|
1 # Patch Origin: http://www.openwall.com/lists/oss-security/2014/09/25/32 |
|
2 # Patch is from Red Hat Security. |
|
3 # CVE-2014-7619 |
|
4 # CVSS Score:10.0 |
|
5 # This is an update to the previously released patchset for the same |
|
6 # vulnerability. The previous patch did NOT cover all possible attack |
|
7 # vectors. |
|
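--- a/variables.c
+++ b/variables.c
@@ -268,7 +268,7 @@
 static void propagate_temp_var __P((PTR_T));
 static void dispose_temporary_env __P((sh_free_func_t *));
 
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
 static char **make_env_array_from_var_list __P((SHELL_VAR **));
 static char **make_var_export_array __P((VAR_CONTEXT *));
 static char **make_func_export_array __P((void));
@@ -301,6 +301,14 @@
 #endif
 }
 
+/* Prefix and suffix for environment variable names which contain
+ shell functions. */
+#define FUNCDEF_PREFIX "BASH_FUNC_"
+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
+#define FUNCDEF_SUFFIX "()"
+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
+
+
 /* Initialize the shell variables from the current environment.
 If PRIVMODE is nonzero, don't import functions from ENV or
 parse $SHELLOPTS. */
@@ -338,27 +346,39 @@
 
 /* If exported function, define it now. Don't import functions from
 the environment in privileged mode. */
- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
- {
- string_length = strlen (string);
- temp_string = (char *)xmalloc (3 + string_length + char_index);
+ if (privmode == 0 && read_but_dont_execute == 0
+ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
+ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
+ && STREQN ("() {", string, 4))
+ {
+ size_t name_length
+ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
+ char *temp_name = name + FUNCDEF_PREFIX_LEN;
+ /* Temporarily remove the suffix. */
+ temp_name[name_length] = '\0';
 
- strcpy (temp_string, name);
- temp_string[char_index] = ' ';
- strcpy (temp_string + char_index + 1, string);
+ string_length = strlen (string);
+ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
+ memcpy (temp_string, temp_name, name_length);
+ temp_string[name_length] = ' ';
+ memcpy (temp_string + name_length + 1, string, string_length + 1);
 
 /* Don't import function names that are invalid identifiers from the
 environment. */
- if (legal_identifier (name))
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ if (legal_identifier (temp_name))
+ parse_and_execute (temp_string, temp_name,
+ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
- if (temp_var = find_function (name))
+ if (temp_var = find_function (temp_name))
 {
 VSETATTR (temp_var, (att_exported|att_imported));
 array_needs_making = 1;
 }
 else
 report_error (_("error importing function definition for `%s'"), name);
+
+ /* Restore the original suffix. */
+ temp_name[name_length] = FUNCDEF_SUFFIX[0];
 }
 #if defined (ARRAY_VARS)
 # if 0
@@ -2515,7 +2535,7 @@
 var->context = variable_context; /* XXX */
 
 INVALIDATE_EXPORTSTR (var);
- var->exportstr = mk_env_string (name, value);
+ var->exportstr = mk_env_string (name, value, 0);
 
 array_needs_making = 1;
 
@@ -3333,22 +3353,43 @@
 /* */
 /* **************************************************************** */
 
+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
+ which case it is treated as empty). Otherwise, decorate NAME with
+ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
+ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */
 static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, functionp)
 const char *name, *value;
+ int functionp;
 {
- int name_len, value_len;
- char *p;
+ size_t name_len, value_len;
+ char *p, *q;
 
 name_len = strlen (name);
 value_len = STRLEN (value);
- p = (char *)xmalloc (2 + name_len + value_len);
- strcpy (p, name);
- p[name_len] = '=';
+ if (functionp && value != NULL)
+ {
+ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
+ + 1 + value_len + 1);
+ q = p;
+ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
+ q += FUNCDEF_PREFIX_LEN;
+ memcpy (q, name, name_len);
+ q += name_len;
+ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
+ q += FUNCDEF_SUFFIX_LEN;
+ }
+ else
+ {
+ p = (char *)xmalloc (name_len + 1 + value_len + 1);
+ memcpy (p, name, name_len);
+ q = p + name_len;
+ }
+ q[0] = '=';
 if (value && *value)
- strcpy (p + name_len + 1, value);
+ memcpy (q + 1, value, value_len + 1);
 else
- p[name_len + 1] = '\0';
+ q[1] = '\0';
 return (p);
 }
 
@@ -3434,7 +3475,7 @@
 /* Gee, I'd like to get away with not using savestring() if we're
 using the cached exportstr... */
 list[list_index] = USE_EXPORTSTR ? savestring (value)
- : mk_env_string (var->name, value);
+ : mk_env_string (var->name, value, function_p (var));
 
 if (USE_EXPORTSTR == 0)
 SAVE_EXPORTSTR (var, list[list_index]);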
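Review bot: In the `@@ -338,27 +346,39 @@` hunk (its enclosing function starts and ends outside the visible lines), the unchanged `else` branch still passes `name` to `report_error` while the `()` suffix is overwritten with NUL. The message therefore prints the `BASH_FUNC_`-prefixed name with its suffix cut off; passing `temp_name` would match the `find_function (temp_name)` call just above it. The same hunk evaluates `name + char_index - FUNCDEF_SUFFIX_LEN` and the `size_t name_length` subtraction with no length test, which looks safe only because the prefix comparison runs first and the two macros share no characters. An explicit `&& char_index >= FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN` ahead of the suffix comparison, or a comment stating that invariant, would keep the subtraction from wrapping if either macro is ever edited. Because `mk_env_string` now decorates exported function names and the import path accepts only decorated names, a shell with this patch and one without it will presumably not import each other's exported functions, which is worth stating in the header comment for anyone rolling this out to a mixed fleet.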