From d57b9ce8bb97f88c329da973c3567d04d8eb07d2 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Thu, 2 Oct 2014 11:31:54 +0100 Subject: bash: fix CVE-2014-6271 CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Robert Yang Signed-off-by: Paul Eggleton --- .../bash/bash-3.2.48/cve-2014-6271.patch | 77 ++++++++++++++++++ .../bash/bash-4.2/cve-2014-6271.patch | 95 ++++++++++++++++++++++ meta/recipes-extended/bash/bash_3.2.48.bb | 1 + meta/recipes-extended/bash/bash_4.2.bb | 1 + 4 files changed, 174 insertions(+) create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch create mode 100644 meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000000..7226ffb665 --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch @@ -0,0 +1,77 @@ +Fix CVE-2014-6271, aka ShellShock. + +Upstream-Status: Backport +Signed-off-by: Ross Burton + +*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 +--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 34,37 **** +--- 34,39 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 235,238 **** +--- 235,246 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 292,295 **** +--- 300,306 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 +--- variables.c 2014-09-16 19:10:39.000000000 -0400 +*************** +*** 319,328 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 319,326 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 333,340 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 331,334 ---- diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch new file mode 100644 index 0000000000..20530adf6c --- /dev/null +++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6271.patch @@ -0,0 +1,95 @@ +Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.2 patchlevel 48, minus the hunk to +set the patch level. + +Upstream-Status: Backport +Signed-off-by: Paul Eggleton + + BASH PATCH REPORT + ================= + +Bash-Release: 4.2 +Patch-ID: bash42-048 + +Bug-Reported-by: Stephane Chazelas +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. + +Patch (apply with `patch -p0'): + +*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 +--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 36,39 **** +--- 36,41 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 262,265 **** +--- 262,273 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 322,325 **** +--- 330,336 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 +--- variables.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 348,357 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 348,355 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 362,369 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 360,363 ---- diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 4e6f0f3ea1..cbe1ee6623 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 \ ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 \ file://mkbuiltins_have_stringize.patch \ + file://cve-2014-6271.patch;striplevel=0 \ " SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8" diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb index fefe7b799d..83294b040a 100644 --- a/meta/recipes-extended/bash/bash_4.2.bb +++ b/meta/recipes-extended/bash/bash_4.2.bb @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \ ${GNU_MIRROR}/bash/bash-4.2-patches/bash42-010;apply=yes;striplevel=0;name=patch010 \ file://execute_cmd.patch;striplevel=0 \ file://mkbuiltins_have_stringize.patch \ + file://cve-2014-6271.patch;striplevel=0 \ file://build-tests.patch \ file://test-output.patch \ file://run-ptest \ -- cgit 1.2.3-korg