author | Catalin Popeanga <Catalin.Popeanga@enea.com> | 2014-10-09 14:24:29 +0200 |
---|---|---|
committer | Paul Eggleton <paul.eggleton@linux.intel.com> | 2014-10-12 21:24:36 +0100 |
commit | bdfe1e3770aeee9a1a7c65d4834f1a99820d3140 (patch) | |
tree | 54370e45086ad8b78c8ddaa1650e1da7f5bd6ddb /meta/recipes-extended/bash/bash-3.2.48 | |
parent | af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb (diff) | |
download | openembedded-core-contrib-bdfe1e3770aeee9a1a7c65d4834f1a99820d3140.tar.gz |
bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a follow-up patch to the incomplete fix for CVE-2014-6271 (code execution via
specially-crafted environment).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Diffstat (limited to 'meta/recipes-extended/bash/bash-3.2.48')
-rw-r--r-- | meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 00000000000..dcb8ea44c5b
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed.
*/
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents () |
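Review bot: The patch header records only a plain-HTTP source (`Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055`) and says nothing about how the backport was checked against upstream, so a reader cannot confirm from this file that the diff matches Chet Ramey's bash32-055; a header line such as `Verified against the upstream detached signature: <result, placeholder>` would record that. In the parse.y hunks, `static int word_lineno[MAX_CASE_NEST+1];` adds one slot only, which is sufficient only if the code that advances `word_top` (outside these hunks) already caps it at `MAX_CASE_NEST`; that is worth confirming in the patched tree. `push_heredoc` checks `need_here_doc >= HEREDOC_MAX` and then calls `exit_shell`, so a command with more than 16 here-documents now ends the shell with `EX_BADUSAGE` instead of writing past `redir_stack`, a behaviour change the commit description could mention.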