From ba0960bae8c01b16d415fc23d614f2e06043931d Mon Sep 17 00:00:00 2001 From: "Tom G. Christensen" Date: Sun, 28 Sep 2014 10:46:10 +0200 Subject: [PATCH] bash: update to 4.3.27 --- bash/build.sh | 6 +- bash/meta/ChangeLog | 5 +- bash/src/bash-4.2-cve-2014-7169-1.patch | 155 ----------------- bash/src/bash43-027.edited | 221 ++++++++++++++++++++++++ 4 files changed, 229 insertions(+), 158 deletions(-) delete mode 100644 bash/src/bash-4.2-cve-2014-7169-1.patch create mode 100644 bash/src/bash43-027.edited diff --git a/bash/build.sh b/bash/build.sh index 90efac9..67b81d6 100755 --- a/bash/build.sh +++ b/bash/build.sh @@ -7,7 +7,7 @@ # Check the following 4 variables before running the script topdir=bash real_version=4.3 -version=4.3.26 +version=4.3.27 pkgver=1 source[0]=ftp://ftp.sunet.se/pub/gnu/bash/$topdir-$real_version.tar.gz @@ -43,7 +43,7 @@ patch[22]=bash43-023.edited patch[23]=bash43-024.edited patch[24]=bash43-025.edited patch[25]=bash43-026.edited -patch[26]=bash-4.2-cve-2014-7169-1.patch +patch[26]=bash43-027.edited patch[27]=bash-4.2-cve-2014-7169-2.patch # Global settings @@ -79,6 +79,8 @@ install() compat bash 3.2.39 1 1 compat bash 4.2.42 1 1 compat bash 4.2.45 1 1 + compat bash 4.3.25 1 1 + compat bash 4.3.26 1 1 } reg pack diff --git a/bash/meta/ChangeLog b/bash/meta/ChangeLog index ad05df1..719282a 100644 --- a/bash/meta/ChangeLog +++ b/bash/meta/ChangeLog @@ -1,8 +1,11 @@ CHANGELOG --------- +* Sun Sep 28 2014 Tom G. Christensen - 4.3.27-1 +- Update to 4.3.27 (replaces a RedHat patch with identical from upstream) + * Sat Sep 27 2014 Tom G. Christensen - 4.3.26-1 - Update to 4.3.26 to fix CVE-2014-7169 -- Add patches from RedHat that provides more hardening against ShellShock +- Add patches from RedHat that provides more hardening against Shellshock and also fixes CVE-2014-7186 * Thu Sep 25 2014 Tom G. Christensen - 4.3.25-1 diff --git a/bash/src/bash-4.2-cve-2014-7169-1.patch b/bash/src/bash-4.2-cve-2014-7169-1.patch deleted file mode 100644 index 2e36c22..0000000 --- a/bash/src/bash-4.2-cve-2014-7169-1.patch +++ /dev/null @@ -1,155 +0,0 @@ ---- variables.c 2014-09-25 13:07:59.313209541 +0200 -+++ variables.c 2014-09-25 13:15:29.869420719 +0200 -@@ -268,7 +268,7 @@ - static void propagate_temp_var __P((PTR_T)); - static void dispose_temporary_env __P((sh_free_func_t *)); - --static inline char *mk_env_string __P((const char *, const char *)); -+static inline char *mk_env_string __P((const char *, const char *, int)); - static char **make_env_array_from_var_list __P((SHELL_VAR **)); - static char **make_var_export_array __P((VAR_CONTEXT *)); - static char **make_func_export_array __P((void)); -@@ -301,6 +301,14 @@ - #endif - } - -+/* Prefix and suffix for environment variable names which contain -+ shell functions. */ -+#define FUNCDEF_PREFIX "BASH_FUNC_" -+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX)) -+#define FUNCDEF_SUFFIX "()" -+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX)) -+ -+ - /* Initialize the shell variables from the current environment. - If PRIVMODE is nonzero, don't import functions from ENV or - parse $SHELLOPTS. */ -@@ -338,36 +346,48 @@ - - /* If exported function, define it now. Don't import functions from - the environment in privileged mode. */ -- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) -- { -- string_length = strlen (string); -- temp_string = (char *)xmalloc (3 + string_length + char_index); -+ if (privmode == 0 && read_but_dont_execute == 0 -+ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN) -+ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX) -+ && STREQN ("() {", string, 4)) -+ { -+ size_t name_length -+ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN); -+ char *temp_name = name + FUNCDEF_PREFIX_LEN; -+ /* Temporarily remove the suffix. */ -+ temp_name[name_length] = '\0'; - -- strcpy (temp_string, name); -- temp_string[char_index] = ' '; -- strcpy (temp_string + char_index + 1, string); -+ string_length = strlen (string); -+ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1); -+ memcpy (temp_string, temp_name, name_length); -+ temp_string[name_length] = ' '; -+ memcpy (temp_string + name_length + 1, string, string_length + 1); - - /* Don't import function names that are invalid identifiers from the - environment, though we still allow them to be