bash: Fix for CVE-2014-6271

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override
or bypass environment restrictions to execute shell commands.
Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit
this issue.

diff --git a/lfs/bash b/lfs/bash
index c89ff545a99b6e1a6952f219b19abd8ffecbe4d6..47a6c45954a3d4353b8401b13275ca4d7ccd6760 100644 (file)
--- a/lfs/bash
+++ b/lfs/bash
@@ -96,6 +96,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch
+       cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-6271.patch
+
        cd $(DIR_APP) && ./configure $(EXTRA_CONFIG)
        cd $(DIR_APP) && make $(EXTRA_MAKE)
        cd $(DIR_APP) && make $(EXTRA_INSTALL) install

diff --git a/src/patches/bash-3.2-CVE-2014-6271.patch b/src/patches/bash-3.2-CVE-2014-6271.patch
new file mode 100644 (file)
index 0000000..3964916
--- /dev/null
+++ b/src/patches/bash-3.2-CVE-2014-6271.patch
@@ -0,0 +1,72 @@
+*** ../bash-3.2.51/builtins/common.h   2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h  2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+  
+  /* Flags for describe_command, shared between type.def and command.def */
++ #define SEVAL_FUNCDEF        0x080           /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100           /* only allow a single command */
+  #define CDESC_ALL            0x001   /* type -a */
+  #define CDESC_SHORTDESC              0x002   /* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c       2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c      2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+             struct fd_bitmap *bitmap;
+  
++            if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++              {
++                internal_warning ("%s: ignoring function definition attempt", from_file);
++                should_jump_to_top_level = 0;
++                last_result = last_command_exit_value = EX_BADUSAGE;
++                break;
++              }
++ 
+             bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+             begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+             dispose_fd_bitmap (bitmap);
+             discard_unwind_frame ("pe_dispose");
++ 
++            if (flags & SEVAL_ONECMD)
++              break;
+           }
+       }
+*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
+--- variables.c        2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+         strcpy (temp_string + char_index + 1, string);
+  
+!        parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+!        /* Ancient backwards compatibility.  Old versions of bash exported
+!           functions like name()=() {...} */
+!        if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+!          name[char_index - 2] = '\0';
+  
+         if (temp_var = find_function (name))
+--- 319,326 ----
+         strcpy (temp_string + char_index + 1, string);
+  
+!        /* Don't import function names that are invalid identifiers from the
+!           environment. */
+!        if (legal_identifier (name))
+!          parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+         if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+         else
+           report_error (_("error importing function definition for `%s'"), name);
+- 
+-        /* ( */
+-        if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-          name[char_index - 2] = '(';         /* ) */
+       }
+  #if defined (ARRAY_VARS)
+--- 331,334 ----