* [dora][PATCH 1/4] bash: Fix for exported function namespace change
2014-10-12 20:27 [dora][PATCH 0/4] Backport remaining shellshock fixes to dora branch Paul Eggleton
@ 2014-10-12 20:27 ` Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 2/4] bash: Fix for CVE-2014-7186 and CVE-2014-7187 Paul Eggleton
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2014-10-12 20:27 UTC (permalink / raw)
To: openembedded-core
From: Catalin Popeanga <Catalin.Popeanga@enea.com>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
...r-bash-exported-function-namespace-change.patch | 158 +++++++++++++++
...r-bash-exported-function-namespace-change.patch | 212 +++++++++++++++++++++
meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
meta/recipes-extended/bash/bash_4.2.bb | 1 +
4 files changed, 372 insertions(+)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/Fix-for-bash-exported-function-namespace-change.patch
create mode 100644 meta/recipes-extended/bash/bash-4.2/Fix-for-bash-exported-function-namespace-change.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/Fix-for-bash-exported-function-namespace-change.patch b/meta/recipes-extended/bash/bash-3.2.48/Fix-for-bash-exported-function-namespace-change.patch
new file mode 100644
index 0000000..c087016
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/Fix-for-bash-exported-function-namespace-change.patch
@@ -0,0 +1,158 @@
+Fix for exported function namespace change
+
+Upstream-Status: Backport
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-054
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-054
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+This patch changes the encoding bash uses for exported functions to avoid
+clashes with shell variables and to avoid depending only on an environment
+variable's contents to determine whether or not to interpret it as a shell
+function.
+---
+--- a/variables.c 2014-09-16 19:10:39.000000000 -0400
++++ b/variables.c 2014-09-27 21:02:08.000000000 -0400
+@@ -75,4 +75,9 @@
+ #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
+
++#define BASHFUNC_PREFIX "BASH_FUNC_"
++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
++#define BASHFUNC_SUFFIX "%%"
++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+
+@@ -242,5 +247,5 @@
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+@@ -310,19 +315,30 @@
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++ if (privmode == 0 && read_but_dont_execute == 0 &&
++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
++ STREQN ("() {", string, 4))
+ {
++ size_t namelen;
++ char *tname; /* desired imported function name */
++
++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
++
++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
++ tname[namelen] = '\0'; /* now tname == func name */
++
+ string_length = strlen (string);
+- temp_string = (char *)xmalloc (3 + string_length + char_index);
++ temp_string = (char *)xmalloc (namelen + string_length + 2);
+
+- strcpy (temp_string, name);
+- temp_string[char_index] = ' ';
+- strcpy (temp_string + char_index + 1, string);
++ memcpy (temp_string, tname, namelen);
++ temp_string[namelen] = ' ';
++ memcpy (temp_string + namelen + 1, string, string_length + 1);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+- if (legal_identifier (name))
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+- if (temp_var = find_function (name))
++ if (temp_var = find_function (tname))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+@@ -330,5 +346,8 @@
+ }
+ else
+- report_error (_("error importing function definition for `%s'"), name);
++ report_error (_("error importing function definition for `%s'"), tname);
++
++ /* Restore original suffix */
++ tname[namelen] = BASHFUNC_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+@@ -2208,5 +2227,5 @@
+
+ INVALIDATE_EXPORTSTR (var);
+- var->exportstr = mk_env_string (name, value);
++ var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+@@ -2999,19 +3018,40 @@
+
+ static inline char *
+-mk_env_string (name, value)
++mk_env_string (name, value, isfunc)
+ const char *name, *value;
++ int isfunc;
+ {
+- int name_len, value_len;
+- char *p;
++ size_t name_len, value_len;
++ char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+- p = (char *)xmalloc (2 + name_len + value_len);
+- strcpy (p, name);
+- p[name_len] = '=';
++
++ /* If we are exporting a shell function, construct the encoded function
++ name. */
++ if (isfunc && value)
++ {
++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
++ q = p;
++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
++ q += BASHFUNC_PREFLEN;
++ memcpy (q, name, name_len);
++ q += name_len;
++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
++ q += BASHFUNC_SUFFLEN;
++ }
++ else
++ {
++ p = (char *)xmalloc (2 + name_len + value_len);
++ memcpy (p, name, name_len);
++ q = p + name_len;
++ }
++
++ q[0] = '=';
+ if (value && *value)
+- strcpy (p + name_len + 1, value);
++ memcpy (q + 1, value, value_len + 1);
+ else
+- p[name_len + 1] = '\0';
++ q[1] = '\0';
++
+ return (p);
+ }
+@@ -3088,5 +3128,5 @@
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+- : mk_env_string (var->name, value);
