUNC_SUFFIX "%%"
++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+
+ /* Variables used here and defined in other files. */
+@@ -241,7 +246,7 @@ static void push_temp_var __P((PTR_T));
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
+@@ -309,27 +314,41 @@ initialize_shell_variables (env, privmode)
+
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++ if (privmode == 0 && read_but_dont_execute == 0 &&
++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
++ STREQN ("() {", string, 4))
+ {
++ size_t namelen;
++ char *tname; /* desired imported function name */
++
++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
++
++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
++ tname[namelen] = '\0'; /* now tname == func name */
++
+ string_length = strlen (string);
+- temp_string = (char *)xmalloc (3 + string_length + char_index);
++ temp_string = (char *)xmalloc (namelen + string_length + 2);
+
+- strcpy (temp_string, name);
+- temp_string[char_index] = ' ';
+- strcpy (temp_string + char_index + 1, string);
++ memcpy (temp_string, tname, namelen);
++ temp_string[namelen] = ' ';
++ memcpy (temp_string + namelen + 1, string, string_length + 1);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+- if (legal_identifier (name))
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+- if (temp_var = find_function (name))
++ if (temp_var = find_function (tname))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+ array_needs_making = 1;
+ }
+ else
+- report_error (_("error importing function definition for `%s'"), name);
++ report_error (_("error importing function definition for `%s'"), tname);
++
++ /* Restore original suffix */
++ tname[namelen] = BASHFUNC_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+ # if 0
+@@ -2207,7 +2226,7 @@ assign_in_env (word)
+ var->context = variable_context; /* XXX */
+
+ INVALIDATE_EXPORTSTR (var);
+- var->exportstr = mk_env_string (name, value);
++ var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+
+@@ -2998,21 +3017,42 @@ merge_temporary_env ()
+ /* **************************************************************** */
+
+ static inline char *
+-mk_env_string (name, value)
++mk_env_string (name, value, isfunc)
+ const char *name, *value;
++ int isfunc;
+ {
+- int name_len, value_len;
+- char *p;
++ size_t name_len, value_len;
++ char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+- p = (char *)xmalloc (2 + name_len + value_len);
+- strcpy (p, name);
+- p[name_len] = '=';
++
++ /* If we are exporting a shell function, construct the encoded function
++ name. */
++ if (isfunc && value)
++ {
++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
++ q = p;
++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
++ q += BASHFUNC_PREFLEN;
++ memcpy (q, name, name_len);
++ q += name_len;
++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
++ q += BASHFUNC_SUFFLEN;
++ }
++ else
++ {
++ p = (char *)xmalloc (2 + name_len + value_len);
++ memcpy (p, name, name_len);
++ q = p + name_len;
++ }
++
++ q[0] = '=';
+ if (value && *value)
+- strcpy (p + name_len + 1, value);
++ memcpy (q + 1, value, value_len + 1);
+ else
+- p[name_len + 1] = '\0';
++ q[1] = '\0';
++
+ return (p);
+ }
+
+@@ -3087,7 +3127,7 @@ make_env_array_from_var_list (vars)
+ /* Gee, I'd like to get away with not using savestring() if we're
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+- : mk_env_string (var->name, value);
++ : mk_env_string (var->name, value, function_p (var));
+
+ if (USE_EXPORTSTR == 0)
+ SAVE_EXPORTSTR (var, list[list_index]);
+--
+1.9.1
+
diff --git a/patches/bash-3.2.48/series b/patches/bash-3.2.48/series
index 0ede824..9ae2d65 100644
--- a/patches/bash-3.2.48/series
+++ b/patches/bash-3.2.48/series
@@ -2,3 +2,5 @@
0002-bash-3.2-patch50.patch
0003-bash-3.2-patch51.patch
0004-bash-3.2-patch52.patch
+0005-bash-3.2-patch53.patch
+0006-bash-3.2-patch54.patch
--
1.9.1
--
ptxdist mailing list
ptxdist@pengutronix.de
next reply other threads:[~2014-09-29 9:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-29 9:45 Bruno Thomsen [this message]
2014-10-01 10:40 ` Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1411983910-10500-1-git-send-email-bth@kamstrup.dk \
--to=bth@kamstrup.dk \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox