From f195dcf02cbd18092352a954f70634ec01784a69 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 26 Sep 2014 11:02:14 +0200 Subject: [PATCH] bash: Update to 4.3.26 * Fixes CVE-2014-7169. * Fix two out-of-bounds array accesses in the bash parser * Add prefix & suffix to variables containing exported functions Ref: http://seclists.org/oss-sec/2014/q3/712 Signed-off-by: Jo-Philipp Wich --- utils/bash/Makefile | 2 +- .../patches/126-upstream-bash43-026.patch | 54 +++++++ .../bash/patches/200-redhat-parser-oob.patch | 83 ++++++++++ .../patches/201-redhat-variable-affix.patch | 148 ++++++++++++++++++ 4 files changed, 286 insertions(+), 1 deletion(-) create mode 100644 utils/bash/patches/126-upstream-bash43-026.patch create mode 100644 utils/bash/patches/200-redhat-parser-oob.patch create mode 100644 utils/bash/patches/201-redhat-variable-affix.patch diff --git a/utils/bash/Makefile b/utils/bash/Makefile index 1489af708..d2d5d6cbc 100644 --- a/utils/bash/Makefile +++ b/utils/bash/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk BASE_VERSION:=4.3 PKG_NAME:=bash -PKG_VERSION:=$(BASE_VERSION).25 +PKG_VERSION:=$(BASE_VERSION).26 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(BASE_VERSION).tar.gz diff --git a/utils/bash/patches/126-upstream-bash43-026.patch b/utils/bash/patches/126-upstream-bash43-026.patch new file mode 100644 index 000000000..dabf771f1 --- /dev/null +++ b/utils/bash/patches/126-upstream-bash43-026.patch @@ -0,0 +1,54 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-026 + +Bug-Reported-by: Tavis Ormandy +Bug-Reference-ID: +Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929 + +Bug-Description: + +Under certain circumstances, bash can incorrectly save a lookahead character and +return it on a subsequent call, even when reading a new line. + +Patch (apply with `patch -p0'): + +--- a/parse.y ++++ b/parse.y +@@ -2953,6 +2953,8 @@ reset_parser () + FREE (word_desc_to_read); + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + current_token = '\n'; /* XXX */ + last_read_token = '\n'; + token_to_read = '\n'; +--- a/y.tab.c ++++ b/y.tab.c +@@ -5265,6 +5265,8 @@ reset_parser () + FREE (word_desc_to_read); + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + current_token = '\n'; /* XXX */ + last_read_token = '\n'; + token_to_read = '\n'; +@@ -8539,4 +8541,3 @@ set_line_mbstate () + } + } + #endif /* HANDLE_MULTIBYTE */ +- +--- a/patchlevel.h ++++ b/patchlevel.h +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 25 ++#define PATCHLEVEL 26 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/utils/bash/patches/200-redhat-parser-oob.patch b/utils/bash/patches/200-redhat-parser-oob.patch new file mode 100644 index 000000000..9e00cd84c --- /dev/null +++ b/utils/bash/patches/200-redhat-parser-oob.patch @@ -0,0 +1,83 @@ +--- a/parse.y ++++ b/parse.y +@@ -265,9 +265,21 @@ int parser_state; + + /* Variables to manage the task of reading here documents, because we need to + defer the reading until after a complete command has been collected. */ +-static REDIRECT *redir_stack[10]; ++static REDIRECT **redir_stack; + int need_here_doc; + ++/* Pushes REDIR onto redir_stack, resizing it as needed. */ ++static void ++push_redir_stack (REDIRECT *redir) ++{ ++ /* Guard against oveflow. */ ++ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) ++ abort (); ++ redir_stack = xrealloc (redir_stack, ++ (need_here_doc + 1) * sizeof (*redir_stack)); ++ redir_stack[need_here_doc++] = redir; ++} ++ + /* Where shell input comes from. History expansion is performed on each + line when the shell is interactive. */ + static char *shell_input_line = (char *)NULL; +@@ -520,42 +532,42 @@ redirection: '>' WORD + source.dest = 0; + redir.filename = $2; + $$ = make_redirection (source, r_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | NUMBER LESS_LESS WORD + { + source.dest = $1; + redir.filename = $3; + $$ = make_redirection (source, r_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | REDIR_WORD LESS_LESS WORD + { + source.filename = $1; + redir.filename = $3; + $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | LESS_LESS_MINUS WORD + { + source.dest = 0; + redir.filename = $2; + $$ = make_redirection (source, r_deblank_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | NUMBER LESS_LESS_MINUS WORD + { + source.dest = $1; + redir.filename = $3; + $$ = make_redirection (source, r_deblank_reading_until, redir, 0); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | REDIR_WORD LESS_LESS_MINUS WORD + { + source.filename = $1; + redir.filename = $3; + $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); +- redir_stack[need_here_doc++] = $$; ++ push_redir_stack ($$); + } + | LESS_LESS_LESS WORD + { +@@ -4905,7 +4917,7 @@ got_token: + case CASE: + case SELECT: + case FOR: +- if (word_top < MAX_CASE_NEST) ++ if (word_top + 1 < MAX_CASE_NEST) + word_top++; + word_lineno[word_top] = line_number; + break; diff --git a/utils/bash/patches/201-redhat-variable-affix.patch b/utils/bash/patches/201-redhat-variable-affix.patch new file mode 100644 index 000000000..7842213c6 --- /dev/null +++ b/utils/bash/patches/201-redhat-variable-affix.patch @@ -0,0 +1,148 @@ +--- a/variables.c ++++ b/variables.c +@@ -279,7 +279,7 @@ static void push_temp_var __P((PTR_T)); + static void propagate_temp_var __P((PTR_T)); + static void dispose_temporary_env __P((sh_free_func_t *)); + +-static inline char *mk_env_string __P((const char *, const char *)); ++static inline char *mk_env_string __P((const char *, const char *, int)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); + static char **make_func_export_array __P((void)); +@@ -312,6 +312,14 @@ create_variable_tables () + #endif + } + ++/* Prefix and suffix for environment variable names which contain ++ shell functions. */ ++#define FUNCDEF_PREFIX "BASH_FUNC_" ++#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX)) ++#define FUNCDEF_SUFFIX "()" ++#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX)) ++ ++ + /* Initialize the shell variables from the current environment. + If PRIVMODE is nonzero, don't import functions from ENV or + parse $SHELLOPTS. */ +@@ -349,22 +357,31 @@ initialize_shell_variables (env, privmod + + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) +- { +- string_length = strlen (string); +- temp_string = (char *)xmalloc (3 + string_length + char_index); ++ if (privmode == 0 && read_but_dont_execute == 0 ++ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN) ++ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX) ++ && STREQN ("() {", string, 4)) ++ { ++ size_t name_length ++ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN); ++ char *temp_name = name + FUNCDEF_PREFIX_LEN; ++ /* Temporarily remove the suffix. */ ++ temp_name[name_length] = '\0'; + +- strcpy (temp_string, name); +- temp_string[char_index] = ' '; +- strcpy (temp_string + char_index + 1, string); ++ string_length = strlen (string); ++ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1); ++ memcpy (temp_string, temp_name, name_length); ++ temp_string[name_length] = ' '; ++ memcpy (temp_string + name_length + 1, string, string_length + 1); + + /* Don't import function names that are invalid identifiers from the + environment, though we still allow them to be defined as shell + variables. */ +- if (legal_identifier (name)) +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); ++ if (legal_identifier (temp_name)) ++ parse_and_execute (temp_string, temp_name, ++ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +- if (temp_var = find_function (name)) ++ if (temp_var = find_function (temp_name)) + { + VSETATTR (temp_var, (att_exported|att_imported)); + array_needs_making = 1; +@@ -379,6 +396,9 @@ initialize_shell_variables (env, privmod + last_command_exit_value = 1; + report_error (_("error importing function definition for `%s'"), name); + } ++ ++ /* Restore the original suffix. */ ++ temp_name[name_length] = FUNCDEF_SUFFIX[0]; + } + #if defined (ARRAY_VARS) + # if ARRAY_EXPORT +@@ -2954,7 +2974,7 @@ assign_in_env (word, flags) + var->context = variable_context; /* XXX */ + + INVALIDATE_EXPORTSTR (var); +- var->exportstr = mk_env_string (name, value); ++ var->exportstr = mk_env_string (name, value, 0); + + array_needs_making = 1; + +@@ -3851,22 +3871,43 @@ merge_temporary_env () + /* */ + /* **************************************************************** */ + ++/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in ++ which case it is treated as empty). Otherwise, decorate NAME with ++ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form ++ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */ + static inline char * +-mk_env_string (name, value) ++mk_env_string (name, value, functionp) + const char *name, *value; ++ int functionp; + { +- int name_len, value_len; +- char *p; ++ size_t name_len, value_len; ++ char *p, *q; + + name_len = strlen (name); + value_len = STRLEN (value); +- p = (char *)xmalloc (2 + name_len + value_len); +- strcpy (p, name); +- p[name_len] = '='; ++ if (functionp && value != NULL) ++ { ++ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN ++ + 1 + value_len + 1); ++ q = p; ++ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN); ++ q += FUNCDEF_PREFIX_LEN; ++ memcpy (q, name, name_len); ++ q += name_len; ++ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN); ++ q += FUNCDEF_SUFFIX_LEN; ++ } ++ else ++ { ++ p = (char *)xmalloc (name_len + 1 + value_len + 1); ++ memcpy (p, name, name_len); ++ q = p + name_len; ++ } ++ q[0] = '='; + if (value && *value) +- strcpy (p + name_len + 1, value); ++ memcpy (q + 1, value, value_len + 1); + else +- p[name_len + 1] = '\0'; ++ q[1] = '\0'; + return (p); + } + +@@ -3952,7 +3993,7 @@ make_env_array_from_var_list (vars) + /* Gee, I'd like to get away with not using savestring() if we're + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +- : mk_env_string (var->name, value); ++ : mk_env_string (var->name, value, function_p (var)); + + if (USE_EXPORTSTR == 0) + SAVE_EXPORTSTR (var, list[list_index]);