diff options
Diffstat (limited to 'meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch')
| -rw-r--r-- | meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch new file mode 100644 index 0000000000..2741ce621b --- /dev/null +++ b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch @@ -0,0 +1,216 @@ +From a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell <carlos@redhat.com> +Date: Wed, 19 Nov 2014 11:44:12 -0500 +Subject: [PATCH] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD. + +The function wordexp() fails to properly handle the WRDE_NOCMD +flag when processing arithmetic inputs in the form of "$((... ``))" +where "..." can be anything valid. The backticks in the arithmetic +epxression are evaluated by in a shell even if WRDE_NOCMD forbade +command substitution. This allows an attacker to attempt to pass +dangerous commands via constructs of the above form, and bypass +the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD +in exec_comm(), the only place that can execute a shell. All other +checks for WRDE_NOCMD are superfluous and removed. + +We expand the testsuite and add 3 new regression tests of roughly +the same form but with a couple of nested levels. + +On top of the 3 new tests we add fork validation to the WRDE_NOCMD +testing. If any forks are detected during the execution of a wordexp() +call with WRDE_NOCMD, the test is marked as failed. This is slightly +heuristic since vfork might be used in the future, but it provides a +higher level of assurance that no shells were executed as part of +command substitution with WRDE_NOCMD in effect. In addition it doesn't +require libpthread or libdl, instead we use the public implementation +namespace function __register_atfork (already part of the public ABI +for libpthread). + +Tested on x86_64 with no regressions. +--- + ChangeLog | 22 ++++++++++++++++++++++ + NEWS | 8 +++++++- + posix/wordexp-test.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + posix/wordexp.c | 16 ++++------------ + 4 files changed, 77 insertions(+), 13 deletions(-) + +Index: libc/ChangeLog +=================================================================== +--- libc.orig/ChangeLog ++++ libc/ChangeLog +@@ -1,3 +1,25 @@ ++2014-11-19 Carlos O'Donell <carlos@redhat.com> ++ Florian Weimer <fweimer@redhat.com> ++ Joseph Myers <joseph@codesourcery.com> ++ Adam Conrad <adconrad@0c3.net> ++ Andreas Schwab <schwab@suse.de> ++ Brooks <bmoses@google.com> ++ ++ [BZ #17625] ++ * wordexp-test.c (__dso_handle): Add prototype. ++ (__register_atfork): Likewise. ++ (__app_register_atfork): New function. ++ (registered_forks): New global. ++ (register_fork): New function. ++ (test_case): Add 3 new tests for WRDE_CMDSUB. ++ (main): Call __app_register_atfork. ++ (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if ++ fork count is non-zero fail the test. ++ * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag ++ is set. ++ (parse_dollars): Remove check for WRDE_NOCMD. ++ (parse_dquote): Likewise. ++ + 2014-08-26 Florian Weimer <fweimer@redhat.com> + + [BZ #17187] +Index: libc/posix/wordexp-test.c +=================================================================== +--- libc.orig/posix/wordexp-test.c ++++ libc/posix/wordexp-test.c +@@ -27,6 +27,25 @@ + + #define IFS " \n\t" + ++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden"))); ++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *); ++ ++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void)) ++{ ++ return __register_atfork (prepare, parent, child, ++ &__dso_handle == NULL ? NULL : __dso_handle); ++} ++ ++/* Number of forks seen. */ ++static int registered_forks; ++ ++/* For each fork increment the fork count. */ ++static void ++register_fork (void) ++{ ++ registered_forks++; ++} ++ + struct test_case_struct + { + int retval; +@@ -206,6 +225,12 @@ struct test_case_struct + { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS }, + { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS }, + { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS }, ++ /* Test for CVE-2014-7817. We test 3 combinations of command ++ substitution inside an arithmetic expression to make sure that ++ no commands are executed and error is returned. */ ++ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, ++ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, ++ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, + + { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, + }; +@@ -258,6 +283,15 @@ main (int argc, char *argv[]) + return -1; + } + ++ /* If we are not allowed to do command substitution, we install ++ fork handlers to verify that no forks happened. No forks should ++ happen at all if command substitution is disabled. */ ++ if (__app_register_atfork (register_fork, NULL, NULL) != 0) ++ { ++ printf ("Failed to register fork handler.\n"); ++ return -1; ++ } ++ + for (test = 0; test_case[test].retval != -1; test++) + if (testit (&test_case[test])) + ++fail; +@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc) + + printf ("Test %d (%s): ", ++tests, tc->words); + ++ if (tc->flags & WRDE_NOCMD) ++ registered_forks = 0; ++ + if (tc->flags & WRDE_APPEND) + { + /* initial wordexp() call, to be appended to */ +@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc) + } + retval = wordexp (tc->words, &we, tc->flags); + ++ if ((tc->flags & WRDE_NOCMD) ++ && (registered_forks > 0)) ++ { ++ printf ("FAILED fork called for WRDE_NOCMD\n"); ++ return 1; ++ } ++ + if (tc->flags & WRDE_DOOFFS) + start_offs = sav_we.we_offs; + +Index: libc/posix/wordexp.c +=================================================================== +--- libc.orig/posix/wordexp.c ++++ libc/posix/wordexp.c +@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size + pid_t pid; + int noexec = 0; + ++ /* Do nothing if command substitution should not succeed. */ ++ if (flags & WRDE_NOCMD) ++ return WRDE_CMDSUB; ++ + /* Don't fork() unless necessary */ + if (!comm || !*comm) + return 0; +@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word + } + } + +- if (flags & WRDE_NOCMD) +- return WRDE_CMDSUB; +- + (*offset) += 2; + return parse_comm (word, word_length, max_length, words, offset, flags, + quoted? NULL : pwordexp, ifs, ifs_white); +@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_ + break; + + case '`': +- if (flags & WRDE_NOCMD) +- return WRDE_CMDSUB; +- + ++(*offset); + error = parse_backtick (word, word_length, max_length, words, + offset, flags, NULL, NULL, NULL); +@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *p + break; + + case '`': +- if (flags & WRDE_NOCMD) +- { +- error = WRDE_CMDSUB; +- goto do_error; +- } +- + ++words_offset; + error = parse_backtick (&word, &word_length, &max_length, words, + &words_offset, flags, pwordexp, ifs, +Index: libc/NEWS +=================================================================== +--- libc.orig/NEWS ++++ libc/NEWS +@@ -26,7 +26,13 @@ Version 2.19 + 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338, + 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386, + 16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431, +- 16453, 16474, 16506, 16510, 16529, 17187 ++ 16453, 16474, 16506, 16510, 16529, 17187, 17625. ++ ++* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag ++ under certain input conditions resulting in the execution of a shell for ++ command substitution when the applicaiton did not request it. The ++ implementation now checks WRDE_NOCMD immediately before executing the ++ shell and returns the error WRDE_CMDSUB as expected. + + * Slovenian translations for glibc messages have been contributed by the + Translation Project's Slovenian team of translators. |