++ : mk_env_string (var->name, value, function_p (var));
+
+ if (USE_EXPORTSTR == 0)
diff --git a/meta/recipes-extended/bash/bash-4.2/Fix-for-bash-exported-function-namespace-change.patch b/meta/recipes-extended/bash/bash-4.2/Fix-for-bash-exported-function-namespace-change.patch
new file mode 100644
index 0000000..0fb2ad5
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/Fix-for-bash-exported-function-namespace-change.patch
@@ -0,0 +1,212 @@
+Fix for exported function namespace change
+
+Upstream-Status: Backport
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-050
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-050
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+This patch changes the encoding bash uses for exported functions to avoid
+clashes with shell variables and to avoid depending only on an environment
+variable's contents to determine whether or not to interpret it as a shell
+function.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.49/variables.c 2014-09-16 19:35:45.000000000 -0400
+--- variables.c 2014-09-27 20:54:00.000000000 -0400
+***************
+*** 80,83 ****
+--- 80,88 ----
+ #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
+
++ #define BASHFUNC_PREFIX "BASH_FUNC_"
++ #define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
++ #define BASHFUNC_SUFFIX "%%"
++ #define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
++
+ extern char **environ;
+
+***************
+*** 269,273 ****
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+! static inline char *mk_env_string __P((const char *, const char *));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+--- 274,278 ----
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+! static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+***************
+*** 339,357 ****
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+! if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+ {
+ string_length = strlen (string);
+! temp_string = (char *)xmalloc (3 + string_length + char_index);
+
+! strcpy (temp_string, name);
+! temp_string[char_index] = ' ';
+! strcpy (temp_string + char_index + 1, string);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+! if (temp_var = find_function (name))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+--- 344,373 ----
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+! if (privmode == 0 && read_but_dont_execute == 0 &&
+! STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
+! STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
+! STREQN ("() {", string, 4))
+ {
++ size_t namelen;
++ char *tname; /* desired imported function name */
++
++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
++
++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
++ tname[namelen] = '\0'; /* now tname == func name */
++
+ string_length = strlen (string);
+! temp_string = (char *)xmalloc (namelen + string_length + 2);
+
+! memcpy (temp_string, tname, namelen);
+! temp_string[namelen] = ' ';
+! memcpy (temp_string + namelen + 1, string, string_length + 1);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+! if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
+! parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+! if (temp_var = find_function (tname))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+***************
+*** 359,363 ****
+ }
+ else
+! report_error (_("error importing function definition for `%s'"), name);
+ }
+ #if defined (ARRAY_VARS)
+--- 375,382 ----
+ }
+ else
+! report_error (_("error importing function definition for `%s'"), tname);
+!
+! /* Restore original suffix */
+! tname[namelen] = BASHFUNC_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+***************
+*** 2538,2542 ****
+
+ INVALIDATE_EXPORTSTR (var);
+! var->exportstr = mk_env_string (name, value);
+
+ array_needs_making = 1;
+--- 2557,2561 ----
+
+ INVALIDATE_EXPORTSTR (var);
+! var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+***************
+*** 3390,3408 ****
+
+ static inline char *
+! mk_env_string (name, value)
+ const char *name, *value;
+ {
+! int name_len, value_len;
+! char *p;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+! p = (char *)xmalloc (2 + name_len + value_len);
+! strcpy (p, name);
+! p[name_len] = '=';
+ if (value && *value)
+! strcpy (p + name_len + 1, value);
+ else
+! p[name_len + 1] = '\0';
+ return (p);
+ }
+--- 3409,3448 ----
+
+ static inline char *
+! mk_env_string (name, value, isfunc)
+ const char *name, *value;
++ int isfunc;
+ {
+! size_t name_len, value_len;
+! char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+!
+! /* If we are exporting a shell function, construct the encoded function
+! name. */
+! if (isfunc && value)
+! {
+! p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
+! q = p;
+! memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
+! q += BASHFUNC_PREFLEN;
+! memcpy (q, name, name_len);
+! q += name_len;
+! memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
+! q += BASHFUNC_SUFFLEN;
+! }
+! else
+! {
+! p = (char *)xmalloc (2 + name_len + value_len);
+! memcpy (p, name, name_len);
+! q = p + name_len;
+! }
+!
