[gnome-continuous-yocto/gnomeostree-3.28-rocko: 4632/8267] bash: fix CVE-2016-9401

[Emmanuele Bassi <ebassi src gnome org>]

commit 1b2857a781b6666feaf5d3c91dc02ac263d0c4f6
Author: Li Zhou <li zhou windriver com>
Date:   Mon Feb 13 10:53:24 2017 +0800

    bash: fix CVE-2016-9401
    
    popd in bash might allow local users to bypass the restricted shell
    and cause a use-after-free via a crafted address.
    
    Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/
    bash44-006> to solve CVE-2016-9401.
    
    (From OE-Core rev: 6987b317d5ce8dc50a37ebba395aa8424bec358c)
    
    Signed-off-by: Li Zhou <li zhou windriver com>
    Signed-off-by: Ross Burton <ross burton intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../recipes-extended/bash/bash/CVE-2016-9401.patch |   50 ++++++++++++++++++++
 meta/recipes-extended/bash/bash_4.3.30.bb          |    1 +
 2 files changed, 51 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-9401.patch 
b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
new file mode 100644
index 0000000..28c9277
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
@@ -0,0 +1,50 @@
+From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet ramey case edu>
+Date: Fri, 20 Jan 2017 11:47:31 -0500
+Subject: [PATCH] Bash-4.4 patch 6
+
+Bug-Reference-URL:
+https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
+
+Reference to upstream patch:
+https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006
+
+Bug-Description:
+Out-of-range negative offsets to popd can cause the shell to crash attempting
+to free an invalid memory block.
+
+Upstream-Status: Backport
+CVE: CVE-2016-9401
+Signed-off-by: Li Zhou <li zhou windriver com>
+---
+ builtins/pushd.def | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/builtins/pushd.def b/builtins/pushd.def
+index 9c6548f..8a13bae 100644
+--- a/builtins/pushd.def
++++ b/builtins/pushd.def
+@@ -359,7 +359,7 @@ popd_builtin (list)
+       break;
+     }
+ 
+-  if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
++  if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && 
which == 0))
+     {
+       pushd_error (directory_list_offset, which_word ? which_word : "");
+       return (EXECUTION_FAILURE);
+@@ -381,6 +381,11 @@ popd_builtin (list)
+        remove that directory from the list and shift the remainder
+        of the list into place. */
+       i = (direction == '+') ? directory_list_offset - which : which;
++      if (i < 0 || i > directory_list_offset)
++      {
++        pushd_error (directory_list_offset, which_word ? which_word : "");
++        return (EXECUTION_FAILURE);
++      }
+       free (pushd_directory_list[i]);
+       directory_list_offset--;
+ 
+-- 
+1.9.1
+
diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
index 765562f..e398e87 100644
--- a/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://fix-run-builtins.patch \
            file://0001-help-fix-printf-format-security-warning.patch \
            file://fix-run-intl.patch \
+           file://CVE-2016-9401.patch \
            "
 
 SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"