* [dora] [PATCH 0/3] fixes for bash and apmd
@ 2014-10-02 7:07 Robert Yang
2014-10-02 7:07 ` [PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix) Robert Yang
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Robert Yang @ 2014-10-02 7:07 UTC (permalink / raw)
To: openembedded-core
The following changes since commit 5c51dd2e9bab54013652475888554bc4660dcff3:
qt4: Fix Qt 4.8.5 source to new location (2014-08-11 12:08:03 +0100)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib robert/dora-next
http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=robert/dora-next
Khem Raj (1):
bash: Fix CVE-2014-7169
Ross Burton (1):
bash: fix CVE-2014-6271
Tobias Blom (1):
apmd.service: Fix typo (not mandatory EnvironmentFile prefix)
meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service | 2 +-
.../bash/bash-3.2.48/cve-2014-6271.patch | 77 ++++++++++++++++++++
.../bash/bash-3.2.48/cve-2014-7169.patch | 16 ++++
meta/recipes-extended/bash/bash_3.2.48.bb | 2 +
4 files changed, 96 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
--
1.7.9.5
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix) 2014-10-02 7:07 [dora] [PATCH 0/3] fixes for bash and apmd Robert Yang @ 2014-10-02 7:07 ` Robert Yang 2014-10-02 7:07 ` [PATCH 2/3] bash: fix CVE-2014-6271 Robert Yang 2014-10-02 7:07 ` [PATCH 3/3] bash: Fix CVE-2014-7169 Robert Yang 2 siblings, 0 replies; 7+ messages in thread From: Robert Yang @ 2014-10-02 7:07 UTC (permalink / raw) To: openembedded-core From: Tobias Blom <tobias.blom@techne-dev.se> Prefix to EnvironmentFile should be preciding the filenamn. (From OE-Core rev: 1f694e4cb493b0737b6009382c0957e6837ebbed) Signed-off-by: Tobias Blom <tobias.blom@techne-dev.se> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> --- meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service b/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service index 62d6af1..ffab823 100644 --- a/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service +++ b/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service @@ -3,5 +3,5 @@ Description=Advanced Power Management daemon After=remote-fs.target [Service] -EnvironmentFile-= @SYSCONFDIR@/default/apmd +EnvironmentFile=-@SYSCONFDIR@/default/apmd ExecStart=@SBINDIR@/apmd -P @SYSCONFDIR@/apm/apmd_proxy $APMD -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/3] bash: fix CVE-2014-6271 2014-10-02 7:07 [dora] [PATCH 0/3] fixes for bash and apmd Robert Yang 2014-10-02 7:07 ` [PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix) Robert Yang @ 2014-10-02 7:07 ` Robert Yang 2014-10-02 7:07 ` [PATCH 3/3] bash: Fix CVE-2014-7169 Robert Yang 2 siblings, 0 replies; 7+ messages in thread From: Robert Yang @ 2014-10-02 7:07 UTC (permalink / raw) To: openembedded-core From: Ross Burton <ross.burton@intel.com> CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../bash/bash-3.2.48/cve-2014-6271.patch | 77 ++++++++++++++++++++ meta/recipes-extended/bash/bash_3.2.48.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch new file mode 100644 index 0000000..7226ffb --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch @@ -0,0 +1,77 @@ +Fix CVE-2014-6271, aka ShellShock. + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 +--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 34,37 **** +--- 34,39 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 235,238 **** +--- 235,246 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 292,295 **** +--- 300,306 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 +--- variables.c 2014-09-16 19:10:39.000000000 -0400 +*************** +*** 319,328 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 319,326 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 333,340 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 331,334 ---- diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index fe04b28..5849ed0 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb @@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ file://mkbuiltins_have_stringize.patch \ file://build-tests.patch \ file://test-output.patch \ + file://cve-2014-6271.patch;striplevel=0 \ file://run-ptest \ " -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/3] bash: Fix CVE-2014-7169 2014-10-02 7:07 [dora] [PATCH 0/3] fixes for bash and apmd Robert Yang 2014-10-02 7:07 ` [PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix) Robert Yang 2014-10-02 7:07 ` [PATCH 2/3] bash: fix CVE-2014-6271 Robert Yang @ 2014-10-02 7:07 ` Robert Yang 2014-10-02 12:28 ` Paul Eggleton 2 siblings, 1 reply; 7+ messages in thread From: Robert Yang @ 2014-10-02 7:07 UTC (permalink / raw) To: openembedded-core From: Khem Raj <raj.khem@gmail.com> This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../bash/bash-3.2.48/cve-2014-7169.patch | 16 ++++++++++++++++ meta/recipes-extended/bash/bash_3.2.48.bb | 1 + 2 files changed, 17 insertions(+) create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode 100644 index 0000000..2e734de --- /dev/null +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch @@ -0,0 +1,16 @@ +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10 + +Upstream-Status: Backport +Index: bash-3.2.48/parse.y +=================================================================== +--- bash-3.2.48.orig/parse.y 2008-04-29 18:24:55.000000000 -0700 ++++ bash-3.2.48/parse.y 2014-09-26 13:07:31.956080056 -0700 +@@ -2503,6 +2503,8 @@ + FREE (word_desc_to_read); + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + last_read_token = '\n'; + token_to_read = '\n'; + } diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644 --- a/meta/recipes-extended/bash/bash_3.2.48.bb +++ b/meta/recipes-extended/bash/bash_3.2.48.bb @@ -13,6 +13,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ file://build-tests.patch \ file://test-output.patch \ file://cve-2014-6271.patch;striplevel=0 \ + file://cve-2014-7169.patch \ file://run-ptest \ " -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] bash: Fix CVE-2014-7169 2014-10-02 7:07 ` [PATCH 3/3] bash: Fix CVE-2014-7169 Robert Yang @ 2014-10-02 12:28 ` Paul Eggleton 2014-10-02 14:28 ` Paul Eggleton 0 siblings, 1 reply; 7+ messages in thread From: Paul Eggleton @ 2014-10-02 12:28 UTC (permalink / raw) To: Robert Yang; +Cc: openembedded-core On Thursday 02 October 2014 00:07:41 Robert Yang wrote: > From: Khem Raj <raj.khem@gmail.com> > > This is a followup patch to incomplete CVE-2014-6271 fix > code execution via specially-crafted environment > > Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed > (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc) > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > Signed-off-by: Robert Yang <liezhi.yang@windriver.com> > --- > .../bash/bash-3.2.48/cve-2014-7169.patch | 16 ++++++++++++++++ > meta/recipes-extended/bash/bash_3.2.48.bb | 1 + > 2 files changed, 17 insertions(+) > create mode 100644 > meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > > diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode > 100644 > index 0000000..2e734de > --- /dev/null > +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > @@ -0,0 +1,16 @@ > +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10 > + > +Upstream-Status: Backport > +Index: bash-3.2.48/parse.y > +=================================================================== > +--- bash-3.2.48.orig/parse.y 2008-04-29 18:24:55.000000000 -0700 > ++++ bash-3.2.48/parse.y 2014-09-26 13:07:31.956080056 -0700 > +@@ -2503,6 +2503,8 @@ > + FREE (word_desc_to_read); > + word_desc_to_read = (WORD_DESC *)NULL; > + > ++ eol_ungetc_lookahead = 0; > ++ > + last_read_token = '\n'; > + token_to_read = '\n'; > + } > diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb > b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644 > --- a/meta/recipes-extended/bash/bash_3.2.48.bb > +++ b/meta/recipes-extended/bash/bash_3.2.48.bb > @@ -13,6 +13,7 @@ SRC_URI = > "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ > file://build-tests.patch \ > file://test-output.patch \ > file://cve-2014-6271.patch;striplevel=0 \ > + file://cve-2014-7169.patch \ > file://run-ptest \ > " Unfortunately these two only patch the 3.x version of the bash recipe, leaving the 4.x version unpatched. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] bash: Fix CVE-2014-7169 2014-10-02 12:28 ` Paul Eggleton @ 2014-10-02 14:28 ` Paul Eggleton 2014-10-08 3:53 ` Robert Yang 0 siblings, 1 reply; 7+ messages in thread From: Paul Eggleton @ 2014-10-02 14:28 UTC (permalink / raw) To: Robert Yang; +Cc: openembedded-core On Thursday 02 October 2014 13:28:54 Paul Eggleton wrote: > On Thursday 02 October 2014 00:07:41 Robert Yang wrote: > > From: Khem Raj <raj.khem@gmail.com> > > > > This is a followup patch to incomplete CVE-2014-6271 fix > > code execution via specially-crafted environment > > > > Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed > > (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc) > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > > Signed-off-by: Robert Yang <liezhi.yang@windriver.com> > > --- > > > > .../bash/bash-3.2.48/cve-2014-7169.patch | 16 > > ++++++++++++++++ > > meta/recipes-extended/bash/bash_3.2.48.bb | 1 + > > 2 files changed, 17 insertions(+) > > create mode 100644 > > > > meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > > > > diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > > b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode > > 100644 > > index 0000000..2e734de > > --- /dev/null > > +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch > > @@ -0,0 +1,16 @@ > > +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10 > > + > > +Upstream-Status: Backport > > +Index: bash-3.2.48/parse.y > > +=================================================================== > > +--- bash-3.2.48.orig/parse.y 2008-04-29 18:24:55.000000000 -0700 > > ++++ bash-3.2.48/parse.y 2014-09-26 13:07:31.956080056 -0700 > > +@@ -2503,6 +2503,8 @@ > > + FREE (word_desc_to_read); > > + word_desc_to_read = (WORD_DESC *)NULL; > > + > > ++ eol_ungetc_lookahead = 0; > > ++ > > + last_read_token = '\n'; > > + token_to_read = '\n'; > > + } > > diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb > > b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644 > > --- a/meta/recipes-extended/bash/bash_3.2.48.bb > > +++ b/meta/recipes-extended/bash/bash_3.2.48.bb > > @@ -13,6 +13,7 @@ SRC_URI = > > "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ > > file://build-tests.patch \ > > > > file://test-output.patch \ > > file://cve-2014-6271.patch;striplevel=0 \ > > > > + file://cve-2014-7169.patch \ > > > > file://run-ptest \ > > > > " > > Unfortunately these two only patch the 3.x version of the bash recipe, > leaving the 4.x version unpatched. I have just sent fixes for this. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] bash: Fix CVE-2014-7169 2014-10-02 14:28 ` Paul Eggleton @ 2014-10-08 3:53 ` Robert Yang 0 siblings, 0 replies; 7+ messages in thread From: Robert Yang @ 2014-10-08 3:53 UTC (permalink / raw) To: Paul Eggleton; +Cc: openembedded-core On 10/02/2014 10:28 PM, Paul Eggleton wrote: > On Thursday 02 October 2014 13:28:54 Paul Eggleton wrote: >> On Thursday 02 October 2014 00:07:41 Robert Yang wrote: >>> From: Khem Raj <raj.khem@gmail.com> >>> >>> This is a followup patch to incomplete CVE-2014-6271 fix >>> code execution via specially-crafted environment >>> >>> Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed >>> (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc) >>> >>> Signed-off-by: Khem Raj <raj.khem@gmail.com> >>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> >>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> >>> --- >>> >>> .../bash/bash-3.2.48/cve-2014-7169.patch | 16 >>> ++++++++++++++++ >>> meta/recipes-extended/bash/bash_3.2.48.bb | 1 + >>> 2 files changed, 17 insertions(+) >>> create mode 100644 >>> >>> meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch >>> >>> diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch >>> b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode >>> 100644 >>> index 0000000..2e734de >>> --- /dev/null >>> +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch >>> @@ -0,0 +1,16 @@ >>> +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10 >>> + >>> +Upstream-Status: Backport >>> +Index: bash-3.2.48/parse.y >>> +=================================================================== >>> +--- bash-3.2.48.orig/parse.y 2008-04-29 18:24:55.000000000 -0700 >>> ++++ bash-3.2.48/parse.y 2014-09-26 13:07:31.956080056 -0700 >>> +@@ -2503,6 +2503,8 @@ >>> + FREE (word_desc_to_read); >>> + word_desc_to_read = (WORD_DESC *)NULL; >>> + >>> ++ eol_ungetc_lookahead = 0; >>> ++ >>> + last_read_token = '\n'; >>> + token_to_read = '\n'; >>> + } >>> diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb >>> b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644 >>> --- a/meta/recipes-extended/bash/bash_3.2.48.bb >>> +++ b/meta/recipes-extended/bash/bash_3.2.48.bb >>> @@ -13,6 +13,7 @@ SRC_URI = >>> "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \ >>> file://build-tests.patch \ >>> >>> file://test-output.patch \ >>> file://cve-2014-6271.patch;striplevel=0 \ >>> >>> + file://cve-2014-7169.patch \ >>> >>> file://run-ptest \ >>> >>> " >> >> Unfortunately these two only patch the 3.x version of the bash recipe, >> leaving the 4.x version unpatched. > > I have just sent fixes for this. > Thank you very much, I just came back from the holiday. // Robert > Cheers, > Paul > ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-10-08 3:53 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-10-02 7:07 [dora] [PATCH 0/3] fixes for bash and apmd Robert Yang 2014-10-02 7:07 ` [PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix) Robert Yang 2014-10-02 7:07 ` [PATCH 2/3] bash: fix CVE-2014-6271 Robert Yang 2014-10-02 7:07 ` [PATCH 3/3] bash: Fix CVE-2014-7169 Robert Yang 2014-10-02 12:28 ` Paul Eggleton 2014-10-02 14:28 ` Paul Eggleton 2014-10-08 3:53 ` Robert Yang
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox