* [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
@ 2014-09-25 10:35 Francesco Del Degan
  2014-09-25 22:40 ` Burton, Ross
  0 siblings, 1 reply; 9+ messages in thread
From: Francesco Del Degan @ 2014-09-25 10:35 UTC (permalink / raw)
  To: yocto

Updated to reflect the latest patchset in bash 4.3.
Fixes the CVE-2014-6271.

Signed-off-by: Francesco Del Degan <f.deldegan@endian.com>
---
 meta/recipes-extended/bash/bash_4.3.bb | 75 ++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb
index 25b7410..2ff0c40 100644
--- a/meta/recipes-extended/bash/bash_4.3.bb
+++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -5,6 +5,31 @@ LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-001;apply=yes;striplevel=0;name=patch001 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-002;apply=yes;striplevel=0;name=patch002 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-003;apply=yes;striplevel=0;name=patch003 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-004;apply=yes;striplevel=0;name=patch004 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-005;apply=yes;striplevel=0;name=patch005 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-006;apply=yes;striplevel=0;name=patch006 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-007;apply=yes;striplevel=0;name=patch007 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-008;apply=yes;striplevel=0;name=patch008 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-009;apply=yes;striplevel=0;name=patch009 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-010;apply=yes;striplevel=0;name=patch010 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-011;apply=yes;striplevel=0;name=patch011 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-012;apply=yes;striplevel=0;name=patch012 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-013;apply=yes;striplevel=0;name=patch013 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-014;apply=yes;striplevel=0;name=patch014 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-015;apply=yes;striplevel=0;name=patch015 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-016;apply=yes;striplevel=0;name=patch016 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-017;apply=yes;striplevel=0;name=patch017 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-018;apply=yes;striplevel=0;name=patch018 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-019;apply=yes;striplevel=0;name=patch019 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-020;apply=yes;striplevel=0;name=patch020 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-021;apply=yes;striplevel=0;name=patch021 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-022;apply=yes;striplevel=0;name=patch022 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-023;apply=yes;striplevel=0;name=patch023 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-024;apply=yes;striplevel=0;name=patch024 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-025;apply=yes;striplevel=0;name=patch025 \
            file://execute_cmd.patch;striplevel=0 \
            file://mkbuiltins_have_stringize.patch \
            file://build-tests.patch \
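Review bot: ordering matters in this hunk, since the 25 upstream patches (all applied with striplevel=0) now land before the recipe's own file://execute_cmd.patch, which also uses striplevel=0 and previously applied to the pristine 4.3 tarball; please confirm that execute_cmd.patch still applies cleanly on top of bash43-025, or refresh it, and say so in the commit message. Given the cherry-pick question raised in the thread, the commit message should also state which of bash43-001..025 is the security fix (025 for CVE-2014-6271) and that the remainder are upstream bug fixes, so reviewers can judge whether pulling the whole series is the right call.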
@@ -14,5 +39,55 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
 
 SRC_URI[tarball.md5sum] = "81348932d5da294953e15d4814c74dd1"
 SRC_URI[tarball.sha256sum] = "afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4"
+SRC_URI[patch001.md5sum] = "1ab682b4e36afa4cf1b426aa7ac81c0d"
+SRC_URI[patch001.sha256sum] = "ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742"
+SRC_URI[patch002.md5sum] = "8fc22cf50ec85da00f6af3d66f7ddc1b"
+SRC_URI[patch002.sha256sum] = "eee7cd7062ab29a9e4f02924d9c367264dcb8b162703f74ff6eb8f175a91502b"
+SRC_URI[patch003.md5sum] = "a41728eca78858758e26b5dea64ae506"
+SRC_URI[patch003.sha256sum] = "000e6eac50cd9053ce0630db01239dcdead04a2c2c351c47e2b51dac1ac1087d"
+SRC_URI[patch004.md5sum] = "bf8d53d227829d67235927689a03cc7a"
+SRC_URI[patch004.sha256sum] = "5ea0a42c6506720d26e6d3c5c358e9a0d49f6f189d69a8ed34d5935964821338"
+SRC_URI[patch005.md5sum] = "c0c00935c8b8ffff76e8ab77e7be7d15"
+SRC_URI[patch005.sha256sum] = "1ac83044032b9f5f11aeca8a344ae3c524ec2156185d3adbb8ad3e7a165aa3fa"
+SRC_URI[patch006.md5sum] = "6f01e364cd092faa28dd7119f47ddb5f"
+SRC_URI[patch006.sha256sum] = "a0648ee72d15e4a90c8b77a5c6b19f8d89e28c1bc881657d22fe26825f040213"
+SRC_URI[patch007.md5sum] = "dcf471d222bcd83283d3094e6ceeb6f8"
+SRC_URI[patch007.sha256sum] = "1113e321c59cf6a8648a36245bbe4217cf8acf948d71e67886dad7d486f8f3a3"
+SRC_URI[patch008.md5sum] = "f7553416646dc26c266454c78a916d36"
+SRC_URI[patch008.sha256sum] = "9941a98a4987192cc5ce3d45afe879983cad2f0bec96d441a4edd9033767f95e"
+SRC_URI[patch009.md5sum] = "7e73d2151f4064b484a4ba2c4b09960e"
+SRC_URI[patch009.sha256sum] = "c0226d6728946b2f53cdebf090bcd1c01627f01fee03295768605caa80bb40a5"
+SRC_URI[patch010.md5sum] = "a275463d21735bb6d7161f9fbd320d8f"
+SRC_URI[patch010.sha256sum] = "ce05799c0137314c70c7b6ea0477c90e1ac1d52e113344be8e32fa5a55c9f0b7"
+SRC_URI[patch011.md5sum] = "c17103ee20420d77e46b224c8d3fceda"
+SRC_URI[patch011.sha256sum] = "7c63402cdbc004a210f6c1c527b63b13d8bb9ec9c5a43d5c464a9010ff6f7f3b"
+SRC_URI[patch012.md5sum] = "3e2a057a19d02b3f92a3a09eacbc03ae"
+SRC_URI[patch012.sha256sum] = "3e1379030b35fbcf314e9e7954538cf4b43be1507142b29efae39eef997b8c12"
+SRC_URI[patch013.md5sum] = "fb377143a996d4ff087a2771bc8332f9"
+SRC_URI[patch013.sha256sum] = "bfa8ca5336ab1f5ef988434a4bdedf71604aa8a3659636afa2ce7c7446c42c79"
+SRC_URI[patch014.md5sum] = "1a1aaecc99a9d0cbc310e8e247dcc8b6"
+SRC_URI[patch014.sha256sum] = "5a4d6fa2365b6eb725a9d4966248b5edf7630a4aeb3fa8d526b877972658ac13"
+SRC_URI[patch015.md5sum] = "4f04387458a3c1b4d460d199f49991a8"
+SRC_URI[patch015.sha256sum] = "13293e8a24e003a44d7fe928c6b1e07b444511bed2d9406407e006df28355e8d"
+SRC_URI[patch016.md5sum] = "90e759709720c4f877525bebc9d5dc06"
+SRC_URI[patch016.sha256sum] = "92d60bcf49f61bd7f1ccb9602bead6f2c9946d79dea0e5ec0589bb3bfa5e0773"
+SRC_URI[patch017.md5sum] = "11e4046e1b86070f6adbb7ffc89641be"
+SRC_URI[patch017.sha256sum] = "1267c25c6b5ba57042a7bb6c569a6de02ffd0d29530489a16666c3b8a23e7780"
+SRC_URI[patch018.md5sum] = "cd5a9b46f5bea0dc0248c93c7dfac011"
+SRC_URI[patch018.sha256sum] = "7aa8b40a9e973931719d8cc72284a8fb3292b71b522db57a5a79052f021a3d58"
+SRC_URI[patch019.md5sum] = "cff4dc024d9d3456888aaaf8a36ca774"
+SRC_URI[patch019.sha256sum] = "a7a91475228015d676cafa86d2d7aa9c5d2139aa51485b6bbdebfdfbcf0d2d23"
+SRC_URI[patch020.md5sum] = "167839c5f147347f4a03d88ab97ff787"
+SRC_URI[patch020.sha256sum] = "ca5e86d87f178128641fe91f2f094875b8c1eb2de9e0d2e9154f5d5cc0336c98"
+SRC_URI[patch021.md5sum] = "1d350671c48dec30b34d8b81f09cd79d"
+SRC_URI[patch021.sha256sum] = "41439f06883e6bd11c591d9d5e9ae08afbc2abd4b935e1d244b08100076520a9"
+SRC_URI[patch022.md5sum] = "11c349af66a55481a3215ef2520bec36"
+SRC_URI[patch022.sha256sum] = "fd4d47bb95c65863f634c4706c65e1e3bae4ee8460c72045c0a0618689061a88"
+SRC_URI[patch023.md5sum] = "b3cb0d80fd0c47728264405cbb3b23c7"
+SRC_URI[patch023.sha256sum] = "9ac250c7397a8f53dbc84dfe790d2a418fbf1fe090bcece39b4a5c84a2d300d4"
+SRC_URI[patch024.md5sum] = "b5ea5600942acceb4b6f07313d2de74e"
+SRC_URI[patch024.sha256sum] = "3b505882a0a6090667d75824fc919524cd44cc3bd89dd08b7c4e622d3f960f6c"
+SRC_URI[patch025.md5sum] = "193c06f578d38ffdbaebae9c51a7551f"
+SRC_URI[patch025.sha256sum] = "1e5186f5c4a619bb134a1177d9e9de879f3bb85d9c5726832b03a762a2499251"
 
 BBCLASSEXTEND = "nativesdk"
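Review bot: the sha256sum lines for patch001..patch025 are the only integrity check on files pulled from ${GNU_MIRROR}, which is a plain mirror rather than an authenticated source, so they must have been computed from patch files checked against the signatures GNU publishes alongside the bash43-0NN files; please note in the commit message that this was done, otherwise a tampered mirror copy would simply be pinned into the recipe. The md5sum lines duplicate the sha256sum lines and could be dropped if the fetcher's checksum policy accepts a single digest, which would halve the 50 lines added here.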
-- 
1.8.1.2



^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-25 10:35 [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271) Francesco Del Degan
@ 2014-09-25 22:40 ` Burton, Ross
  2014-09-25 22:48     ` Mark Hatle
  2014-09-26  3:10   ` Francesco Del Degan
  0 siblings, 2 replies; 9+ messages in thread
From: Burton, Ross @ 2014-09-25 22:40 UTC (permalink / raw)
  To: Francesco Del Degan; +Cc: yocto@yoctoproject.org

Hi Francesco,

On 25 September 2014 11:35, Francesco Del Degan <f.deldegan@endian.com> wrote:
> Updated to reflect the latest patchset in bash 4.3.
> Fixes the CVE-2014-6271.

I'm hearing that this isn't a complete fix, so let's wait for more patches.

Is it possible to cherry-pick just the security fixes, instead of
every patch they've released?

Finally, patches for oe-core should go to openembedded-core@, not yocto@.

Ross



* Re: [yocto] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-25 22:40 ` Burton, Ross
@ 2014-09-25 22:48     ` Mark Hatle
  2014-09-26  3:10   ` Francesco Del Degan
  1 sibling, 0 replies; 9+ messages in thread
From: Mark Hatle @ 2014-09-25 22:48 UTC (permalink / raw)
  To: yocto, Patches and discussions about the oe-core layer

On 9/25/14, 5:40 PM, Burton, Ross wrote:
> Hi Francesco,
>
> On 25 September 2014 11:35, Francesco Del Degan <f.deldegan@endian.com> wrote:
>> Updated to reflect the latest patchset in bash 4.3.
>> Fixes the CVE-2014-6271.
>
> I'm hearing that this isn't a complete fix, so lets wait for more patches.
>
> Is it possible to cherry-pick just the security fixes, instead of
> every patch they've released?
>
> Finally, patches for oe-core should go to openembedded-core@, not yocto@.
>
> Ross
>

Patch 025 fixes CVE-2014-6271, but does NOT fix CVE-2014-7169 or possibly two 
other issues people are currently looking into.  (None of this is confidential, 
BTW; you can all follow along on the oss-security mailing list.)

So I would recommend that someone get the 025 patch (don't forget to patch bash 
3.2 as well) in, and we should wait until there is an official one for 7169.

--Mark


* Re: [yocto] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-25 22:48     ` Mark Hatle
@ 2014-09-25 23:15       ` Burton, Ross
  -1 siblings, 0 replies; 9+ messages in thread
From: Burton, Ross @ 2014-09-25 23:15 UTC (permalink / raw)
  To: Mark Hatle
  Cc: yocto@yoctoproject.org,
	Patches and discussions about the oe-core layer

On 25 September 2014 23:48, Mark Hatle <mark.hatle@windriver.com> wrote:
> So I would recommend that someone get the 025 patch (don't forget to patch
> bash 3.2 as well) in, and we should wait until there is an official one for
> 7169.

Agreed, and patches sent.

Ross


* Re: [OE-core] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-25 23:15       ` [OE-core] " Burton, Ross
@ 2014-09-26  3:00       ` Francesco Del Degan
  2014-09-26 14:03         ` Mark Hatle
  -1 siblings, 1 reply; 9+ messages in thread
From: Francesco Del Degan @ 2014-09-26  3:00 UTC (permalink / raw)
  To: yocto@yoctoproject.org; +Cc: Patches and discussions about the oe-core layer

Yes, patch 026, which fixes CVE-2014-7169, is underway and should be pushed
out today:

http://www.openwall.com/lists/oss-security/2014/09/26/1

bash-4.2 (as in dora) got patch048 for CVE-2014-6179 and should receive
patch049 as well.

I'm going to send the bash 3.2 and 4.2 patches to the oe-core ML.


On Fri, Sep 26, 2014 at 1:15 AM, Burton, Ross <ross.burton@intel.com> wrote:

> On 25 September 2014 23:48, Mark Hatle <mark.hatle@windriver.com> wrote:
> > So I would recommend that someone get the 025 patch (don't forget to
> patch
> > bash 3.2 as well) in, and we should wait until there is an official one
> for
> > 7169.
>
> Agreed, and patches sent.
>
> Ross
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
--
:: e n d i a n
:: security with passion

:: Francesco Del Degan
:: software engineer
:: http://www.endian.com  :: f.deldegan (AT) endian.com


* Re: [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-25 22:40 ` Burton, Ross
  2014-09-25 22:48     ` Mark Hatle
@ 2014-09-26  3:10   ` Francesco Del Degan
  1 sibling, 0 replies; 9+ messages in thread
From: Francesco Del Degan @ 2014-09-26  3:10 UTC (permalink / raw)
  To: Burton, Ross; +Cc: yocto@yoctoproject.org

Ross, I picked up the whole set of patches because I saw in dora

http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-extended/bash/bash_4.2.bb?h=dora

that it was done that way, so I assumed that was the way to go.

Furthermore, analyzing the entire patchset, it fixes several hangs, loops
and other bugs, so it would be interesting to have a more thoroughly fixed bash as well.

The last reason is that the PATCHLEVEL macro is printed out as well, so it would
be easily recognizable to have

GNU bash, version 4.3.25(1)-release

in the bash --version output and see at a glance that it is a good revision.




On Fri, Sep 26, 2014 at 12:40 AM, Burton, Ross <ross.burton@intel.com>
wrote:

> Hi Francesco,
>
> On 25 September 2014 11:35, Francesco Del Degan <f.deldegan@endian.com>
> wrote:
> > Updated to reflect the latest patchset in bash 4.3.
> > Fixes the CVE-2014-6271.
>
> I'm hearing that this isn't a complete fix, so lets wait for more patches.
>
> Is it possible to cherry-pick just the security fixes, instead of
> every patch they've released?
>
> Finally, patches for oe-core should go to openembedded-core@, not yocto@.
>
> Ross
>



-- 
--
:: e n d i a n
:: security with passion

:: Francesco Del Degan
:: software engineer
:: http://www.endian.com  :: f.deldegan (AT) endian.com


* Re: [OE-core] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
  2014-09-26  3:00       ` Francesco Del Degan
@ 2014-09-26 14:03         ` Mark Hatle
  0 siblings, 0 replies; 9+ messages in thread
From: Mark Hatle @ 2014-09-26 14:03 UTC (permalink / raw)
  To: yocto

On 9/25/14, 10:00 PM, Francesco Del Degan wrote:
> Yes, patch 026, which fixes CVE-2014-7169, is underway and should be pushed out today:
>
> http://www.openwall.com/lists/oss-security/2014/09/26/1
>
> bash-4.2 (as in dora) got patch048 for CVE-2014-6179 and should receive patch049
> as well.
>
> I'm going to send the bash 3.2 and 4.2 patches to the oe-core ML.

There are two additional issues as well.

CVE-2014-7186 - bash: parser can allow out-of-bounds memory access while
handling redir_stack

CVE-2014-7187 - bash: off-by-one error in deeply nested flow control constructs

(The above two are so new they are not yet published on the CVE web sites.)

A patch for these has been posted to the oss-security list, but has not yet been 
validated by the bash maintainer.

We'll need to watch for this as well.

--Mark

>
> On Fri, Sep 26, 2014 at 1:15 AM, Burton, Ross <ross.burton@intel.com
> <mailto:ross.burton@intel.com>> wrote:
>
>     On 25 September 2014 23:48, Mark Hatle <mark.hatle@windriver.com
>     <mailto:mark.hatle@windriver.com>> wrote:
>     > So I would recommend that someone get the 025 patch (don't forget to patch
>     > bash 3.2 as well) in, and we should wait until there is an official one for
>     > 7169.
>
>     Agreed, and patches sent.
>
>     Ross
>     --
>     _______________________________________________
>     yocto mailing list
>     yocto@yoctoproject.org <mailto:yocto@yoctoproject.org>
>     https://lists.yoctoproject.org/listinfo/yocto
>
>
>
>
> --
> --
> :: e n d i a n
> :: security with passion
>
> :: Francesco Del Degan
> :: software engineer
> :: http://www.endian.com <http://www.endian.com/>  :: f.deldegan (AT) endian.com
> <http://endian.com/>
>
>



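The thread settles on two facts a practitioner needs when auditing an image: bash43-025 fixes CVE-2014-6271 but not CVE-2014-7169 (patch 026 does), and the upstream patch files bump PATCHLEVEL, so `bash --version` reporting 4.3.25 is a quick indicator. The script below is an added example, not code from this thread, from oe-core or from the bash project. It checks a bash binary both ways: by parsing the version banner against the patch levels named in the thread (4.3.25/4.3.26, and 4.2.48/4.2.49 for dora, which the thread states and anticipates respectively), and by the widely published behavioural probes for the two CVEs, which remain authoritative when a vendor backports a fix without touching PATCHLEVEL. The banner strings in the comments are constructed samples; the CVE-2014-7186/7187 issues Mark mentions are not probed here. The 7169 probe deliberately works in a scratch directory because on an unpatched shell it leaves a file named `echo` behind.

```shell
#!/bin/sh
# Added example, not code from the oe-core thread or from the bash project.
# Two ways to tell whether a bash binary carries the Shellshock fixes the
# thread discusses: (1) the PATCHLEVEL shown by `bash --version`, which the
# upstream bash43-0NN patch files bump, and (2) a behavioural probe, which is
# authoritative when a vendor backports the fix without touching PATCHLEVEL.

# Pull "MAJOR.MINOR.PATCHLEVEL" out of the first line of `bash --version`,
# e.g. "GNU bash, version 4.3.25(1)-release (x86_64-poky-linux-gnu)" -> 4.3.25
bash_release() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is >= dotted version $2, compared numerically.
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# First upstream patch level that fixes each CVE in each series, as named in
# the thread (bash43-025/026, bash42-048/049). Any other series is "unknown".
fixed_in() {   # $1 = CVE id, $2 = series such as 4.3
    case "$1:$2" in
        CVE-2014-6271:4.3) echo 4.3.25 ;;
        CVE-2014-7169:4.3) echo 4.3.26 ;;
        CVE-2014-6271:4.2) echo 4.2.48 ;;
        CVE-2014-7169:4.2) echo 4.2.49 ;;
        *)                 echo "" ;;
    esac
}

# Verdict from the version banner alone: fixed / vulnerable / unknown.
version_verdict() {   # $1 = CVE id, $2 = first line of `bash --version`
    rel=$(bash_release "$2")
    [ -n "$rel" ] || { echo unknown; return 0; }
    need=$(fixed_in "$1" "${rel%.*}")
    [ -n "$need" ] || { echo unknown; return 0; }
    if version_ge "$rel" "$need"; then echo fixed; else echo vulnerable; fi
}

# Behavioural probe for CVE-2014-6271 (fixed by bash43-025): an exported
# variable holding a function definition followed by extra commands must not
# get those commands executed when the child shell imports its environment.
# $1 = shell binary to test. Prints fixed / vulnerable / missing.
probe_6271() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo fixed ;;
    esac
}

# Behavioural probe for CVE-2014-7169 (fixed by bash43-026): with the
# truncated definition below, an unpatched parser carries the dangling
# redirection into the -c command, so "echo date" writes a file named "echo".
# Runs in a scratch directory so nothing in the caller's cwd is touched.
probe_7169() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo fixed; fi
    rm -rf "$tmp"
}

# Report on one binary: banner-based verdicts first, then behaviour.
report() {
    line=$("$1" --version 2>/dev/null | head -n 1) || true
    for cve in CVE-2014-6271 CVE-2014-7169; do
        printf '%s by version:   %s\n' "$cve" "$(version_verdict "$cve" "$line")"
    done
    printf 'CVE-2014-6271 by behaviour: %s\n' "$(probe_6271 "$1")"
    printf 'CVE-2014-7169 by behaviour: %s\n' "$(probe_7169 "$1")"
}

# Usage: sh shellshock-check.sh [path-to-bash]   (defaults to bash in PATH)
report "${1:-bash}"
```

Run it against the target's shell (for an OE image, the bash staged into the sysroot or the one on the device) rather than the build host's. A "fixed" verdict by version with "vulnerable" by behaviour means the banner lies; the reverse means a backport is in place that did not bump PATCHLEVEL, which is exactly the case Francesco's argument for tracking the upstream patch series avoids.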


Thread overview: 9+ messages
2014-09-25 10:35 [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271) Francesco Del Degan
2014-09-25 22:40 ` Burton, Ross
2014-09-25 22:48   ` [yocto] " Mark Hatle
2014-09-25 22:48     ` Mark Hatle
2014-09-25 23:15     ` [yocto] " Burton, Ross
2014-09-25 23:15       ` [OE-core] " Burton, Ross
2014-09-26  3:00       ` Francesco Del Degan
2014-09-26 14:03         ` Mark Hatle
2014-09-26  3:10   ` Francesco Del Degan