+! q[0] = '=';
+ if (value && *value)
+! memcpy (q + 1, value, value_len + 1);
+ else
+! q[1] = '\0';
+!
+ return (p);
+ }
+***************
+*** 3490,3494 ****
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+! : mk_env_string (var->name, value);
+
+ if (USE_EXPORTSTR == 0)
+--- 3530,3534 ----
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+! : mk_env_string (var->name, value, function_p (var));
+
+ if (USE_EXPORTSTR == 0)
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index e6a04cd..a5417f1 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://test-output.patch \
file://cve-2014-6271.patch;striplevel=0 \
file://cve-2014-7169.patch \
+ file://Fix-for-bash-exported-function-namespace-change.patch \
file://run-ptest \
"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index e3fa39d..7222259 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://test-output.patch \
file://cve-2014-6271.patch;striplevel=0 \
file://cve-2014-7169.patch \
+ file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
file://run-ptest \
"
--
1.9.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* [dora][PATCH 2/4] bash: Fix for CVE-2014-7186 and CVE-2014-7187
2014-10-12 20:27 [dora][PATCH 0/4] Backport remaining shellshock fixes to dora branch Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 1/4] bash: Fix for exported function namespace change Paul Eggleton
@ 2014-10-12 20:27 ` Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 3/4] bash: Fix for CVE-2014-6277 Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 4/4] bash: Fix-for-CVE-2014-6278 Paul Eggleton
3 siblings, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2014-10-12 20:27 UTC (permalink / raw)
To: openembedded-core
From: Catalin Popeanga <Catalin.Popeanga@enea.com>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../bash-3.2.48/cve-2014-7186_cve-2014-7187.patch | 99 ++++++++++++
.../bash-4.2/cve-2014-7186_cve-2014-7187.patch | 167 +++++++++++++++++++++
meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
meta/recipes-extended/bash/bash_4.2.bb | 1 +
4 files changed, 268 insertions(+)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
create mode 100644 meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000..dcb8ea4
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,99 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash32-055}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-055
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+---
+--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
++++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
+@@ -166,4 +166,7 @@
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++static void push_heredoc __P((REDIRECT *));
++static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+@@ -254,5 +257,7 @@
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++#define HEREDOC_MAX 16
++
++static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+@@ -280,5 +285,5 @@
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+-static int word_lineno[MAX_CASE_NEST];
++static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+@@ -425,5 +430,5 @@
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+@@ -431,5 +436,5 @@
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+@@ -488,5 +493,5 @@
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+@@ -495,5 +500,5 @@
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+- redir_stack[need_here_doc++] = $$;
++ push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+@@ -2214,4 +2219,19 @@
+ static int esacs_needed_count;
+
++static void
++push_heredoc (r)
++ REDIRECT *r;
++{
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++}
++
+ void
+ gather_here_documents ()
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
new file mode 100644
index 0000000..b51ce5f
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-7186_cve-2014-7187.patch
@@ -0,0 +1,167 @@
+bash: Fix for CVE-2014-7186 and CVE-2014-7187
+
+Upstream-Status: Backport {GNU Patch-ID: bash42-051}
+
+Downloaded from: http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-051
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-051
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
+--- parse.y 2014-09-30 19:24:19.000000000 -0400
+***************
+*** 168,171 ****
+--- 168,174 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 265,269 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 268,274 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 307,311 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 312,316 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 520,524 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 525,529 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 527,531 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS WORD
+--- 532,536 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS WORD
+***************
+*** 534,538 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_MINUS WORD
