bash: Fix for CVE-2014-6271
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 24 Sep 2014 19:02:22 +0000 (21:02 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 29 Sep 2014 11:49:51 +0000 (13:49 +0200)
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override
or bypass environment restrictions to execute shell commands.
Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit
this issue.

lfs/bash
src/patches/bash-4.3-CVE-2014-6271.patch [new file with mode: 0644]

index 862c94432e56282c592dc3ba6b4ce42c8bc2af92..e09f91ceb5b7315a984274fe6295e1375084bd51 100644 (file)
--- a/lfs/bash
+++ b/lfs/bash
@@ -94,6 +94,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch
+       cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-4.3-CVE-2014-6271.patch
 
        cd $(DIR_APP) && ./configure $(CONFIGURE_OPTIONS)
        cd $(DIR_APP) && make $(MAKETUNING)
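Review bot: The added recipe line applies its patch with `-Np0` while the three neighbouring lines use `-Np1`, and nothing records why. The new patch file's headers name paths relative to the bash source root (`builtins/common.h`, `variables.c`), so `-p0` looks correct, but a comment above the line such as `# upstream context diff with root-relative paths, hence -p0` would keep a later cleanup from changing it. The patch is named for bash-4.3 and the version this recipe builds is not visible in the hunk, so it is worth confirming in the build log that every hunk applies without fuzz or offset, since a misplaced check in a security fix fails quietly. The recipe for `$(TARGET)` starts and ends outside the hunk.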
diff --git a/src/patches/bash-4.3-CVE-2014-6271.patch b/src/patches/bash-4.3-CVE-2014-6271.patch
new file mode 100644 (file)
index 0000000..7859d40
--- /dev/null
@@ -0,0 +1,91 @@
+*** ../bash-4.3-patched/builtins/common.h      2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h  2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+  #define SEVAL_PARSEONLY      0x020
+  #define SEVAL_NOLONGJMP 0x040
++ #define SEVAL_FUNCDEF        0x080           /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100           /* only allow a single command */
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c  2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c      2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+             struct fd_bitmap *bitmap;
+  
++            if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++              {
++                internal_warning ("%s: ignoring function definition attempt", from_file);
++                should_jump_to_top_level = 0;
++                last_result = last_command_exit_value = EX_BADUSAGE;
++                break;
++              }
++ 
+             bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+             begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+             dispose_fd_bitmap (bitmap);
+             discard_unwind_frame ("pe_dispose");
++ 
++            if (flags & SEVAL_ONECMD)
++              break;
+           }
+       }
+*** ../bash-4.3-patched/variables.c    2014-05-15 08:26:50.000000000 -0400
+--- variables.c        2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+         strcpy (temp_string + char_index + 1, string);
+  
+!        if (posixly_correct == 0 || legal_identifier (name))
+!          parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!        /* Ancient backwards compatibility.  Old versions of bash exported
+!           functions like name()=() {...} */
+!        if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!          name[char_index - 2] = '\0';
+  
+         if (temp_var = find_function (name))
+--- 364,372 ----
+         strcpy (temp_string + char_index + 1, string);
+  
+!        /* Don't import function names that are invalid identifiers from the
+!           environment, though we still allow them to be defined as shell
+!           variables. */
+!        if (legal_identifier (name))
+!          parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+         if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+             report_error (_("error importing function definition for `%s'"), name);
+           }
+- 
+-        /* ( */
+-        if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-          name[char_index - 2] = '(';         /* ) */
+       }
+  #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c        2014-08-11 11:16:35.000000000 -0400
+--- subst.c    2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+         goto return0;
+       }
+!       else if (var = find_variable_last_nameref (temp1))
+       {
+         temp = nameref_cell (var);
+--- 8118,8124 ----
+         goto return0;
+       }
+!       else if (var && (invisible_p (var) || var_isset (var) == 0))
+!      temp = (char *)NULL;
+!       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+       {
+         temp = nameref_cell (var);
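Review bot: The `SEVAL_FUNCDEF` test added in `builtins/evalstring.c` runs on an already-parsed `command`, so the environment-supplied `temp_string` passed from `variables.c` still reaches the full parser. The new flags restrict only what is executed, to one command that must be a function definition. Whether parser state is reset after a rejected or truncated string is not visible in these hunks, so this is best treated as a first mitigation, with later upstream bash patch levels tracked and applied as they appear. The file also carries no provenance header; a leading line such as `Upstream: <upstream patch id and URL>` ahead of the first `***` would let the hunks be audited against the original. The surrounding function bodies in `variables.c` and `subst.c` start and end outside the quoted context.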