bash: Fix for CVE-2014-6271

[people/teissler/ipfire-2.x.git] / src / patches / bash-3.2-CVE-2014-6271.patch
diff --git a/src/patches/bash-3.2-CVE-2014-6271.patch b/src/patches/bash-3.2-CVE-2014-6271.patch

new file mode 100644 (file)

index 0000000..3964916
--- /dev/null
+++ b/src/patches/bash-3.2-CVE-2014-6271.patch
@@ -0,0 +1,72 @@
+*** ../bash-3.2.51/builtins/common.h   2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h  2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
++ #define SEVAL_FUNCDEF        0x080           /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100           /* only allow a single command */
+  #define CDESC_ALL            0x001   /* type -a */
+  #define CDESC_SHORTDESC              0x002   /* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c       2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c      2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+             struct fd_bitmap *bitmap;
+  
++            if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++              {
++                internal_warning ("%s: ignoring function definition attempt", from_file);
++                should_jump_to_top_level = 0;
++                last_result = last_command_exit_value = EX_BADUSAGE;
++                break;
++              }
++ 
+             bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+             begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+             dispose_fd_bitmap (bitmap);
+             discard_unwind_frame ("pe_dispose");
++ 
++            if (flags & SEVAL_ONECMD)
++              break;
+           }
+       }
+*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
+--- variables.c        2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+         strcpy (temp_string + char_index + 1, string);
+  
+!        parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!        /* Ancient backwards compatibility.  Old versions of bash exported
+!           functions like name()=() {...} */
+!        if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!          name[char_index - 2] = '\0';
+  
+         if (temp_var = find_function (name))
+--- 319,326 ----
+         strcpy (temp_string + char_index + 1, string);
+  
+!        /* Don't import function names that are invalid identifiers from the
+!           environment. */
+!        if (legal_identifier (name))
+!          parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+         if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+         else
+           report_error (_("error importing function definition for `%s'"), name);
+- 
+-        /* ( */
+-        if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-          name[char_index - 2] = '(';         /* ) */
+       }
+  #if defined (ARRAY_VARS)
+--- 331,334 ----