[dora] [PATCH 0/3] fixes for bash and apmd

[dora] [PATCH 0/3] fixes for bash and apmd

[Robert Yang]

The following changes since commit 5c51dd2e9bab54013652475888554bc4660dcff3:

  qt4: Fix Qt 4.8.5 source to new location (2014-08-11 12:08:03 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib robert/dora-next
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=robert/dora-next

Khem Raj (1):
  bash: Fix CVE-2014-7169

Ross Burton (1):
  bash: fix CVE-2014-6271

Tobias Blom (1):
  apmd.service: Fix typo (not mandatory EnvironmentFile prefix)

 meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service   |    2 +-
 .../bash/bash-3.2.48/cve-2014-6271.patch           |   77 ++++++++++++++++++++
 .../bash/bash-3.2.48/cve-2014-7169.patch           |   16 ++++
 meta/recipes-extended/bash/bash_3.2.48.bb          |    2 +
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
 create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch

-- 
1.7.9.5

[PATCH 1/3] apmd.service: Fix typo (not mandatory EnvironmentFile prefix)

[Robert Yang]

From: Tobias Blom <tobias.blom@techne-dev.se>

Prefix to EnvironmentFile should be preciding the filenamn.

(From OE-Core rev: 1f694e4cb493b0737b6009382c0957e6837ebbed)

Signed-off-by: Tobias Blom <tobias.blom@techne-dev.se>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service b/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service
index 62d6af1..ffab823 100644
--- a/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service
+++ b/meta/recipes-bsp/apmd/apmd-3.2.2-14/apmd.service
@@ -3,5 +3,5 @@ Description=Advanced Power Management daemon
 After=remote-fs.target
 
 [Service]
-EnvironmentFile-= @SYSCONFDIR@/default/apmd
+EnvironmentFile=-@SYSCONFDIR@/default/apmd
 ExecStart=@SBINDIR@/apmd -P @SYSCONFDIR@/apm/apmd_proxy $APMD
-- 
1.7.9.5

[PATCH 2/3] bash: fix CVE-2014-6271

[Robert Yang]

From: Ross Burton <ross.burton@intel.com>

CVE-2014-6271 aka ShellShock.

"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."

(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../bash/bash-3.2.48/cve-2014-6271.patch           |   77 ++++++++++++++++++++
 meta/recipes-extended/bash/bash_3.2.48.bb          |    1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
new file mode 100644
index 0000000..7226ffb
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
+Fix CVE-2014-6271, aka ShellShock.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+*** ../bash-3.2.51/builtins/common.h	2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h	2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
++ #define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
++ #define SEVAL_ONECMD	0x100		/* only allow a single command */
+  #define CDESC_ALL		0x001	/* type -a */
+  #define CDESC_SHORTDESC		0x002	/* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c	2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c	2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+  	      struct fd_bitmap *bitmap;
+  
++ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ 		{
++ 		  internal_warning ("%s: ignoring function definition attempt", from_file);
++ 		  should_jump_to_top_level = 0;
++ 		  last_result = last_command_exit_value = EX_BADUSAGE;
++ 		  break;
++ 		}
++ 
+  	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+  	      begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+  	      dispose_fd_bitmap (bitmap);
+  	      discard_unwind_frame ("pe_dispose");
++ 
++ 	      if (flags & SEVAL_ONECMD)
++ 		break;
+  	    }
+  	}
+*** ../bash-3.2.51/variables.c	2008-11-15 17:15:06.000000000 -0500
+--- variables.c	2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+! 	  /* Ancient backwards compatibility.  Old versions of bash exported
+! 	     functions like name()=() {...} */
+! 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! 	    name[char_index - 2] = '\0';
+  
+  	  if (temp_var = find_function (name))
+--- 319,326 ----
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  /* Don't import function names that are invalid identifiers from the
+! 	     environment. */
+! 	  if (legal_identifier (name))
+! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+  	  if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+  	  else
+  	    report_error (_("error importing function definition for `%s'"), name);
+- 
+- 	  /* ( */
+- 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- 	    name[char_index - 2] = '(';		/* ) */
+  	}
+  #if defined (ARRAY_VARS)
+--- 331,334 ----
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index fe04b28..5849ed0 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
            file://mkbuiltins_have_stringize.patch \
            file://build-tests.patch \
            file://test-output.patch \
+           file://cve-2014-6271.patch;striplevel=0 \
            file://run-ptest \
           "
 
