From 32818a104ae99a5795d91a2960d48d433d542dee Mon Sep 17 00:00:00 2001
From: Catalin Popeanga
Date: Thu, 9 Oct 2014 14:24:29 +0200
Subject: bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi
Signed-off-by: Paul Eggleton
---
 .../bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | 99 ++++++++++++
 .../bash-4.2/cve-2014-7186_cve-2014-7187.patch | 167 +++++++++++++++++++++
 meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
 meta/recipes-extended/bash/bash_4.2.bb | 1 +
 4 files changed, 268 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
 create mode 100644 meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000000..dcb8ea44c5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey
+Signed-off-by: Sona Sarmadi
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents ()
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000000..b51ce5f444
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
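Review bot: The `word_lineno[MAX_CASE_NEST+1]` change in the embedded parse.y hunk only adds one slot, and every store that indexes the array with `word_top` lies outside this patch, so the nested-loop overflow named in the patch report is closed only if those sites already cap `word_top` at `MAX_CASE_NEST`; that should be confirmed against the 3.2.48 source this backport is applied to. `push_heredoc` does bound `redir_stack`, but it carries no comment stating that exceeding the limit ends the shell rather than just the current command; I would add `/* Push R on redir_stack; more than HEREDOC_MAX pending here-documents is a fatal syntax error and the shell exits. */` above it. The assignment after the `if` block stays in bounds even if `exit_shell` were to return, because `need_here_doc` is reset to 0 first, which is worth saying in the same comment. Both points apply equally to the bash-4.2 copy of the patch later in this commit.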
@@ -0,0 +1,167 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash42-051}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
+
+Author: Chet Ramey
+Signed-off-by: Paul Eggleton
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-051
+
+Bug-Reported-by: Florian Weimer
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
+--- parse.y 2014-09-30 19:24:19.000000000 -0400
+***************
+*** 168,171 ****
+--- 168,174 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 265,269 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 268,274 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 307,311 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 312,316 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 520,524 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 525,529 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 527,531 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS WORD
+--- 532,536 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS WORD
+***************
+*** 534,538 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_MINUS WORD
+--- 539,543 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_MINUS WORD
+***************
+*** 541,545 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 546,550 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 548,552 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+--- 553,557 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+***************
+*** 555,559 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 560,564 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 2534,2537 ****
+--- 2539,2557 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 1e6e3f3a28..f50bc636af 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -13,6 +13,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
 file://cve-2014-6271.patch;striplevel=0 \
 file://cve-2014-7169.patch \
 file://Fix-for-bash-exported-function-namespace-change.patch \
+ file://cve-2014-7186_cve-2014-7187.patch \
 "
 
 SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 515bdc99f0..4ac0673a8c 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
 file://build-tests.patch \
 file://test-output.patch \
 file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
+ file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
 file://run-ptest \
 "
 
--
cgit 1.2.3-korg