src/patches/bash-4.3-CVE-2014-6271.patch

   1 *** ../bash-4.3-patched/builtins/common.h       2013-07-08 16:54:47.000000000 -0400
   2 --- builtins/common.h   2014-09-12 14:25:47.000000000 -0400
   3 ***************
   4 *** 34,37 ****
   5 --- 49,54 ----
   6   #define SEVAL_PARSEONLY       0x020
   7   #define SEVAL_NOLONGJMP 0x040
   8 + #define SEVAL_FUNCDEF 0x080           /* only allow function definitions */
   9 + #define SEVAL_ONECMD  0x100           /* only allow a single command */
  10
  11   /* Flags for describe_command, shared between type.def and command.def */
  12 *** ../bash-4.3-patched/builtins/evalstring.c   2014-02-11 09:42:10.000000000 -0500
  13 --- builtins/evalstring.c       2014-09-14 14:15:13.000000000 -0400
  14 ***************
  15 *** 309,312 ****
  16 --- 313,324 ----
  17               struct fd_bitmap *bitmap;
  18
  19 +             if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
  20 +               {
  21 +                 internal_warning ("%s: ignoring function definition attempt", from_file);
  22 +                 should_jump_to_top_level = 0;
  23 +                 last_result = last_command_exit_value = EX_BADUSAGE;
  24 +                 break;
  25 +               }
  26 +
  27               bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
  28               begin_unwind_frame ("pe_dispose");
  29 ***************
  30 *** 369,372 ****
  31 --- 381,387 ----
  32               dispose_fd_bitmap (bitmap);
  33               discard_unwind_frame ("pe_dispose");
  34 +
  35 +             if (flags & SEVAL_ONECMD)
  36 +               break;
  37             }
  38         }
  39 *** ../bash-4.3-patched/variables.c     2014-05-15 08:26:50.000000000 -0400
  40 --- variables.c 2014-09-14 14:23:35.000000000 -0400
  41 ***************
  42 *** 359,369 ****
  43           strcpy (temp_string + char_index + 1, string);
  44
  45 !         if (posixly_correct == 0 || legal_identifier (name))
  46 !           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
  47 !
  48 !         /* Ancient backwards compatibility.  Old versions of bash exported
  49 !            functions like name()=() {...} */
  50 !         if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
  51 !           name[char_index - 2] = '\0';
  52
  53           if (temp_var = find_function (name))
  54 --- 364,372 ----
  55           strcpy (temp_string + char_index + 1, string);
  56
  57 !         /* Don't import function names that are invalid identifiers from the
  58 !            environment, though we still allow them to be defined as shell
  59 !            variables. */
  60 !         if (legal_identifier (name))
  61 !           parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
  62
  63           if (temp_var = find_function (name))
  64 ***************
  65 *** 382,389 ****
  66               report_error (_("error importing function definition for `%s'"), name);
  67             }
  68 -
  69 -         /* ( */
  70 -         if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
  71 -           name[char_index - 2] = '(';         /* ) */
  72         }
  73   #if defined (ARRAY_VARS)
  74 --- 385,388 ----
  75 *** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
  76 --- subst.c     2014-09-12 15:31:04.000000000 -0400
  77 ***************
  78 *** 8048,8052 ****
  79           goto return0;
  80         }
  81 !       else if (var = find_variable_last_nameref (temp1))
  82         {
  83           temp = nameref_cell (var);
  84 --- 8118,8124 ----
  85           goto return0;
  86         }
  87 !       else if (var && (invisible_p (var) || var_isset (var) == 0))
  88 !       temp = (char *)NULL;
  89 !       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
  90         {
  91           temp = nameref_cell (var);