defined as shell - variables. */ -- if (legal_identifier (name)) -- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); -+ if (legal_identifier (temp_name)) -+ parse_and_execute (temp_string, temp_name, -+ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - -- if (temp_var = find_function (name)) -+ if (temp_var = find_function (temp_name)) - { - VSETATTR (temp_var, (att_exported|att_imported)); - array_needs_making = 1; - } - else - { - if (temp_var = bind_variable (name, string, 0)) - { - VSETATTR (temp_var, (att_exported | att_imported | att_invisible)); - array_needs_making = 1; - } - last_command_exit_value = 1; - report_error (_("error importing function definition for `%s'"), name); - } -+ -+ /* Restore the original suffix. */ -+ temp_name[name_length] = FUNCDEF_SUFFIX[0]; - } - #if defined (ARRAY_VARS) - # if ARRAY_EXPORT -@@ -2537,7 +2557,7 @@ - var->context = variable_context; /* XXX */ - - INVALIDATE_EXPORTSTR (var); -- var->exportstr = mk_env_string (name, value); -+ var->exportstr = mk_env_string (name, value, 0); - - array_needs_making = 1; - -@@ -3388,22 +3408,43 @@ - /* */ - /* **************************************************************** */ - -+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in -+ which case it is treated as empty). Otherwise, decorate NAME with -+ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form -+ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */ - static inline char * --mk_env_string (name, value) -+mk_env_string (name, value, functionp) - const char *name, *value; -+ int functionp; - { -- int name_len, value_len; -- char *p; -+ size_t name_len, value_len; -+ char *p, *q; - - name_len = strlen (name); - value_len = STRLEN (value); -- p = (char *)xmalloc (2 + name_len + value_len); -- strcpy (p, name); -- p[name_len] = '='; -+ if (functionp && value != NULL) -+ { -+ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN -+ + 1 + value_len + 1); -+ q = p; -+ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN); -+ q += FUNCDEF_PREFIX_LEN; -+ memcpy (q, name, name_len); -+ q += name_len; -+ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN); -+ q += FUNCDEF_SUFFIX_LEN; -+ } -+ else -+ { -+ p = (char *)xmalloc (name_len + 1 + value_len + 1); -+ memcpy (p, name, name_len); -+ q = p + name_len; -+ } -+ q[0] = '='; - if (value && *value) -- strcpy (p + name_len + 1, value); -+ memcpy (q + 1, value, value_len + 1); - else -- p[name_len + 1] = '\0'; -+ q[1] = '\0'; - return (p); - } - -@@ -3489,7 +3530,7 @@ - /* Gee, I'd like to get away with not using savestring() if we're - using the cached exportstr... */ - list[list_index] = USE_EXPORTSTR ? savestring (value) -- : mk_env_string (var->name, value); -+ : mk_env_string (var->name, value, function_p (var)); - - if (USE_EXPORTSTR == 0) - SAVE_EXPORTSTR (var, list[list_index]); diff --git a/bash/src/bash43-027.edited b/bash/src/bash43-027.edited new file mode 100644 index 0000000..c6b7321 --- /dev/null +++ b/bash/src/bash43-027.edited @@ -0,0 +1,221 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-027 + +Bug-Reported-by: Florian Weimer +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +This patch changes the encoding bash uses for exported functions to avoid +clashes with shell variables and to avoid depending only on an environment +variable's contents to determine whether or not to interpret it as a shell +function. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3.26/variables.c 2014-09-25 23:02:18.000000000 -0400 +--- variables.c 2014-09-27 20:52:04.000000000 -0400 +*************** +*** 84,87 **** +--- 84,92 ---- + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0') + ++ #define BASHFUNC_PREFIX "BASH_FUNC_" ++ #define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */ ++ #define BASHFUNC_SUFFIX "%%" ++ #define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */ ++ + extern char **environ; + +*************** +*** 280,284 **** + static void dispose_temporary_env __P((sh_free_func_t *)); + +! static inline char *mk_env_string __P((const char *, const char *)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); +--- 285,289 ---- + static void dispose_temporary_env __P((sh_free_func_t *)); + +! static inline char *mk_env_string __P((const char *, const char *, int)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); +*************** +*** 350,369 **** + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +! if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) + { + string_length = strlen (string); +! temp_string = (char *)xmalloc (3 + string_length + char_index); + +! strcpy (temp_string, name); +! temp_string[char_index] = ' '; +! strcpy (temp_string + char_index + 1, string); + + /* Don't import function names that are invalid identifiers from the + environment, though we still allow them to be defined as shell + variables. