aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/bash/bash-3.2.48
diff options
context:
space:
mode:
authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-09 14:24:29 +0200
committerPaul Eggleton <paul.eggleton@linux.intel.com>2014-10-12 21:24:36 +0100
commitbdfe1e3770aeee9a1a7c65d4834f1a99820d3140 (patch)
tree54370e45086ad8b78c8ddaa1650e1da7f5bd6ddb /meta/recipes-extended/bash/bash-3.2.48
parentaf1f65b57dbfcaf5fc7c254dce80ac55f3a632cb (diff)
downloadopenembedded-core-contrib-bdfe1e3770aeee9a1a7c65d4834f1a99820d3140.tar.gz
bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 (From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Diffstat (limited to 'meta/recipes-extended/bash/bash-3.2.48')
-rw-r--r--meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch99
1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 00000000000..dcb8ea44c5b
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents ()