diff --git a/bash-4.2-cve-2014-6271.patch b/bash-4.2-cve-2014-6271.patch deleted file mode 100644 index 54e2b89..0000000 --- a/bash-4.2-cve-2014-6271.patch +++ /dev/null @@ -1,72 +0,0 @@ -*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 ---- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 -*************** -*** 36,39 **** ---- 36,41 ---- - - /* Flags for describe_command, shared between type.def and command.def */ -+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+ #define SEVAL_ONECMD 0x100 /* only allow a single command */ - #define CDESC_ALL 0x001 /* type -a */ - #define CDESC_SHORTDESC 0x002 /* command -V */ -*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 ---- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 -*************** -*** 262,265 **** ---- 262,273 ---- - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); -*************** -*** 322,325 **** ---- 330,336 ---- - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } -*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 ---- variables.c 2014-09-16 19:35:45.000000000 -0400 -*************** -*** 348,357 **** - strcpy (temp_string + char_index + 1, string); - -! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -! -! /* Ancient backwards compatibility. Old versions of bash exported -! functions like name()=() {...} */ -! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') -! name[char_index - 2] = '\0'; - - if (temp_var = find_function (name)) ---- 348,355 ---- - strcpy (temp_string + char_index + 1, string); - -! /* Don't import function names that are invalid identifiers from the -! environment. */ -! if (legal_identifier (name)) -! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - if (temp_var = find_function (name)) -*************** -*** 362,369 **** - else - report_error (_("error importing function definition for `%s'"), name); -- -- /* ( */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') -- name[char_index - 2] = '('; /* ) */ - } - #if defined (ARRAY_VARS) ---- 360,363 ---- diff --git a/bash.spec b/bash.spec index b535e2c..958fcc5 100644 --- a/bash.spec +++ b/bash.spec @@ -1,5 +1,5 @@ #% define beta_tag rc2 -%define patchleveltag .47 +%define patchleveltag .48 %define baseversion 4.2 %bcond_without tests %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -7,7 +7,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 4%{?dist} +Release: 1%{?dist} Group: System Environment/Shells License: GPLv3+ Url: http://www.gnu.org/software/bash @@ -68,6 +68,7 @@ Patch044: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-044 Patch045: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-045 Patch046: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-046 Patch047: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-047 +Patch048: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048 # Other patches Patch101: bash-2.02-security.patch @@ -124,9 +125,6 @@ Patch127: bash-4.2-trap.patch # 1112710 - mention ulimit -c and -f POSIX block size Patch128: bash-4.2-man-ulimit.patch -# CVE-2014-6271 -Patch129: bash-4.2-cve-2014-6271.patch - BuildRequires: texinfo bison BuildRequires: ncurses-devel BuildRequires: autoconf, gettext @@ -200,6 +198,7 @@ This package contains documentation files for %{name}. %patch045 -p0 -b .045 %patch046 -p0 -b .046 %patch047 -p0 -b .047 +%patch048 -p0 -b .048 # Other patches %patch101 -p1 -b .security @@ -229,7 +228,6 @@ This package contains documentation files for %{name}. %patch125 -p1 -b .size_type %patch126 -p1 -b .missing_closes %patch128 -p1 -b .ulimit -%patch129 -p0 -b .6271 echo %{version} > _distribution echo %{release} > _patchlevel @@ -422,6 +420,9 @@ end #%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog +* Thu Sep 25 2014 Ondrej Oprala +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. + +Patch (apply with `patch -p0'): + +*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 +--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 36,39 **** +--- 36,41 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 262,265 **** +--- 262,273 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 322,325 **** +--- 330,336 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 +--- variables.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 348,357 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 348,355 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 362,369 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 360,363 ---- +*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 +--- patchlevel.h Thu Feb 24 21:41:34 2011 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 47 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 48 + + #endif /* _PATCHLEVEL_H_ */