From f9dc7ff03a5b63d20ce473c1172e29b736dbea28 Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
Date: Wed, 21 Sep 2016 16:51:08 +0200
Subject: [PATCH] CVE-2016-0634: upstream patch imported
---
 parse.y | 20 ++++++++++++++++----
 y.tab.c | 20 ++++++++++++++++----
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/parse.y b/parse.y
index 0a7fcaa..5676ad7 100644
--- a/parse.y
+++ b/parse.y
@@ -5252,7 +5252,7 @@ decode_prompt_string (string)
 #if defined (PROMPT_STRING_DECODE)
   int result_size, result_index;
   int c, n, i;
-  char *temp, octal_string[4];
+  char *temp, *t_host, octal_string[4];
   struct tm *tm;  
   time_t the_time;
   char timebuf[128];
@@ -5400,7 +5400,11 @@ decode_prompt_string (string)
 
 	    case 's':
 	      temp = base_pathname (shell_name);
-	      temp = savestring (temp);
+	      /* Try to quote anything the user can set in the file system */
+	      if (promptvars || posixly_correct)
+		temp = sh_backslash_quote_for_double_quotes (temp);
+	      else
+		temp = savestring (temp);
 	      goto add_string;
 
 	    case 'v':
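Review bot: The `\s` branch now backslash-quotes the shell name, but nothing here records that the quoting is only correct when the decoded prompt is later expanded as a double-quoted string; the `\h`/`\H` hunk further down carries that reminder and this one does not. I would add the same comment above the call, e.g. `/* Requires expand_prompt_string to be called with Q_DOUBLE_QUOTES. */`, and confirm that the call site, which is outside this patch, actually passes that flag. The existing comment could also say why the plain `savestring` copy is kept when neither `promptvars` nor `posixly_correct` is set; presumably the result is not expanded again in that mode, but the hunk does not show it. decode_prompt_string starts and ends outside the hunk.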
@@ -5490,9 +5494,17 @@ decode_prompt_string (string)
 
 	    case 'h':
 	    case 'H':
-	      temp = savestring (current_host_name);
-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
+	      t_host = savestring (current_host_name);
+	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
 		*t = '\0';
+	      if (promptvars || posixly_correct)
+		/* Make sure that expand_prompt_string is called with a
+		   second argument of Q_DOUBLE_QUOTES if we use this
+		   function here. */
+		temp = sh_backslash_quote_for_double_quotes (t_host);
+	      else
+		temp = savestring (t_host);
+	      free (t_host);
 	      goto add_string;
 
 	    case '#':
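Review bot: The `else` branch copies the hostname a second time: `t_host` is already a private `savestring` copy, so `temp = savestring (t_host);` followed by `free (t_host);` allocates and frees for no gain. Handing the buffer over with `temp = t_host;` in the `else` branch and moving `free (t_host);` into the quoting branch (with braces) does the same job with one allocation. Separately, the patch ships no regression test; a case that sets a hostname containing shell metacharacters and checks that the prompt renders it literally would keep this fix from regressing. The enclosing switch in decode_prompt_string continues outside the hunk.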
diff --git a/y.tab.c b/y.tab.c
index 793daf6..726d0de 100644
--- a/y.tab.c
+++ b/y.tab.c
@@ -7540,7 +7540,7 @@ decode_prompt_string (string)
 #if defined (PROMPT_STRING_DECODE)
   int result_size, result_index;
   int c, n, i;
-  char *temp, octal_string[4];
+  char *temp, *t_host, octal_string[4];
   struct tm *tm;  
   time_t the_time;
   char timebuf[128];
@@ -7688,7 +7688,11 @@ decode_prompt_string (string)
 
 	    case 's':
 	      temp = base_pathname (shell_name);
-	      temp = savestring (temp);
+	      /* Try to quote anything the user can set in the file system */
+	      if (promptvars || posixly_correct)
+		temp = sh_backslash_quote_for_double_quotes (temp);
+	      else
+		temp = savestring (temp);
 	      goto add_string;
 
 	    case 'v':
@@ -7778,9 +7782,17 @@ decode_prompt_string (string)
 
 	    case 'h':
 	    case 'H':
-	      temp = savestring (current_host_name);
-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
+	      t_host = savestring (current_host_name);
+	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
 		*t = '\0';
+	      if (promptvars || posixly_correct)
+		/* Make sure that expand_prompt_string is called with a
+		   second argument of Q_DOUBLE_QUOTES if we use this
+		   function here. */
+		temp = sh_backslash_quote_for_double_quotes (t_host);
+	      else
+		temp = savestring (t_host);
+	      free (t_host);
 	      goto add_string;
 
 	    case '#':
-- 
2.7.4