Hello community, here is the log from the commit of package bash for openSUSE:Factory checked in at 2014-09-29 12:40:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bash (Old) and /work/SRC/openSUSE:Factory/.bash.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "bash" Changes: -------- --- /work/SRC/openSUSE:Factory/bash/bash.changes 2014-09-28 19:53:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.bash.new/bash.changes 2014-09-29 12:40:46.000000000 +0200 @@ -1,0 +2,11 @@ +Fri Sep 26 11:07:24 UTC 2014 - werner@suse.de + +- Add patches + bash-4.2-BSC898604.patch for bsc#898604: functions via environment + hardening + bash-4.2-CVE-2014-7169.patch for bsc#898346, CVE-2014-7169: + incremental parsing fix for function environment issue + bash-4.2-CVE-2014-7187.patch for bsc#898603, CVE-2014-7186, + CVE-2014-7187: bad handling of HERE documents and for loop issue + +------------------------------------------------------------------- New: ---- bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch bash-4.2-CVE-2014-7187.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bash.spec ++++++ --- /var/tmp/diff_new_pack.2HePQg/_old 2014-09-29 12:40:48.000000000 +0200 +++ /var/tmp/diff_new_pack.2HePQg/_new 2014-09-29 12:40:48.000000000 +0200 @@ -101,6 +101,9 @@ Patch47: config-guess-sub-update.patch # PATCH-FIX-UPSTREAM bnc#895475 -- bnc#896776, CVE-2014-6271: unexpected code execution with environment variables Patch48: bash-4.2-CVE-2014-6271.patch +Patch49: bash-4.2-BSC898604.patch +Patch50: bash-4.2-CVE-2014-7169.patch +Patch51: bash-4.2-CVE-2014-7187.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir /etc %global _incdir %{_includedir} 
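Review bot: The three new `PatchNN:` entries in bash.spec have no tag comment, unlike `Patch48`, which carries a `# PATCH-FIX-UPSTREAM …` line naming its bug and CVE ids. Anyone auditing the package later has to consult bash.changes to learn which patch closes which issue. A comment above each entry in the same style would fix that, for example `# bsc#898346, CVE-2014-7169: incremental parsing fix for function environment issue` above `Patch50`. The prefix tag should reflect each patch's real origin, which this page does not state.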
@@ -323,6 +326,9 @@ %patch46 -p0 -b .notimestamp %patch47 %patch48 -p2 +%patch49 -p0 +%patch50 -p0 +%patch51 -p0 %patch0 -p0 -b .0 pushd ../readline-%{rl_vers}%{extend} for patch in ../readline-%{rl_vers}-patches/*; do ++++++ bash-4.2-BSC898604.patch ++++++ --- ../bash-4.2-orig/variables.c 2014-09-25 13:07:59.313209541 +0200 +++ variables.c 2014-09-25 13:15:29.869420719 +0200 @@ -268,7 +268,7 @@ static void propagate_temp_var __P((PTR_T)); static void dispose_temporary_env __P((sh_free_func_t *)); -static inline char *mk_env_string __P((const char *, const char *)); +static inline char *mk_env_string __P((const char *, const char *, int)); static char **make_env_array_from_var_list __P((SHELL_VAR **)); static char **make_var_export_array __P((VAR_CONTEXT *)); static char **make_func_export_array __P((void)); @@ -301,6 +301,14 @@ #endif } +/* Prefix and suffix for environment variable names which contain + shell functions. */ +#define FUNCDEF_PREFIX "BASH_FUNC_" +#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX)) +#define FUNCDEF_SUFFIX "()" +#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX)) + + /* Initialize the shell variables from the current environment. If PRIVMODE is nonzero, don't import functions from ENV or parse $SHELLOPTS. */ 
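Review bot: The comment above `FUNCDEF_PREFIX` in variables.c says what the macros are but not the security reason for them, which is the purpose of this patch. As far as the condition in the following import hunk shows, a value is parsed as a function definition only when the variable's name starts with the prefix and ends with the suffix, so a value beginning with `() {` under an ordinary name no longer reaches that branch. A sentence such as `Only variables named FUNCDEF_PREFIX name FUNCDEF_SUFFIX are considered for function import; the value of any other variable is never parsed as code.` would record that. As a smaller style point, the two `_LEN` macros call strlen on a literal at every use; `#define FUNCDEF_PREFIX_LEN (sizeof (FUNCDEF_PREFIX) - 1)` gives a compile-time constant.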
@@ -338,27 +346,39 @@ /* If exported function, define it now. Don't import functions from the environment in privileged mode. */ - if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) - { - string_length = strlen (string); - temp_string = (char *)xmalloc (3 + string_length + char_index); + if (privmode == 0 && read_but_dont_execute == 0 + && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN) + && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX) + && STREQN ("() {", string, 4)) + { + size_t name_length + = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN); + char *temp_name = name + FUNCDEF_PREFIX_LEN; + /* Temporarily remove the suffix. */ + temp_name[name_length] = '\0'; - strcpy (temp_string, name); - temp_string[char_index] = ' '; - strcpy (temp_string + char_index + 1, string); + string_length = strlen (string); + temp_string = (char *)xmalloc (name_length + 1 + string_length + 1); + memcpy (temp_string, temp_name, name_length); + temp_string[name_length] = ' '; + memcpy (temp_string + name_length + 1, string, string_length + 1); /* Don't import function names that are invalid identifiers from the environment. */ - if (legal_identifier (name)) - parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + if (legal_identifier (temp_name)) + parse_and_execute (temp_string, temp_name, + SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - if (temp_var = find_function (name)) + if (temp_var = find_function (temp_name)) { VSETATTR (temp_var, (att_exported|att_imported)); array_needs_making = 1; } else report_error (_("error importing function definition for `%s'"), name); + + /* Restore the original suffix. */ + temp_name[name_length] = FUNCDEF_SUFFIX[0]; } #if defined (ARRAY_VARS) # if 0 
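Review bot: `temp_string` is allocated before the `legal_identifier (temp_name)` test and nothing in the hunk releases it when the test fails. Upstream's parse_and_execute frees the string it is given, so if that holds for this tree only the rejected-name path leaks, once per environment entry whose name carries the prefix and suffix but is not a valid identifier. Adding `else free (temp_string);` after the call closes it; the same conditional appears in the refreshed bash-4.2-CVE-2014-6271.patch further down. Separately, `report_error` still prints `name` while the suffix is cut off, so the message shows neither the bare function name nor the full variable name; `temp_name` would be clearer. The enclosing function starts and ends outside the hunk.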
@@ -2537,7 +2557,7 @@ var->context = variable_context; /* XXX */ INVALIDATE_EXPORTSTR (var); - var->exportstr = mk_env_string (name, value); + var->exportstr = mk_env_string (name, value, 0); array_needs_making = 1; @@ -3388,22 +3408,43 @@ /* */ /* **************************************************************** */ +/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in + which case it is treated as empty). Otherwise, decorate NAME with + FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form + FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */ static inline char * -mk_env_string (name, value) +mk_env_string (name, value, functionp) const char *name, *value; + int functionp; { - int name_len, value_len; - char *p; + size_t name_len, value_len; + char *p, *q; name_len = strlen (name); value_len = STRLEN (value); - p = (char *)xmalloc (2 + name_len + value_len); - strcpy (p, name); - p[name_len] = '='; + if (functionp && value != NULL) + { + p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN + + 1 + value_len + 1); + q = p; + memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN); + q += FUNCDEF_PREFIX_LEN; + memcpy (q, name, name_len); + q += name_len; + memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN); + q += FUNCDEF_SUFFIX_LEN; + } + else + { + p = (char *)xmalloc (name_len + 1 + value_len + 1); + memcpy (p, name, name_len); + q = p + name_len; + } + q[0] = '='; if (value && *value) - strcpy (p + name_len + 1, value); + memcpy (q + 1, value, value_len + 1); else - p[name_len + 1] = '\0'; + q[1] = '\0'; return (p); } 
@@ -3489,7 +3530,7 @@ /* Gee, I'd like to get away with not using savestring() if we're using the cached exportstr... */ list[list_index] = USE_EXPORTSTR ? savestring (value) - : mk_env_string (var->name, value); + : mk_env_string (var->name, value, function_p (var)); if (USE_EXPORTSTR == 0) SAVE_EXPORTSTR (var, list[list_index]); ++++++ bash-4.2-CVE-2014-6271.patch ++++++ --- /var/tmp/diff_new_pack.2HePQg/_old 2014-09-29 12:40:48.000000000 +0200 +++ /var/tmp/diff_new_pack.2HePQg/_new 2014-09-29 12:40:48.000000000 +0200 
@@ -1,67 +1,72 @@ -diff -ur a/bash/builtins/common.h b/bash/builtins/common.h ---- a/bash/builtins/common.h 2010-05-31 00:31:51.000000000 +0200 -+++ b/bash/builtins/common.h 2014-09-16 21:36:20.139826595 +0200 -@@ -33,6 +33,8 @@ - #define SEVAL_RESETLINE 0x010 - #define SEVAL_PARSEONLY 0x020 - #define SEVAL_NOLONGJMP 0x040 -+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+#define SEVAL_ONECMD 0x100 /* only allow a single command */ - - /* Flags for describe_command, shared between type.def and command.def */ - #define CDESC_ALL 0x001 /* type -a */ -diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c ---- a/bash/builtins/evalstring.c 2010-11-23 14:22:15.000000000 +0100 -+++ b/bash/builtins/evalstring.c 2014-09-16 21:36:20.139826595 +0200 -@@ -261,6 +261,14 @@ - { - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); - add_unwind_protect (dispose_fd_bitmap, bitmap); -@@ -321,6 +329,9 @@ - dispose_command (command); - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } - else -diff -ur a/bash/variables.c b/bash/variables.c ---- a/bash/variables.c 2014-09-16 21:35:34.878850652 +0200 -+++ b/bash/variables.c 2014-09-16 21:37:16.221034763 +0200 -@@ -347,7 +347,11 @@ - temp_string[char_index] = ' '; - strcpy (temp_string + char_index + 1, string); - -- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -+ /* Don't import function names that are invalid identifiers from the -+ environment, though we still allow them to be defined as shell -+ variables. 
*/ -+ if (legal_identifier (name)) -+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - /* Ancient backwards compatibility. Old versions of bash exported - functions like name()=() {...} */ -@@ -361,10 +365,6 @@ - } - else - report_error (_("error importing function definition for `%s'"), name); -- -- /* ( */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') -- name[char_index - 2] = '('; /* ) */ - } - #if defined (ARRAY_VARS) - # if 0 +*** ../bash-4.2.47/builtins/common.h 2010-05-30 18:31:51.000000000 -0400 +--- builtins/common.h 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 36,39 **** +--- 36,41 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-4.2.47/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 262,265 **** +--- 262,273 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 322,325 **** +--- 330,336 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.2.47/variables.c 2011-03-01 16:15:20.000000000 -0500 +--- variables.c 2014-09-16 19:35:45.000000000 -0400 +*************** +*** 348,357 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! 
+! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 348,355 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 362,369 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 360,363 ---- ++++++ bash-4.2-CVE-2014-7169.patch ++++++ *** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400 --- parse.y 2014-09-24 22:47:28.000000000 -0400 *************** *** 2959,2962 **** --- 2959,2964 ---- word_desc_to_read = (WORD_DESC *)NULL; + eol_ungetc_lookahead = 0; + current_token = '\n'; /* XXX */ last_read_token = '\n'; ++++++ bash-4.2-CVE-2014-7187.patch ++++++ --- ../bash-4.2-orig/parse.y 2014-09-25 13:07:59.218209276 +0200 +++ parse.y 2014-09-25 15:26:52.813159810 +0200 
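Review bot: In the refreshed builtins/common.h part of bash-4.2-CVE-2014-6271.patch, the `SEVAL_FUNCDEF` and `SEVAL_ONECMD` defines are inserted below the comment `/* Flags for describe_command, shared between type.def and command.def */`, directly above `CDESC_ALL`. The version being replaced added them right after `SEVAL_NOLONGJMP`, next to the other `SEVAL_*` flags. The values are the same, so behaviour is not affected, but a reader of the patched header will take them for describe_command flags. Moving the two lines above that comment keeps the flag groups intact.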
@@ -264,9 +264,21 @@ /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ -static REDIRECT *redir_stack[10]; +static REDIRECT **redir_stack; int need_here_doc; +/* Pushes REDIR onto redir_stack, resizing it as needed. */ +static void +push_redir_stack (REDIRECT *redir) +{ + /* Guard against oveflow. */ + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) + abort (); + redir_stack = xrealloc (redir_stack, + (need_here_doc + 1) * sizeof (*redir_stack)); + redir_stack[need_here_doc++] = redir; +} + /* Where shell input comes from. History expansion is performed on each line when the shell is interactive. */ static char *shell_input_line = (char *)NULL; @@ -519,42 +531,42 @@ source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_MINUS WORD { source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS_MINUS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS_MINUS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_LESS WORD { 
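Review bot: The overflow guard in `push_redir_stack` calls `abort ()`, so input that ever reached it would end the shell with a core dump instead of a diagnostic. A comment stating that this is deliberate, or an error report followed by a normal exit, would make the choice reviewable. The guard also relies on `INT_MAX`, which needs `<limits.h>`; the hunk does not show that header being included in parse.y. Two smaller points: the guard comment has a typo (`oveflow`), and the helper uses an ANSI-style definition while `mk_env_string` in the same commit keeps the K&R form, so it should follow whichever convention parse.y already uses.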
@@ -4757,7 +4769,7 @@ case CASE: case SELECT: case FOR: - if (word_top < MAX_CASE_NEST) + if (word_top + 1 < MAX_CASE_NEST) word_top++; word_lineno[word_top] = line_number; break; -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
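Review bot: With the tightened test, `word_lineno[word_top] = line_number;` still runs once the nesting limit has been reached, so the last slot is overwritten for every further `case`/`select`/`for`. That keeps the index in range, assuming `word_lineno` has `MAX_CASE_NEST` entries (its declaration is outside the hunk), but the line number recorded for the deepest tracked construct is lost. A comment on the test would make the intent explicit, e.g. `/* word_top must stay a valid index into word_lineno[]; deeper nesting reuses the last slot */`. The switch this case belongs to starts and ends outside the hunk.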