From 6cda6f906eafb269ea7362343b8af609b3d9ce41 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 24 Sep 2014 18:48:35 +0200 Subject: [PATCH] bash: Fix for CVE-2014-6271 A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. --- lfs/bash | 2 + src/patches/bash-3.2-CVE-2014-6271.patch | 72 ++++++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 src/patches/bash-3.2-CVE-2014-6271.patch diff --git a/lfs/bash b/lfs/bash index c89ff545a9..47a6c45954 100644 --- a/lfs/bash +++ b/lfs/bash @@ -96,6 +96,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch + cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-6271.patch + cd $(DIR_APP) && ./configure $(EXTRA_CONFIG) cd $(DIR_APP) && make $(EXTRA_MAKE) cd $(DIR_APP) && make $(EXTRA_INSTALL) install diff --git a/src/patches/bash-3.2-CVE-2014-6271.patch b/src/patches/bash-3.2-CVE-2014-6271.patch new file mode 100644 index 0000000000..396491603e --- /dev/null +++ b/src/patches/bash-3.2-CVE-2014-6271.patch @@ -0,0 +1,72 @@ +*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500 +--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 34,37 **** +--- 34,39 ---- + + /* Flags for describe_command, shared between type.def and command.def */ ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + #define CDESC_ALL 0x001 /* type -a */ + #define CDESC_SHORTDESC 0x002 /* command -V */ +*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500 +--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400 +*************** +*** 235,238 **** +--- 235,246 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 292,295 **** +--- 300,306 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500 +--- variables.c 2014-09-16 19:10:39.000000000 -0400 +*************** +*** 319,328 **** + strcpy (temp_string + char_index + 1, string); + +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 319,326 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 333,340 **** + else + report_error (_("error importing function definition for `%s'"), name); +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 331,334 ---- -- 2.39.5