-- 
1.7.9.5

[PATCH 3/3] bash: Fix CVE-2014-7169

[Robert Yang]

From: Khem Raj <raj.khem@gmail.com>

This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment

Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../bash/bash-3.2.48/cve-2014-7169.patch           |   16 ++++++++++++++++
 meta/recipes-extended/bash/bash_3.2.48.bb          |    1 +
 2 files changed, 17 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch

diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
new file mode 100644
index 0000000..2e734de
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
@@ -0,0 +1,16 @@
+Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10
+
+Upstream-Status: Backport
+Index: bash-3.2.48/parse.y
+===================================================================
+--- bash-3.2.48.orig/parse.y	2008-04-29 18:24:55.000000000 -0700
++++ bash-3.2.48/parse.y	2014-09-26 13:07:31.956080056 -0700
+@@ -2503,6 +2503,8 @@
+   FREE (word_desc_to_read);
+   word_desc_to_read = (WORD_DESC *)NULL;
+ 
++  eol_ungetc_lookahead = 0;
++
+   last_read_token = '\n';
+   token_to_read = '\n';
+ }
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 5849ed0..e6a04cd 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -13,6 +13,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
            file://build-tests.patch \
            file://test-output.patch \
            file://cve-2014-6271.patch;striplevel=0 \
+           file://cve-2014-7169.patch \
            file://run-ptest \
           "
 
-- 
1.7.9.5

Re: [PATCH 3/3] bash: Fix CVE-2014-7169

[Paul Eggleton]

On Thursday 02 October 2014 00:07:41 Robert Yang wrote:
> From: Khem Raj <raj.khem@gmail.com>
> 
> This is a followup patch to incomplete CVE-2014-6271 fix
> code execution via specially-crafted environment
> 
> Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
> (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
> 
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
>  .../bash/bash-3.2.48/cve-2014-7169.patch           |   16 ++++++++++++++++
>  meta/recipes-extended/bash/bash_3.2.48.bb          |    1 +
>  2 files changed, 17 insertions(+)
>  create mode 100644
> meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> 
> diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode
> 100644
> index 0000000..2e734de
> --- /dev/null
> +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> @@ -0,0 +1,16 @@
> +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10
> +
> +Upstream-Status: Backport
> +Index: bash-3.2.48/parse.y
> +===================================================================
> +--- bash-3.2.48.orig/parse.y	2008-04-29 18:24:55.000000000 -0700
> ++++ bash-3.2.48/parse.y	2014-09-26 13:07:31.956080056 -0700
> +@@ -2503,6 +2503,8 @@
> +   FREE (word_desc_to_read);
> +   word_desc_to_read = (WORD_DESC *)NULL;
> +
> ++  eol_ungetc_lookahead = 0;
> ++
> +   last_read_token = '\n';
> +   token_to_read = '\n';
> + }
> diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb
> b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644
> --- a/meta/recipes-extended/bash/bash_3.2.48.bb
> +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
> @@ -13,6 +13,7 @@ SRC_URI =
> "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> file://build-tests.patch \
>             file://test-output.patch \
>             file://cve-2014-6271.patch;striplevel=0 \
> +           file://cve-2014-7169.patch \
>             file://run-ptest \
>            "

Unfortunately these two only patch the 3.x version of the bash recipe, leaving 
the 4.x version unpatched.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: [PATCH 3/3] bash: Fix CVE-2014-7169

[Paul Eggleton]

