--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/variables-affix-4.2.patch Fri Sep 26 07:28:47 2014 -0700
@@ -0,0 +1,155 @@
+# Patch Origin: http://www.openwall.com/lists/oss-security/2014/09/25/32
+# Patch is from Red Hat Security.
+# CVE-2014-7619
+# CVSS Score:10.0
+# This is an update to the previously released patchset for the same
+# vulnerability. The previous patch did NOT cover all possible attack
+# vectors.
+--- ../bash-4.2-orig/variables.c 2014-09-25 13:07:59.313209541 +0200
++++ variables.c 2014-09-25 13:15:29.869420719 +0200
+@@ -268,7 +268,7 @@
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *));
+
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
+@@ -301,6 +301,14 @@
+ #endif
+ }
+
++/* Prefix and suffix for environment variable names which contain
++ shell functions. */
++#define FUNCDEF_PREFIX "BASH_FUNC_"
++#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
++#define FUNCDEF_SUFFIX "()"
++#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
++
++
+ /* Initialize the shell variables from the current environment.
+ If PRIVMODE is nonzero, don't import functions from ENV or
+ parse $SHELLOPTS. */
+@@ -338,27 +346,39 @@
+
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+- {
+- string_length = strlen (string);
+- temp_string = (char *)xmalloc (3 + string_length + char_index);
++ if (privmode == 0 && read_but_dont_execute == 0
++ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
++ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
++ && STREQN ("() {", string, 4))
++ {
++ size_t name_length
++ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
++ char *temp_name = name + FUNCDEF_PREFIX_LEN;
++ /* Temporarily remove the suffix. */
++ temp_name[name_length] = '\0';
+
+- strcpy (temp_string, name);
+- temp_string[char_index] = ' ';
+- strcpy (temp_string + char_index + 1, string);
++ string_length = strlen (string);
++ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
++ memcpy (temp_string, temp_name, name_length);
++ temp_string[name_length] = ' ';
++ memcpy (temp_string + name_length + 1, string, string_length + 1);
+
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+- if (legal_identifier (name))
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
++ if (legal_identifier (temp_name))
++ parse_and_execute (temp_string, temp_name,
++ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+- if (temp_var = find_function (name))
++ if (temp_var = find_function (temp_name))
+ {
+ VSETATTR (temp_var, (att_exported|att_imported));
+ array_needs_making = 1;
+ }
+ else
+ report_error (_("error importing function definition for `%s'"), name);
++
++ /* Restore the original suffix. */
++ temp_name[name_length] = FUNCDEF_SUFFIX[0];
+ }
+ #if defined (ARRAY_VARS)
+ # if 0
+@@ -2537,7 +2557,7 @@
+ var->context = variable_context; /* XXX */
+
+ INVALIDATE_EXPORTSTR (var);
+- var->exportstr = mk_env_string (name, value);
++ var->exportstr = mk_env_string (name, value, 0);
+
+ array_needs_making = 1;
+
+@@ -3388,22 +3408,43 @@
+ /* */
+ /* **************************************************************** */
+
++/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
++ which case it is treated as empty). Otherwise, decorate NAME with
++ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
++ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */
+ static inline char *
+-mk_env_string (name, value)
++mk_env_string (name, value, functionp)
+ const char *name, *value;
++ int functionp;
+ {
+- int name_len, value_len;
+- char *p;
++ size_t name_len, value_len;
++ char *p, *q;
+
+ name_len = strlen (name);
+ value_len = STRLEN (value);
+- p = (char *)xmalloc (2 + name_len + value_len);
+- strcpy (p, name);
+- p[name_len] = '=';
++ if (functionp && value != NULL)
++ {
++ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
++ + 1 + value_len + 1);
++ q = p;
++ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
++ q += FUNCDEF_PREFIX_LEN;
++ memcpy (q, name, name_len);
++ q += name_len;
++ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
++ q += FUNCDEF_SUFFIX_LEN;
++ }
++ else
++ {
++ p = (char *)xmalloc (name_len + 1 + value_len + 1);
++ memcpy (p, name, name_len);
++ q = p + name_len;
++ }
++ q[0] = '=';
+ if (value && *value)
+- strcpy (p + name_len + 1, value);
++ memcpy (q + 1, value, value_len + 1);
+ else
+- p[name_len + 1] = '\0';
++ q[1] = '\0';
+ return (p);
+ }
+
+@@ -3489,7 +3530,7 @@
+ /* Gee, I'd like to get away with not using savestring() if we're
+ using the cached exportstr... */
+ list[list_index] = USE_EXPORTSTR ? savestring (value)
+- : mk_env_string (var->name, value);
++ : mk_env_string (var->name, value, function_p (var));
+
+ if (USE_EXPORTSTR == 0)
+ SAVE_EXPORTSTR (var, list[list_index]);
+
+