diff options
| author |   Sona Sarmadi <sona.sarmadi@enea.com> | 2016-10-10 13:54:35 +0200 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-08 23:03:18 +0000 |
| commit | 24455c63494b7030b8a337f0dad98687d15d9ce6 (patch) | |
| tree | af035732856e5a15f83240fec9e1853e4c66089d | |
| parent | cca372506522c1d588f9ebc66c6051089743d2a9 (diff) | |
| download | openembedded-core-contrib-24455c63494b7030b8a337f0dad98687d15d9ce6.tar.gz | |
bash: Security fix CVE-2016-0634
References to upstream patch:
https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047
http://openwall.com/lists/oss-security/2016/09/16/8
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta/recipes-extended/bash/bash/CVE-2016-0634.patch | 136 | ||||
| -rw-r--r-- | meta/recipes-extended/bash/bash_4.3.30.bb | 1 |
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch new file mode 100644 index 0000000000..71c033e9a4 --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch @@ -0,0 +1,136 @@ +Bash-Release: 4.3 +Patch-ID: bash43-047 + +Bug-Reported-by: Bernd Dietzel +Bug-Reference-ID: +Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 + +Bug-Description: + +Bash performs word expansions on the prompt strings after the special +escape sequences are expanded. If a malicious user can modify the system +hostname or change the name of the bash executable and coerce a user into +executing it, and the new name contains word expansions (including +command substitution), bash will expand them in prompt strings containing +the \h or \H and \s escape sequences, respectively. + +Patch (apply with `patch -p0') + +CVE: CVE-2016-0634 +Upstream-Status: Backport +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> + +*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400 +--- parse.y 2016-03-07 15:44:14.000000000 -0500 +*************** +*** 5259,5263 **** + int result_size, result_index; + int c, n, i; +! char *temp, octal_string[4]; + struct tm *tm; + time_t the_time; +--- 5259,5263 ---- + int result_size, result_index; + int c, n, i; +! char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; +*************** +*** 5407,5411 **** + case 's': + temp = base_pathname (shell_name); +! temp = savestring (temp); + goto add_string; + +--- 5407,5415 ---- + case 's': + temp = base_pathname (shell_name); +! /* Try to quote anything the user can set in the file system */ +! if (promptvars || posixly_correct) +! temp = sh_backslash_quote_for_double_quotes (temp); +! else +! temp = savestring (temp); + goto add_string; + +*************** +*** 5497,5503 **** + case 'h': + case 'H': +! temp = savestring (current_host_name); +! if (c == 'h' && (t = (char *)strchr (temp, '.'))) + *t = '\0'; + goto add_string; + +--- 5501,5515 ---- + case 'h': + case 'H': +! t_host = savestring (current_host_name); +! if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. */ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + +*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400 +--- y.tab.c 2016-03-07 15:44:14.000000000 -0500 +*************** +*** 7571,7575 **** + int result_size, result_index; + int c, n, i; +! char *temp, octal_string[4]; + struct tm *tm; + time_t the_time; +--- 7571,7575 ---- + int result_size, result_index; + int c, n, i; +! char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; +*************** +*** 7719,7723 **** + case 's': + temp = base_pathname (shell_name); +! temp = savestring (temp); + goto add_string; + +--- 7719,7727 ---- + case 's': + temp = base_pathname (shell_name); +! /* Try to quote anything the user can set in the file system */ +! if (promptvars || posixly_correct) +! temp = sh_backslash_quote_for_double_quotes (temp); +! else +! temp = savestring (temp); + goto add_string; + +*************** +*** 7809,7815 **** + case 'h': + case 'H': +! temp = savestring (current_host_name); +! if (c == 'h' && (t = (char *)strchr (temp, '.'))) + *t = '\0'; + goto add_string; + +--- 7813,7827 ---- + case 'h': + case 'H': +! t_host = savestring (current_host_name); +! if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. */ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index 95ed3925c7..fcd6cafd7a 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \ file://run-ptest \ file://fix-run-builtins.patch \ + file://CVE-2016-0634.patch;striplevel=0 \ " SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" |