+--- 539,543 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_MINUS WORD
+***************
+*** 541,545 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 546,550 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 548,552 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+--- 553,557 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+***************
+*** 555,559 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 560,564 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 2534,2537 ****
+--- 2539,2557 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index a5417f1..2b26ae7 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://cve-2014-6271.patch;striplevel=0 \
file://cve-2014-7169.patch \
file://Fix-for-bash-exported-function-namespace-change.patch \
+ file://cve-2014-7186_cve-2014-7187.patch \
file://run-ptest \
"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 7222259..ae63ad3 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://cve-2014-6271.patch;striplevel=0 \
file://cve-2014-7169.patch \
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
+ file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
file://run-ptest \
"
--
1.9.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* [dora][PATCH 3/4] bash: Fix for CVE-2014-6277
2014-10-12 20:27 [dora][PATCH 0/4] Backport remaining shellshock fixes to dora branch Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 1/4] bash: Fix for exported function namespace change Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 2/4] bash: Fix for CVE-2014-7186 and CVE-2014-7187 Paul Eggleton
@ 2014-10-12 20:27 ` Paul Eggleton
2014-10-12 20:27 ` [dora][PATCH 4/4] bash: Fix-for-CVE-2014-6278 Paul Eggleton
3 siblings, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2014-10-12 20:27 UTC (permalink / raw)
To: openembedded-core
From: Catalin Popeanga <Catalin.Popeanga@enea.com>
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../bash/bash-3.2.48/cve-2014-6277.patch | 44 ++++++++++++++++++++++
.../bash/bash-4.2/cve-2014-6277.patch | 44 ++++++++++++++++++++++
meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
meta/recipes-extended/bash/bash_4.2.bb | 1 +
4 files changed, 90 insertions(+)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
create mode 100644 meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
new file mode 100644
index 0000000..ed63916
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-056
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-056
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c 2006-09-12 09:21:22.000000000 -0400
++++ b/make_cmd.c 2014-10-02 11:41:40.000000000 -0400
+@@ -677,4 +677,5 @@
+ temp->redirector = source;
+ temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+ temp->instruction = instruction;
+ temp->flags = 0;
+--- a/copy_cmd.c 2003-10-07 11:43:44.000000000 -0400
++++ b/copy_cmd.c 2014-10-02 11:41:40.000000000 -0400
+@@ -117,5 +117,5 @@
+ case r_reading_until:
+ case r_deblank_reading_until:
+- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
++ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+ /*FALLTHROUGH*/
+ case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
new file mode 100644
index 0000000..83b4002
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6277.patch
@@ -0,0 +1,44 @@
+bash: Fix CVE-2014-6277 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-4.3-patches/bash43-029
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-029
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+---
+--- a/make_cmd.c 2011-12-16 08:08:01.000000000 -0500
++++ b/make_cmd.c 2014-10-02 11:24:23.000000000 -0400
+@@ -693,4 +693,5 @@
+ temp->redirector = source;
+ temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+ temp->instruction = instruction;
+ temp->flags = 0;
+--- a/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
++++ b/copy_cmd.c 2014-10-02 11:24:23.000000000 -0400
+@@ -127,5 +127,5 @@
+ case r_reading_until:
+ case r_deblank_reading_until:
+- new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
++ new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+ /*FALLTHROUGH*/
+ case r_reading_string:
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 2b26ae7..4bd97e7 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://cve-2014-7169.patch \
file://Fix-for-bash-exported-function-namespace-change.patch \
file://cve-2014-7186_cve-2014-7187.patch \
+ file://cve-2014-6277.patch \
file://run-ptest \
"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index ae63ad3..35af812 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://cve-2014-7169.patch \
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
+ file://cve-2014-6277.patch \
file://run-ptest \
"
--
1.9.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* [dora][PATCH 4/4] bash: Fix-for-CVE-2014-6278
2014-10-12 20:27 [dora][PATCH 0/4] Backport remaining shellshock fixes to dora branch Paul Eggleton
` (2 preceding siblings ...)
