blob: ed63916669534a68e1f6ccb3566e3fb291533ae7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
bash: Fix CVE-2014-6277 (shellshock)
Upstream-status: backport
Downloaded from:
ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
Author: Chet Ramey <chet.ramey@case.edu>
Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
BASH PATCH REPORT
=================
Bash-Release: 3.2
Patch-ID: bash32-056
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
When bash is parsing a function definition that contains a here-document
delimited by end-of-file (or end-of-string), it leaves the closing delimiter
uninitialized. This can result in an invalid memory access when the parsed
function is later copied.
---
--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
+++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
@@ -677,4 +677,5 @@
temp->redirector = source;
temp->redirectee = dest_and_filename;
+ temp->here_doc_eof = 0;
temp->instruction = instruction;
temp->flags = 0;
--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
+++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
@@ -117,5 +117,5 @@
case r_reading_until:
case r_deblank_reading_until:
- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
+ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
/*FALLTHROUGH*/
case r_reading_string:
|
