[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 126/246] bash: Security fix CVE-2016-0634



commit 57531002b8be23ba24ecd53076cd337efa9accbb
Author: Sona Sarmadi <sona sarmadi enea com>
Date:   Mon Oct 10 13:54:35 2016 +0200

    bash: Security fix CVE-2016-0634
    
    References to upstream patch:
    https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047
    http://openwall.com/lists/oss-security/2016/09/16/8
    
    (From OE-Core rev: 24455c63494b7030b8a337f0dad98687d15d9ce6)
    
    Signed-off-by: Sona Sarmadi <sona sarmadi enea com>
    Signed-off-by: Armin Kuster <akuster808 gmail com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../recipes-extended/bash/bash/CVE-2016-0634.patch |  136 ++++++++++++++++++++
 meta/recipes-extended/bash/bash_4.3.30.bb          |    1 +
 2 files changed, 137 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-0634.patch 
b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
new file mode 100644
index 0000000..71c033e
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-0634.patch
@@ -0,0 +1,136 @@
+Bash-Release:  4.3
+Patch-ID:      bash43-047
+
+Bug-Reported-by:       Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL:     https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded.  If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0')
+
+CVE:  CVE-2016-0634
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona sarmadi enea com>
+
+*** ../bash-4.3-patched/parse.y        2015-08-13 15:11:54.000000000 -0400
+--- parse.y    2016-03-07 15:44:14.000000000 -0500
+***************
+*** 5259,5263 ****
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+--- 5259,5263 ----
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+***************
+*** 5407,5411 ****
+           case 's':
+             temp = base_pathname (shell_name);
+!            temp = savestring (temp);
+             goto add_string;
+  
+--- 5407,5415 ----
+           case 's':
+             temp = base_pathname (shell_name);
+!            /* Try to quote anything the user can set in the file system */
+!            if (promptvars || posixly_correct)
+!              temp = sh_backslash_quote_for_double_quotes (temp);
+!            else
+!              temp = savestring (temp);
+             goto add_string;
+  
+***************
+*** 5497,5503 ****
+           case 'h':
+           case 'H':
+!            temp = savestring (current_host_name);
+!            if (c == 'h' && (t = (char *)strchr (temp, '.')))
+               *t = '\0';
+             goto add_string;
+  
+--- 5501,5515 ----
+           case 'h':
+           case 'H':
+!            t_host = savestring (current_host_name);
+!            if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+               *t = '\0';
++            if (promptvars || posixly_correct)
++              /* Make sure that expand_prompt_string is called with a
++                 second argument of Q_DOUBLE_QUOTES if we use this
++                 function here. */
++              temp = sh_backslash_quote_for_double_quotes (t_host);
++            else
++              temp = savestring (t_host);
++            free (t_host);
+             goto add_string;
+  
+*** ../bash-4.3-patched/y.tab.c        2015-08-13 15:11:54.000000000 -0400
+--- y.tab.c    2016-03-07 15:44:14.000000000 -0500
+***************
+*** 7571,7575 ****
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+--- 7571,7575 ----
+    int result_size, result_index;
+    int c, n, i;
+!   char *temp, *t_host, octal_string[4];
+    struct tm *tm;  
+    time_t the_time;
+***************
+*** 7719,7723 ****
+           case 's':
+             temp = base_pathname (shell_name);
+!            temp = savestring (temp);
+             goto add_string;
+  
+--- 7719,7727 ----
+           case 's':
+             temp = base_pathname (shell_name);
+!            /* Try to quote anything the user can set in the file system */
+!            if (promptvars || posixly_correct)
+!              temp = sh_backslash_quote_for_double_quotes (temp);
+!            else
+!              temp = savestring (temp);
+             goto add_string;
+  
+***************
+*** 7809,7815 ****
+           case 'h':
+           case 'H':
+!            temp = savestring (current_host_name);
+!            if (c == 'h' && (t = (char *)strchr (temp, '.')))
+               *t = '\0';
+             goto add_string;
+  
+--- 7813,7827 ----
+           case 'h':
+           case 'H':
+!            t_host = savestring (current_host_name);
+!            if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+               *t = '\0';
++            if (promptvars || posixly_correct)
++              /* Make sure that expand_prompt_string is called with a
++                 second argument of Q_DOUBLE_QUOTES if we use this
++                 function here. */
++              temp = sh_backslash_quote_for_double_quotes (t_host);
++            else
++              temp = savestring (t_host);
++            free (t_host);
+             goto add_string;
+
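Review bot: The quoting added in the `\h`/`\H` and `\s` branches of parse.y and y.tab.c is only effective if the decoded prompt is later expanded as double-quoted text, which the new comment in the `\h` branch states as a requirement on `expand_prompt_string` (second argument `Q_DOUBLE_QUOTES`); that call site is outside every hunk shown here. The context-diff headers name a `../bash-4.3-patched` tree while the recipe builds 4.3.30, so it is worth confirming in the 4.3.30 source that the call is made that way and that the hunks apply without fuzz. The embedded patch touches only parse.y and y.tab.c, so the built shell presumably still reports patch level 30 and the `CVE:` tag is the only record of the fix. I would add a line to the patch header such as `Note: backported onto 4.3.30; the shell's reported patch level is unchanged` so the fix can be traced without relying on `bash --version`.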
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index 95ed392..fcd6caf 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \
            file://run-ptest \
           file://fix-run-builtins.patch \
+           file://CVE-2016-0634.patch;striplevel=0 \
            "
 
 SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"