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +! if (temp_var = find_function (name)) + { + VSETATTR (temp_var, (att_exported|att_imported)); +--- 355,385 ---- + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +! if (privmode == 0 && read_but_dont_execute == 0 && +! STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) && +! STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) && +! STREQN ("() {", string, 4)) + { ++ size_t namelen; ++ char *tname; /* desired imported function name */ ++ ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN; ++ ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */ ++ tname[namelen] = '\0'; /* now tname == func name */ ++ + string_length = strlen (string); +! temp_string = (char *)xmalloc (namelen + string_length + 2); + +! memcpy (temp_string, tname, namelen); +! temp_string[namelen] = ' '; +! memcpy (temp_string + namelen + 1, string, string_length + 1); + + /* Don't import function names that are invalid identifiers from the + environment, though we still allow them to be defined as shell + variables. */ +! if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))) +! parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +! if (temp_var = find_function (tname)) + { + VSETATTR (temp_var, (att_exported|att_imported)); +*************** +*** 378,383 **** + } + last_command_exit_value = 1; +! report_error (_("error importing function definition for `%s'"), name); + } + } + #if defined (ARRAY_VARS) +--- 394,402 ---- + } + last_command_exit_value = 1; +! report_error (_("error importing function definition for `%s'"), tname); + } ++ ++ /* Restore original suffix */ ++ tname[namelen] = BASHFUNC_SUFFIX[0]; + } + #if defined (ARRAY_VARS) +*************** +*** 2955,2959 **** + + INVALIDATE_EXPORTSTR (var); +! var->exportstr = mk_env_string (name, value); + + array_needs_making = 1; +--- 2974,2978 ---- + + INVALIDATE_EXPORTSTR (var); +! var->exportstr = mk_env_string (name, value, 0); + + array_needs_making = 1; +*************** +*** 3853,3871 **** + + static inline char * +! mk_env_string (name, value) + const char *name, *value; + { +! int name_len, value_len; +! char *p; + + name_len = strlen (name); + value_len = STRLEN (value); +! p = (char *)xmalloc (2 + name_len + value_len); +! strcpy (p, name); +! p[name_len] = '='; + if (value && *value) +! strcpy (p + name_len + 1, value); + else +! p[name_len + 1] = '\0'; + return (p); + } +--- 3872,3911 ---- + + static inline char * +! mk_env_string (name, value, isfunc) + const char *name, *value; ++ int isfunc; + { +! size_t name_len, value_len; +! char *p, *q; + + name_len = strlen (name); + value_len = STRLEN (value); +! +! /* If we are exporting a shell function, construct the encoded function +! name. */ +! if (isfunc && value) +! { +! p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2); +! q = p; +! memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN); +! q += BASHFUNC_PREFLEN; +! memcpy (q, name, name_len); +! q += name_len; +! memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN); +! q += BASHFUNC_SUFFLEN; +! } +! else +! { +! p = (char *)xmalloc (2 + name_len + value_len); +! memcpy (p, name, name_len); +! q = p + name_len; +! } +! +! q[0] = '='; + if (value && *value) +! memcpy (q + 1, value, value_len + 1); + else +! q[1] = '\0'; +! + return (p); + } +*************** +*** 3953,3957 **** + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +! : mk_env_string (var->name, value); + + if (USE_EXPORTSTR == 0) +--- 3993,3997 ---- + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +! : mk_env_string (var->name, value, function_p (var)); + + if (USE_EXPORTSTR == 0) +*** patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 26 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 27 + + #endif /* _PATCHLEVEL_H_ */