diff --git a/bash-4.3-cve-2014-6271.patch b/bash-4.3-cve-2014-6271.patch deleted file mode 100644 index 7859d40..0000000 --- a/bash-4.3-cve-2014-6271.patch +++ /dev/null @@ -1,91 +0,0 @@ -*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400 ---- builtins/common.h 2014-09-12 14:25:47.000000000 -0400 -*************** -*** 34,37 **** ---- 49,54 ---- - #define SEVAL_PARSEONLY 0x020 - #define SEVAL_NOLONGJMP 0x040 -+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+ #define SEVAL_ONECMD 0x100 /* only allow a single command */ - - /* Flags for describe_command, shared between type.def and command.def */ -*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500 ---- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400 -*************** -*** 309,312 **** ---- 313,324 ---- - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); -*************** -*** 369,372 **** ---- 381,387 ---- - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } -*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400 ---- variables.c 2014-09-14 14:23:35.000000000 -0400 -*************** -*** 359,369 **** - strcpy (temp_string + char_index + 1, string); - -! if (posixly_correct == 0 || legal_identifier (name)) -! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -! -! /* Ancient backwards compatibility. Old versions of bash exported -! functions like name()=() {...} */ -! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') -! name[char_index - 2] = '\0'; - - if (temp_var = find_function (name)) ---- 364,372 ---- - strcpy (temp_string + char_index + 1, string); - -! /* Don't import function names that are invalid identifiers from the -! environment, though we still allow them to be defined as shell -! variables. */ -! if (legal_identifier (name)) -! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - if (temp_var = find_function (name)) -*************** -*** 382,389 **** - report_error (_("error importing function definition for `%s'"), name); - } -- -- /* ( */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') -- name[char_index - 2] = '('; /* ) */ - } - #if defined (ARRAY_VARS) ---- 385,388 ---- -*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400 ---- subst.c 2014-09-12 15:31:04.000000000 -0400 -*************** -*** 8048,8052 **** - goto return0; - } -! else if (var = find_variable_last_nameref (temp1)) - { - temp = nameref_cell (var); ---- 8118,8124 ---- - goto return0; - } -! else if (var && (invisible_p (var) || var_isset (var) == 0)) -! temp = (char *)NULL; -! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) - { - temp = nameref_cell (var); diff --git a/bash.spec b/bash.spec index 4a54f9c..a8dcc9d 100644 --- a/bash.spec +++ b/bash.spec @@ -1,5 +1,5 @@ #% define beta_tag rc2 -%define patchleveltag .22 +%define patchleveltag .25 %define baseversion 4.3 %bcond_without tests %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -7,7 +7,7 @@ Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 3%{?dist} +Release: 1%{?dist} Group: System Environment/Shells License: GPLv3+ Url: http://www.gnu.org/software/bash @@ -43,6 +43,9 @@ Patch019: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-019 Patch020: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-020 Patch021: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-021 Patch022: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-022 +Patch023: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-023 +Patch024: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-024 +Patch025: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 # Other patches Patch101: bash-2.02-security.patch @@ -94,15 +97,12 @@ Patch127: bash-4.2-trap.patch Patch128: bash-4.3-man-ulimit.patch # A series of patches emitted by upstream since 4.3-18 -Patch129: bash-4.3-array-element.patch Patch131: bash-4.3-parse-time-keyword.patch Patch134: bash-4.3-pathexp-globignore-delim.patch # 1102815 - fix double echoes in vi visual mode Patch135: bash-4.3-noecho.patch -Patch136: bash-4.3-cve-2014-6271.patch - BuildRequires: texinfo bison BuildRequires: ncurses-devel BuildRequires: autoconf, gettext @@ -151,6 +151,9 @@ This package contains documentation files for %{name}. %patch020 -p0 -b .020 %patch021 -p0 -b .021 %patch022 -p0 -b .022 +%patch023 -p0 -b .023 +%patch024 -p0 -b .024 +%patch025 -p0 -b .025 # Other patches %patch101 -p1 -b .security @@ -178,11 +181,9 @@ This package contains documentation files for %{name}. %patch123 -p1 %patch125 -p1 -b .size_type %patch128 -p1 -b .ulimit -%patch129 -p1 -b .element %patch131 -p0 -b .keyword %patch134 -p0 -b .delim %patch135 -p1 -b .noecho -%patch136 -p0 -b .6271 echo %{version} > _distribution echo %{release} > _patchlevel @@ -378,6 +379,9 @@ end %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog +* Thu Sep 25 2014 Ondrej Oprala - 4.3.25-1 +- Patchlevel 25 + * Wed Sep 24 2014 Ondrej Oprala - 4.3.22-3 - Inhibit code injection - patch by Stephane Chazelas diff --git a/bash43-023 b/bash43-023 new file mode 100644 index 0000000..d1e4e9d --- /dev/null +++ b/bash43-023 @@ -0,0 +1,104 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-023 + +Bug-Reported-by: Tim Friske +Bug-Reference-ID: +Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-06/msg00056.html + +Bug-Description: + +Bash does not correctly parse process substitution constructs that contain +unbalanced parentheses as part of the contained command. