1 			     BASH PATCH REPORT

     2 			     =================

     3 

     4 Bash-Release:	4.1

     5 Patch-ID:	bash41-017

     6 

     7 Bug-Reported-by:	Michal Zalewski <[email protected]>

     8 Bug-Reference-ID:

     9 Bug-Reference-URL:

    10 

    11 Bug-Description:

    12 

    13 A combination of nested command substitutions and function importing from

    14 the environment can cause bash to execute code appearing in the environment

    15 variable value following the function definition.

    16 

    17 Patch (apply with `patch -p0'):

    18 

    19 *** ../bash-4.1.16/builtins/evalstring.c	2014-09-16 19:27:38.000000000 -0400

    20 --- builtins/evalstring.c	2014-10-04 15:08:26.000000000 -0400

    21 ***************

    22 *** 262,271 ****

    23   	      struct fd_bitmap *bitmap;

    24   

    25 ! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)

    26   		{

    27 ! 		  internal_warning ("%s: ignoring function definition attempt", from_file);

    28 ! 		  should_jump_to_top_level = 0;

    29 ! 		  last_result = last_command_exit_value = EX_BADUSAGE;

    30 ! 		  break;

    31   		}

    32   

    33 --- 262,284 ----

    34   	      struct fd_bitmap *bitmap;

    35   

    36 ! 	      if (flags & SEVAL_FUNCDEF)

    37   		{

    38 ! 		  char *x;

    39 ! 

    40 ! 		  /* If the command parses to something other than a straight

    41 ! 		     function definition, or if we have not consumed the entire

    42 ! 		     string, or if the parser has transformed the function

    43 ! 		     name (as parsing will if it begins or ends with shell

    44 ! 		     whitespace, for example), reject the attempt */

    45 ! 		  if (command->type != cm_function_def ||

    46 ! 		      ((x = parser_remaining_input ()) && *x) ||

    47 ! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))

    48 ! 		    {

    49 ! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);

    50 ! 		      should_jump_to_top_level = 0;

    51 ! 		      last_result = last_command_exit_value = EX_BADUSAGE;

    52 ! 		      reset_parser ();

    53 ! 		      break;

    54 ! 		    }

    55   		}

    56   

    57 ***************

    58 *** 332,336 ****

    59   

    60   	      if (flags & SEVAL_ONECMD)

    61 ! 		break;

    62   	    }

    63   	}

    64 --- 345,352 ----

    65   

    66   	      if (flags & SEVAL_ONECMD)

    67 ! 		{

    68 ! 		  reset_parser ();

    69 ! 		  break;

    70 ! 		}

    71   	    }

    72   	}

    73 *** ../bash-4.1.16/parse.y	2014-09-30 19:36:03.000000000 -0400

    74 --- parse.y	2014-10-04 15:08:26.000000000 -0400

    75 ***************

    76 *** 2410,2413 ****

    77 --- 2410,2423 ----

    78   }

    79   

    80 + char *

    81 + parser_remaining_input ()

    82 + {

    83 +   if (shell_input_line == 0)

    84 +     return 0;

    85 +   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)

    86 +     return '\0';	/* XXX */

    87 +   return (shell_input_line + shell_input_line_index);

    88 + }

    89 + 

    90   #ifdef INCLUDE_UNUSED

    91   /* Back the input pointer up by one, effectively `ungetting' a character. */

    92 ***************

    93 *** 3809,3814 ****

    94     restore_parser_state (&ps);

    95     reset_parser ();

    96 !   if (interactive)

    97 !     token_to_read = 0;

    98   

    99     /* Need to find how many characters parse_and_execute consumed, update

   100 --- 3819,3824 ----

   101     restore_parser_state (&ps);

   102     reset_parser ();

   103 ! 

   104 !   token_to_read = 0;

   105   

   106     /* Need to find how many characters parse_and_execute consumed, update

   107 *** ../bash-4.1.16/shell.h	2009-08-14 16:32:52.000000000 -0400

   108 --- shell.h	2014-10-04 15:08:26.000000000 -0400

   109 ***************

   110 *** 164,167 ****

   111 --- 164,169 ----

   112   

   113   /* Let's try declaring these here. */

   114 + extern char *parser_remaining_input __P((void));

   115 + 

   116   extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));

   117   extern void restore_parser_state __P((sh_parser_state_t *));

   118 *** ../bash-4.1-patched/patchlevel.h	2009-10-01 16:39:22.000000000 -0400

   119 --- patchlevel.h	2010-01-14 09:38:08.000000000 -0500

   120 ***************

   121 *** 26,30 ****

   122      looks for to find the patch level (for the sccs version string). */

   123   

   124 ! #define PATCHLEVEL 16

   125   

   126   #endif /* _PATCHLEVEL_H_ */

   127 --- 26,30 ----

   128      looks for to find the patch level (for the sccs version string). */

   129   

   130 ! #define PATCHLEVEL 17

   131   

   132   #endif /* _PATCHLEVEL_H_ */