|
1 BASH PATCH REPORT |
|
2 ================= |
|
3 |
|
4 Bash-Release: 4.1 |
|
5 Patch-ID: bash41-017 |
|
6 |
|
7 Bug-Reported-by: Michal Zalewski <[email protected]> |
|
8 Bug-Reference-ID: |
|
9 Bug-Reference-URL: |
|
10 |
|
11 Bug-Description: |
|
12 |
|
13 A combination of nested command substitutions and function importing from |
|
14 the environment can cause bash to execute code appearing in the environment |
|
15 variable value following the function definition. |
|
16 |
|
17 Patch (apply with `patch -p0'): |
|
18 |
|
19 *** ../bash-4.1.16/builtins/evalstring.c 2014-09-16 19:27:38.000000000 -0400 |
|
20 --- builtins/evalstring.c 2014-10-04 15:08:26.000000000 -0400 |
|
21 *************** |
|
22 *** 262,271 **** |
|
23 struct fd_bitmap *bitmap; |
|
24 |
|
25 ! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) |
|
26 { |
|
27 ! internal_warning ("%s: ignoring function definition attempt", from_file); |
|
28 ! should_jump_to_top_level = 0; |
|
29 ! last_result = last_command_exit_value = EX_BADUSAGE; |
|
30 ! break; |
|
31 } |
|
32 |
|
33 --- 262,284 ---- |
|
34 struct fd_bitmap *bitmap; |
|
35 |
|
36 ! if (flags & SEVAL_FUNCDEF) |
|
37 { |
|
38 ! char *x; |
|
39 ! |
|
40 ! /* If the command parses to something other than a straight |
|
41 ! function definition, or if we have not consumed the entire |
|
42 ! string, or if the parser has transformed the function |
|
43 ! name (as parsing will if it begins or ends with shell |
|
44 ! whitespace, for example), reject the attempt */ |
|
45 ! if (command->type != cm_function_def || |
|
46 ! ((x = parser_remaining_input ()) && *x) || |
|
47 ! (STREQ (from_file, command->value.Function_def->name->word) == 0)) |
|
48 ! { |
|
49 ! internal_warning (_("%s: ignoring function definition attempt"), from_file); |
|
50 ! should_jump_to_top_level = 0; |
|
51 ! last_result = last_command_exit_value = EX_BADUSAGE; |
|
52 ! reset_parser (); |
|
53 ! break; |
|
54 ! } |
|
55 } |
|
56 |
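Review bot: The three-operand rejection test in the new `if` depends on evaluation order and nothing in the comment says so: `command->value.Function_def->name->word` may only be read because the first operand has already ruled out `command->type != cm_function_def`. The name comparison also treats `from_file` as the name the function is being imported under, and STREQ dereferences it; the callers that set SEVAL_FUNCDEF are not visible here, so that contract should be written down, e.g. `/* SEVAL_FUNCDEF callers pass the imported function's name as from_file; it must be non-null */`. The trailing-input operand accepts the definition whenever `parser_remaining_input ()` returns a null pointer, which is only safe if null always means nothing is left to parse, so the comment should state that assumption too. The enclosing function starts and ends outside the hunk.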
|
57 *************** |
|
58 *** 332,336 **** |
|
59 |
|
60 if (flags & SEVAL_ONECMD) |
|
61 ! break; |
|
62 } |
|
63 } |
|
64 --- 345,352 ---- |
|
65 |
|
66 if (flags & SEVAL_ONECMD) |
|
67 ! { |
|
68 ! reset_parser (); |
|
69 ! break; |
|
70 ! } |
|
71 } |
|
72 } |
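Review bot: The added `reset_parser ();` before `break` in the SEVAL_ONECMD branch has no comment, and the reason for it is the part of this change a later cleanup is most likely to undo. Presumably any text left in the string after the first command must not stay buffered where a later parse could pick it up; a comment such as `/* discard any unparsed remainder so a later parse cannot read it */` would record that. The enclosing loop begins outside the hunk.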
|
73 *** ../bash-4.1.16/parse.y 2014-09-30 19:36:03.000000000 -0400 |
|
74 --- parse.y 2014-10-04 15:08:26.000000000 -0400 |
|
75 *************** |
|
76 *** 2410,2413 **** |
|
77 --- 2410,2423 ---- |
|
78 } |
|
79 |
|
80 + char * |
|
81 + parser_remaining_input () |
|
82 + { |
|
83 + if (shell_input_line == 0) |
|
84 + return 0; |
|
85 + if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) |
|
86 + return '\0'; /* XXX */ |
|
87 + return (shell_input_line + shell_input_line_index); |
|
88 + } |
|
89 + |
|
90 #ifdef INCLUDE_UNUSED |
|
91 /* Back the input pointer up by one, effectively `ungetting' a character. */ |
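Review bot: `return '\0'; /* XXX */` in `parser_remaining_input` returns a character constant from a function declared to return `char *`; it converts to a null pointer, so the out-of-range branch is indistinguishable from the `shell_input_line == 0` branch above it while reading as if it returned an empty string. Write `return 0;` there, or return a pointer to an empty string if callers are meant to tell "no input line" from "input exhausted", and replace the XXX with a header comment. That comment should say that null means nothing remains to be parsed and that the non-null result points into `shell_input_line` rather than at a copy, so it should presumably not be kept across a parser refill or reset.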
|
92 *************** |
|
93 *** 3809,3814 **** |
|
94 restore_parser_state (&ps); |
|
95 reset_parser (); |
|
96 ! if (interactive) |
|
97 ! token_to_read = 0; |
|
98 |
|
99 /* Need to find how many characters parse_and_execute consumed, update |
|
100 --- 3819,3824 ---- |
|
101 restore_parser_state (&ps); |
|
102 reset_parser (); |
|
103 ! |
|
104 ! token_to_read = 0; |
|
105 |
|
106 /* Need to find how many characters parse_and_execute consumed, update |
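Review bot: `token_to_read = 0;` is now unconditional but carries no comment, so the reason the old `if (interactive)` guard was insufficient is lost. Presumably a lookahead token left by the nested parse could otherwise be consumed by the outer parse in non-interactive shells as well; a one-line comment such as `/* drop any lookahead token left by the nested parse, interactive or not */` would keep the guard from being reintroduced. The enclosing function starts and ends outside the hunk.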
|
107 *** ../bash-4.1.16/shell.h 2009-08-14 16:32:52.000000000 -0400 |
|
108 --- shell.h 2014-10-04 15:08:26.000000000 -0400 |
|
109 *************** |
|
110 *** 164,167 **** |
|
111 --- 164,169 ---- |
|
112 |
|
113 /* Let's try declaring these here. */ |
|
114 + extern char *parser_remaining_input __P((void)); |
|
115 + |
|
116 extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); |
|
117 extern void restore_parser_state __P((sh_parser_state_t *)); |
|
118 *** ../bash-4.1-patched/patchlevel.h 2009-10-01 16:39:22.000000000 -0400 |
|
119 --- patchlevel.h 2010-01-14 09:38:08.000000000 -0500 |
|
120 *************** |
|
121 *** 26,30 **** |
|
122 looks for to find the patch level (for the sccs version string). */ |
|
123 |
|
124 ! #define PATCHLEVEL 16 |
|
125 |
|
126 #endif /* _PATCHLEVEL_H_ */ |
|
127 --- 26,30 ---- |
|
128 looks for to find the patch level (for the sccs version string). */ |
|
129 |
|
130 ! #define PATCHLEVEL 17 |
|
131 |
|
132 #endif /* _PATCHLEVEL_H_ */ |