[PATCH] bash: CVE-2016-0634

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH] bash: CVE-2016-0634
@ 2017-04-20  6:38 Zhixiong Chi
  2017-04-20  7:01 ` ✗ patchtest: failure for " Patchwork
  0 siblings, 1 reply; 3+ messages in thread
From: Zhixiong Chi @ 2017-04-20  6:38 UTC (permalink / raw)
  To: openembedded-core

A vulnerability was found in a way bash expands the $HOSTNAME.
Injecting the hostname with malicious code would cause it to run
each time bash expanded \h in the prompt string.

Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/
bash43-047> to solve CVE-2016-0634

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 meta/recipes-extended/bash/bash_4.3.30.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index e398e87..b40059f 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-044;apply=yes;striplevel=0;name=patch044 \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-045;apply=yes;striplevel=0;name=patch045 \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-046;apply=yes;striplevel=0;name=patch046 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-047;apply=yes;striplevel=0;name=patch047 \
            file://execute_cmd.patch;striplevel=0 \
            file://mkbuiltins_have_stringize.patch \
            file://build-tests.patch \
@@ -68,5 +69,7 @@ SRC_URI[patch045.md5sum] = "4473244ca5abfd4b018ea26dc73e7412"
 SRC_URI[patch045.sha256sum] = "ba6ec3978e9eaa1eb3fabdaf3cc6fdf8c4606ac1c599faaeb4e2d69864150023"
 SRC_URI[patch046.md5sum] = "7e5fb09991c077076b86e0e057798913"
 SRC_URI[patch046.sha256sum] = "b3b456a6b690cd293353f17e22d92a202b3c8bce587ae5f2667c20c9ab6f688f"
+SRC_URI[patch047.md5sum] = "8483153bad1a6f52cadc3bd9a8df7835"
+SRC_URI[patch047.sha256sum] = "c69248de7e78ba6b92f118fe1ef47bc86479d5040fe0b1f908ace1c9e3c67c4a"
 
 BBCLASSEXTEND = "nativesdk"
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* ✗ patchtest: failure for bash: CVE-2016-0634
  2017-04-20  6:38 [PATCH] bash: CVE-2016-0634 Zhixiong Chi
@ 2017-04-20  7:01 ` Patchwork
  2017-04-25 17:04   ` Leonardo Sandoval
  0 siblings, 1 reply; 3+ messages in thread
From: Patchwork @ 2017-04-20  7:01 UTC (permalink / raw)
  To: Zhixiong Chi; +Cc: openembedded-core

== Series Details ==

Series: bash: CVE-2016-0634
Revision: 1
URL   : https://patchwork.openembedded.org/series/6434/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:

* Patch            bash: CVE-2016-0634
 Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: ✗ patchtest: failure for bash: CVE-2016-0634
  2017-04-20  7:01 ` ✗ patchtest: failure for " Patchwork
@ 2017-04-25 17:04   ` Leonardo Sandoval
  0 siblings, 0 replies; 3+ messages in thread
From: Leonardo Sandoval @ 2017-04-25 17:04 UTC (permalink / raw)
  To: openembedded-core

On Thu, 2017-04-20 at 07:01 +0000, Patchwork wrote:
> == Series Details ==
> 
> Series: bash: CVE-2016-0634
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/6434/
> State : failure
> 
> == Summary ==
> 
> 
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
> 
> 
> 
> * Patch            bash: CVE-2016-0634
>  Issue             Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] 
>   Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
> 
This is another false-positive issue raised by patchtest. No need to
send a second revision. This has been fixed at the patchtest-oe repo
(a3c87df58f76eafcb80b07260f1bcea966eca5ea)

Leo

> 
> 
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
> 
> ---
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
> 




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-04-25 16:56 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-20  6:38 [PATCH] bash: CVE-2016-0634 Zhixiong Chi
2017-04-20  7:01 ` ✗ patchtest: failure for " Patchwork
2017-04-25 17:04   ` Leonardo Sandoval

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox