[bash/f21] Inhibit code injection - patch by Stephane Chazelas
Ondrej Oprala
ooprala at fedoraproject.org
Wed Sep 24 14:04:35 UTC 2014
commit 73b56521eed5415e99ffdb81375d76a7a40f92d6
Author: Ondrej Oprala <ooprala at redhat.com>
Date: Wed Sep 24 14:10:57 2014 +0200
Inhibit code injection - patch by Stephane Chazelas
bash-4.3-cve-2014-6271.patch | 91 ++++++++++++++++++++++++++++++++++++++++++
bash.spec | 8 +++-
2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/bash-4.3-cve-2014-6271.patch b/bash-4.3-cve-2014-6271.patch
new file mode 100644
index 0000000..7859d40
--- /dev/null
+++ b/bash-4.3-cve-2014-6271.patch
@@ -0,0 +1,91 @@
+*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+ #define SEVAL_PARSEONLY 0x020
+ #define SEVAL_NOLONGJMP 0x040
++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100 /* only allow a single command */
+
+ /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
+--- variables.c 2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+ strcpy (temp_string + char_index + 1, string);
+
+! if (posixly_correct == 0 || legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+!
+! /* Ancient backwards compatibility. Old versions of bash exported
+! functions like name()=() {...} */
+! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! name[char_index - 2] = '\0';
+
+ if (temp_var = find_function (name))
+--- 364,372 ----
+ strcpy (temp_string + char_index + 1, string);
+
+! /* Don't import function names that are invalid identifiers from the
+! environment, though we still allow them to be defined as shell
+! variables. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+ report_error (_("error importing function definition for `%s'"), name);
+ }
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
+--- subst.c 2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+ goto return0;
+ }
+! else if (var = find_variable_last_nameref (temp1))
+ {
+ temp = nameref_cell (var);
+--- 8118,8124 ----
+ goto return0;
+ }
+! else if (var && (invisible_p (var) || var_isset (var) == 0))
+! temp = (char *)NULL;
+! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+ {
+ temp = nameref_cell (var);
diff --git a/bash.spec b/bash.spec
index 4aa9e3e..4a54f9c 100644
--- a/bash.spec
+++ b/bash.spec
@@ -7,7 +7,7 @@
Version: %{baseversion}%{patchleveltag}
Name: bash
Summary: The GNU Bourne Again shell
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: System Environment/Shells
License: GPLv3+
Url: http://www.gnu.org/software/bash
@@ -101,6 +101,8 @@ Patch134: bash-4.3-pathexp-globignore-delim.patch
# 1102815 - fix double echoes in vi visual mode
Patch135: bash-4.3-noecho.patch
+Patch136: bash-4.3-cve-2014-6271.patch
+
BuildRequires: texinfo bison
BuildRequires: ncurses-devel
BuildRequires: autoconf, gettext
@@ -180,6 +182,7 @@ This package contains documentation files for %{name}.
%patch131 -p0 -b .keyword
%patch134 -p0 -b .delim
%patch135 -p1 -b .noecho
+%patch136 -p0 -b .6271
echo %{version} > _distribution
echo %{release} > _patchlevel
@@ -375,6 +378,9 @@ end
%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
%changelog
+* Wed Sep 24 2014 Ondrej Oprala <ooprala at redhat.com> - 4.3.22-3
+- Inhibit code injection - patch by Stephane Chazelas
+
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.3.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
More information about the scm-commits
mailing list