2014-10-12 20:27 ` [dora][PATCH 3/4] bash: Fix for CVE-2014-6277 Paul Eggleton
@ 2014-10-12 20:27 ` Paul Eggleton
3 siblings, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2014-10-12 20:27 UTC (permalink / raw)
To: openembedded-core
From: Catalin Popeanga <Catalin.Popeanga@enea.com>
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
.../bash/bash-3.2.48/cve-2014-6278.patch | 99 ++++++++++++++++
.../bash/bash-4.2/cve-2014-6278.patch | 127 +++++++++++++++++++++
meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
meta/recipes-extended/bash/bash_4.2.bb | 1 +
4 files changed, 228 insertions(+)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
create mode 100644 meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
new file mode 100644
index 0000000..e51ce05
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6278.patch
@@ -0,0 +1,99 @@
+bash: Fix CVE-2014-6278 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+ftp://ftp.gnu.org/pub/bash/bash-3.2-patches/bash32-057
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.2
+Patch-ID: bash32-057
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+--- a/builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
++++ b/builtins/evalstring.c 2014-10-04 15:58:35.000000000 -0400
+@@ -44,4 +44,5 @@
+ #include "../redir.h"
+ #include "../trap.h"
++#include "../bashintl.h"
+
+ #if defined (HISTORY)
+@@ -235,10 +236,23 @@
+ struct fd_bitmap *bitmap;
+
+- if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ if (flags & SEVAL_FUNCDEF)
+ {
+- internal_warning ("%s: ignoring function definition attempt", from_file);
+- should_jump_to_top_level = 0;
+- last_result = last_command_exit_value = EX_BADUSAGE;
+- break;
++ char *x;
++
++ /* If the command parses to something other than a straight
++ function definition, or if we have not consumed the entire
++ string, or if the parser has transformed the function
++ name (as parsing will if it begins or ends with shell
++ whitespace, for example), reject the attempt */
++ if (command->type != cm_function_def ||
++ ((x = parser_remaining_input ()) && *x) ||
++ (STREQ (from_file, command->value.Function_def->name->word) == 0))
++ {
++ internal_warning (_("%s: ignoring function definition attempt"), from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ reset_parser ();
++ break;
++ }
+ }
+
+@@ -302,5 +316,8 @@
+
+ if (flags & SEVAL_ONECMD)
+- break;
++ {
++ reset_parser ();
++ break;
++ }
+ }
+ }
+--- a/parse.y 2014-09-30 19:43:22.000000000 -0400
++++ b/parse.y 2014-10-04 15:58:35.000000000 -0400
+@@ -2125,4 +2125,14 @@
+ }
+
++char *
++parser_remaining_input ()
++{
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++}
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+--- a/shell.h 2008-04-28 22:00:24.000000000 -0400
++++ b/shell.h 2014-10-04 15:58:35.000000000 -0400
+@@ -161,4 +161,6 @@
+
+ /* Let's try declaring these here. */
++extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
new file mode 100644
index 0000000..b25314f
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-4.2/cve-2014-6278.patch
@@ -0,0 +1,127 @@
+bash: Fix CVE-2014-6278 (shellshock)
+
+Upstream-status: backport
+
+Downloaded from:
+http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-053
+
+Author: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-053
+
+Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
+--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+ struct fd_bitmap *bitmap;
+
+! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+! internal_warning ("%s: ignoring function definition attempt", from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! break;
+ }
+
+--- 262,284 ----
+ struct fd_bitmap *bitmap;
+
+! if (flags & SEVAL_FUNCDEF)
+ {
+! char *x;
+!
+! /* If the command parses to something other than a straight
+! function definition, or if we have not consumed the entire
+! string, or if the parser has transformed the function
+! name (as parsing will if it begins or ends with shell
+! whitespace, for example), reject the attempt */
+! if (command->type != cm_function_def ||
+! ((x = parser_remaining_input ()) && *x) ||
+! (STREQ (from_file, command->value.Function_def->name->word) == 0))
+! {
+! internal_warning (_("%s: ignoring function definition attempt"), from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! reset_parser ();
+! break;
+! }
+ }
+
+***************
+*** 332,336 ****
+
+ if (flags & SEVAL_ONECMD)
+! break;
+ }
+ }
+--- 345,352 ----
+
+ if (flags & SEVAL_ONECMD)
+! {
+! reset_parser ();
+! break;
+! }
+ }
+ }
+*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
+--- parse.y 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+ }
+
++ char *
++ parser_remaining_input ()
++ {
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++ }
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+! if (interactive)
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+!
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
+--- shell.h 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+
+ /* Let's try declaring these here. */
++ extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index 4bd97e7..d642abd 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://Fix-for-bash-exported-function-namespace-change.patch \
file://cve-2014-7186_cve-2014-7187.patch \
file://cve-2014-6277.patch \
+ file://cve-2014-6278.patch \
file://run-ptest \
"
diff --git a/meta/recipes-extended/bash/bash_4.2.bb b/meta/recipes-extended/bash/bash_4.2.bb
index 35af812..e2d391d 100644
--- a/meta/recipes-extended/bash/bash_4.2.bb
+++ b/meta/recipes-extended/bash/bash_4.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://Fix-for-bash-exported-function-namespace-change.patch;striplevel=0 \
file://cve-2014-7186_cve-2014-7187.patch;striplevel=0 \
file://cve-2014-6277.patch \
+ file://cve-2014-6278.patch;striplevel=0 \
file://run-ptest \
"
--
1.9.3
^ permalink raw reply related [flat|nested] 5+ messages in thread