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3-patched/subst.h 2014-01-11 21:02:27.000000000 -0500 +--- subst.h 2014-07-20 17:25:01.000000000 -0400 +*************** +*** 83,87 **** + Start extracting at (SINDEX) as if we had just seen "<(". + Make (SINDEX) get the position just after the matching ")". */ +! extern char *extract_process_subst __P((char *, char *, int *)); + #endif /* PROCESS_SUBSTITUTION */ + +--- 83,87 ---- + Start extracting at (SINDEX) as if we had just seen "<(". + Make (SINDEX) get the position just after the matching ")". */ +! extern char *extract_process_subst __P((char *, char *, int *, int)); + #endif /* PROCESS_SUBSTITUTION */ + +*** ../bash-4.3-patched/subst.c 2014-05-15 08:26:45.000000000 -0400 +--- subst.c 2014-07-20 17:26:44.000000000 -0400 +*************** +*** 1193,1202 **** + Make (SINDEX) get the position of the matching ")". */ /*))*/ + char * +! extract_process_subst (string, starter, sindex) + char *string; + char *starter; + int *sindex; + { + return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND)); + } + #endif /* PROCESS_SUBSTITUTION */ +--- 1193,1208 ---- + Make (SINDEX) get the position of the matching ")". */ /*))*/ + char * +! extract_process_subst (string, starter, sindex, xflags) + char *string; + char *starter; + int *sindex; ++ int xflags; + { ++ #if 0 + return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND)); ++ #else ++ xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0); ++ return (xparse_dolparen (string, string+*sindex, sindex, xflags)); ++ #endif + } + #endif /* PROCESS_SUBSTITUTION */ +*************** +*** 1786,1790 **** + if (string[si] == '\0') + CQ_RETURN(si); +! temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si); + free (temp); /* no SX_ALLOC here */ + i = si; +--- 1792,1796 ---- + if (string[si] == '\0') + CQ_RETURN(si); +! temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0); + free (temp); /* no SX_ALLOC here */ + i = si; +*************** +*** 8250,8254 **** + t_index = sindex + 1; /* skip past both '<' and LPAREN */ + +! temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/ + sindex = t_index; + +--- 8256,8260 ---- + t_index = sindex + 1; /* skip past both '<' and LPAREN */ + +! temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/ + sindex = t_index; + +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 22 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 23 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/bash43-024 b/bash43-024 new file mode 100644 index 0000000..a24b8fb --- /dev/null +++ b/bash43-024 @@ -0,0 +1,54 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-024 + +Bug-Reported-by: Corentin Peuvrel +Bug-Reference-ID: <53CE9E5D.6050203@pom-monitoring.com> +Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-07/msg00021.html + +Bug-Description: + +Indirect variable references do not work correctly if the reference +variable expands to an array reference using a subscript other than 0 +(e.g., foo='bar[1]' ; echo ${!foo}). + +Patch (apply with `patch -p0'): + +*** ../bash-4.3-patched/subst.c 2014-06-03 09:32:44.000000000 -0400 +--- subst.c 2014-07-23 09:58:19.000000000 -0400 +*************** +*** 7375,7379 **** + + if (want_indir) +! tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); + else + tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind); +--- 7445,7455 ---- + + if (want_indir) +! { +! tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); +! /* Turn off the W_ARRAYIND flag because there is no way for this function +! to return the index we're supposed to be using. */ +! if (tdesc && tdesc->flags) +! tdesc->flags &= ~W_ARRAYIND; +! } + else + tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind); +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 23 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 24 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/bash43-025 b/bash43-025 new file mode 100644 index 0000000..721aca0 --- /dev/null +++ b/bash43-025 @@ -0,0 +1,123 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-025 + +Bug-Reported-by: Stephane Chazelas +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. + +Patch (apply with `patch -p0'): + +*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400 +--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400 +*************** +*** 34,37 **** +--- 49,54 ---- + #define SEVAL_PARSEONLY 0x020 + #define SEVAL_NOLONGJMP 0x040 ++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++ #define SEVAL_ONECMD 0x100 /* only allow a single command */ + + /* Flags for describe_command, shared between type.def and command.def */ +*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500 +--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400 +*************** +*** 309,312 **** +--- 313,324 ---- + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); +*************** +*** 369,372 **** +--- 381,387 ---- + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } +*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400 +--- variables.c 2014-09-14 14:23:35.000000000 -0400 +*************** +*** 359,369 **** + strcpy (temp_string + char_index + 1, string); + +! if (posixly_correct == 0 || legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +! +! /* Ancient backwards compatibility. Old versions of bash exported +! functions like name()=() {...} */ +! if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +! name[char_index - 2] = '\0'; + + if (temp_var = find_function (name)) +--- 364,372 ---- + strcpy (temp_string + char_index + 1, string); + +! /* Don't import function names that are invalid identifiers from the +! environment, though we still allow them to be defined as shell +! variables. */ +! if (legal_identifier (name)) +! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + + if (temp_var = find_function (name)) +*************** +*** 382,389 **** + report_error (_("error importing function definition for `%s'"), name); + } +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ + } + #if defined (ARRAY_VARS) +--- 385,388 ---- +*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400 +--- subst.c 2014-09-12 15:31:04.000000000 -0400 +*************** +*** 8048,8052 **** + goto return0; + } +! else if (var = find_variable_last_nameref (temp1)) + { + temp = nameref_cell (var); +--- 8118,8124 ---- + goto return0; + } +! else if (var && (invisible_p (var) || var_isset (var) == 0)) +! temp = (char *)NULL; +! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) + { + temp = nameref_cell (var); +*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 +--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 24 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 25 + + #endif /* _PATCHLEVEL_H_ */