On Thursday 02 October 2014 13:28:54 Paul Eggleton wrote:
> On Thursday 02 October 2014 00:07:41 Robert Yang wrote:
> > From: Khem Raj <raj.khem@gmail.com>
> > 
> > This is a followup patch to incomplete CVE-2014-6271 fix
> > code execution via specially-crafted environment
> > 
> > Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
> > (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
> > 
> > Signed-off-by: Khem Raj <raj.khem@gmail.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> > ---
> > 
> >  .../bash/bash-3.2.48/cve-2014-7169.patch           |   16
> >  ++++++++++++++++
> >  meta/recipes-extended/bash/bash_3.2.48.bb          |    1 +
> >  2 files changed, 17 insertions(+)
> >  create mode 100644
> > 
> > meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> > 
> > diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> > b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode
> > 100644
> > index 0000000..2e734de
> > --- /dev/null
> > +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
> > @@ -0,0 +1,16 @@
> > +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10
> > +
> > +Upstream-Status: Backport
> > +Index: bash-3.2.48/parse.y
> > +===================================================================
> > +--- bash-3.2.48.orig/parse.y	2008-04-29 18:24:55.000000000 -0700
> > ++++ bash-3.2.48/parse.y	2014-09-26 13:07:31.956080056 -0700
> > +@@ -2503,6 +2503,8 @@
> > +   FREE (word_desc_to_read);
> > +   word_desc_to_read = (WORD_DESC *)NULL;
> > +
> > ++  eol_ungetc_lookahead = 0;
> > ++
> > +   last_read_token = '\n';
> > +   token_to_read = '\n';
> > + }
> > diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb
> > b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644
> > --- a/meta/recipes-extended/bash/bash_3.2.48.bb
> > +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
> > @@ -13,6 +13,7 @@ SRC_URI =
> > "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> > file://build-tests.patch \
> > 
> >             file://test-output.patch \
> >             file://cve-2014-6271.patch;striplevel=0 \
> > 
> > +           file://cve-2014-7169.patch \
> > 
> >             file://run-ptest \
> >            
> >            "
> 
> Unfortunately these two only patch the 3.x version of the bash recipe,
> leaving the 4.x version unpatched.

I have just sent fixes for this.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: [PATCH 3/3] bash: Fix CVE-2014-7169

[Robert Yang]

On 10/02/2014 10:28 PM, Paul Eggleton wrote:
> On Thursday 02 October 2014 13:28:54 Paul Eggleton wrote:
>> On Thursday 02 October 2014 00:07:41 Robert Yang wrote:
>>> From: Khem Raj <raj.khem@gmail.com>
>>>
>>> This is a followup patch to incomplete CVE-2014-6271 fix
>>> code execution via specially-crafted environment
>>>
>>> Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
>>> (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
>>>
>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>>> ---
>>>
>>>   .../bash/bash-3.2.48/cve-2014-7169.patch           |   16
>>>   ++++++++++++++++
>>>   meta/recipes-extended/bash/bash_3.2.48.bb          |    1 +
>>>   2 files changed, 17 insertions(+)
>>>   create mode 100644
>>>
>>> meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
>>>
>>> diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
>>> b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch new file mode
>>> 100644
>>> index 0000000..2e734de
>>> --- /dev/null
>>> +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7169.patch
>>> @@ -0,0 +1,16 @@
>>> +Taken from http://www.openwall.com/lists/oss-security/2016/09/25/10
>>> +
>>> +Upstream-Status: Backport
>>> +Index: bash-3.2.48/parse.y
>>> +===================================================================
>>> +--- bash-3.2.48.orig/parse.y	2008-04-29 18:24:55.000000000 -0700
>>> ++++ bash-3.2.48/parse.y	2014-09-26 13:07:31.956080056 -0700
>>> +@@ -2503,6 +2503,8 @@
>>> +   FREE (word_desc_to_read);
>>> +   word_desc_to_read = (WORD_DESC *)NULL;
>>> +
>>> ++  eol_ungetc_lookahead = 0;
>>> ++
>>> +   last_read_token = '\n';
>>> +   token_to_read = '\n';
>>> + }
>>> diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb
>>> b/meta/recipes-extended/bash/bash_3.2.48.bb index 5849ed0..e6a04cd 100644
>>> --- a/meta/recipes-extended/bash/bash_3.2.48.bb
>>> +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
>>> @@ -13,6 +13,7 @@ SRC_URI =
>>> "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
>>> file://build-tests.patch \
>>>
>>>              file://test-output.patch \
>>>              file://cve-2014-6271.patch;striplevel=0 \
>>>
>>> +           file://cve-2014-7169.patch \
>>>
>>>              file://run-ptest \
>>>
>>>             "
>>
>> Unfortunately these two only patch the 3.x version of the bash recipe,
>> leaving the 4.x version unpatched.
>
> I have just sent fixes for this.
>

Thank you very much, I just came back from the holiday.

// Robert

> Cheers,
> Paul
>