BASH PATCH REPORT

			     =================

Bash-Release:	4.3

Patch-ID:	bash43-030

Bug-Reported-by:	Michal Zalewski <lcamtuf@coredump.cx>

Bug-Reference-ID:

Bug-Reference-URL:

Bug-Description:

A combination of nested command substitutions and function importing from

the environment can cause bash to execute code appearing in the environment

variable value following the function definition.

Patch (apply with `patch -p0'):

*** ../bash-4.3.29/builtins/evalstring.c	2014-10-01 12:57:47.000000000 -0400

--- builtins/evalstring.c	2014-10-03 11:57:04.000000000 -0400

***************

*** 309,318 ****

  	      struct fd_bitmap *bitmap;

! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)

  		{

! 		  internal_warning ("%s: ignoring function definition attempt", from_file);

! 		  should_jump_to_top_level = 0;

! 		  last_result = last_command_exit_value = EX_BADUSAGE;

! 		  break;

  		}

--- 313,335 ----

  	      struct fd_bitmap *bitmap;

! 	      if (flags & SEVAL_FUNCDEF)

  		{

! 		  char *x;

! 

! 		  /* If the command parses to something other than a straight

! 		     function definition, or if we have not consumed the entire

! 		     string, or if the parser has transformed the function

! 		     name (as parsing will if it begins or ends with shell

! 		     whitespace, for example), reject the attempt */

! 		  if (command->type != cm_function_def ||

! 		      ((x = parser_remaining_input ()) && *x) ||

! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))

! 		    {

! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);

! 		      should_jump_to_top_level = 0;

! 		      last_result = last_command_exit_value = EX_BADUSAGE;

! 		      reset_parser ();

! 		      break;

! 		    }

  		}

***************

*** 379,383 ****

  	      if (flags & SEVAL_ONECMD)

! 		break;

  	    }

  	}

--- 396,403 ----

  	      if (flags & SEVAL_ONECMD)

! 		{

! 		  reset_parser ();

! 		  break;

! 		}

  	    }

  	}

*** ../bash-4.3.29/parse.y	2014-10-01 12:58:43.000000000 -0400

--- parse.y	2014-10-03 14:48:59.000000000 -0400

***************

*** 2539,2542 ****

--- 2539,2552 ----

  }

+ char *

+ parser_remaining_input ()

+ {

+   if (shell_input_line == 0)

+     return 0;

+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)

+     return '\0';	/* XXX */

+   return (shell_input_line + shell_input_line_index);

+ }

+ 

  #ifdef INCLUDE_UNUSED

  /* Back the input pointer up by one, effectively `ungetting' a character. */

***************

*** 4028,4033 ****

    /* reset_parser clears shell_input_line and associated variables */

    restore_input_line_state (&ls);

!   if (interactive)

!     token_to_read = 0;

    /* Need to find how many characters parse_and_execute consumed, update

--- 4053,4058 ----

    /* reset_parser clears shell_input_line and associated variables */

    restore_input_line_state (&ls);

! 

!   token_to_read = 0;

    /* Need to find how many characters parse_and_execute consumed, update

*** ../bash-4.3.29/shell.h	2014-10-01 12:57:39.000000000 -0400

--- shell.h	2014-10-03 14:49:12.000000000 -0400

***************

*** 181,184 ****

--- 181,186 ----

  /* Let's try declaring these here. */

+ extern char *parser_remaining_input __P((void));

+ 

  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));

  extern void restore_parser_state __P((sh_parser_state_t *));

*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500

--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 29

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 30

  #endif /* _PATCHLEVEL_H_ */