# HG changeset patch
# User Stefan Teleman
# Date 1343150040 25200
# Node ID 19eda0ce91e01a15703471cd68b9e1743f35e5b0
# Parent de73cd5d7f7cf587c4dbffd40cb8da4274109e4c
7186425 potential stack corruption in bash <= 4.2-033
diff -r de73cd5d7f7c -r 19eda0ce91e0 components/bash/patches/bash41-010.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/bash41-010.patch Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,68 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.1
+Patch-ID: bash41-010
+
+Bug-Reported-by: Stephane Jourdois
+Bug-Reference-ID:
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2010-05/msg00165.html
+
+Bug-Description:
+
+The expansion of the \W prompt string escape sequence incorrectly used
+strcpy to copy overlapping strings. Only memmove works in this case.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.1-patched/parse.y 2009-12-30 12:51:42.000000000 -0500
+--- parse.y 2011-02-24 16:40:48.000000000 -0500
+***************
+*** 5153,5157 ****
+ t = strrchr (t_string, '/');
+ if (t)
+! strcpy (t_string, t + 1);
+ }
+ }
+--- 5153,5157 ----
+ t = strrchr (t_string, '/');
+ if (t)
+! memmove (t_string, t + 1, strlen (t));
+ }
+ }
+*** ../bash-4.1-patched/y.tab.c 2009-12-30 12:52:02.000000000 -0500
+--- y.tab.c 2011-02-24 16:50:27.000000000 -0500
+***************
+*** 7482,7486 ****
+ t = strrchr (t_string, '/');
+ if (t)
+! strcpy (t_string, t + 1);
+ }
+ }
+--- 7482,7486 ----
+ t = strrchr (t_string, '/');
+ if (t)
+! memmove (t_string, t + 1, strlen (t));
+ }
+ }
+***************
+*** 8244,8246 ****
+ }
+ #endif /* HANDLE_MULTIBYTE */
+-
+--- 8244,8245 ----
+*** ../bash-4.1-patched/patchlevel.h 2009-10-01 16:39:22.000000000 -0400
+--- patchlevel.h 2010-01-14 09:38:08.000000000 -0500
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 9
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
diff -r de73cd5d7f7c -r 19eda0ce91e0 components/bash/patches/bash41-011.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/bash41-011.patch Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,86 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.1
+Patch-ID: bash41-011
+
+Bug-Reported-by:
+Bug-Reference-ID: <4DAAC0DB.7060606@piumalab.org>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2011-04/msg00075.html
+
+Bug-Description:
+
+Under certain circumstances, running `fc -l' two times in succession with a
+relative history offset at the end of the history will result in an incorrect
+calculation of the last history entry and a seg fault.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.1-patched/builtins/fc.def 2009-03-21 14:03:43.000000000 -0400
+--- builtins/fc.def 2011-04-19 15:46:17.000000000 -0400
+***************
+*** 304,307 ****
+--- 304,317 ----
+ last_hist = i - rh - hist_last_line_added;
+
++ /* XXX */
++ if (i == last_hist && hlist[last_hist] == 0)
++ while (last_hist >= 0 && hlist[last_hist] == 0)
++ last_hist--;
++ if (last_hist < 0)
++ {
++ sh_erange ((char *)NULL, _("history specification"));
++ return (EXECUTION_FAILURE);
++ }
++
+ if (list)
+ {
+***************
+*** 466,470 ****
+ {
+ int sign, n, clen, rh;
+! register int i, j;
+ register char *s;
+
+--- 476,480 ----
+ {
+ int sign, n, clen, rh;
+! register int i, j, last_hist;
+ register char *s;
+
+***************
+*** 486,490 ****
+ calculation as if it were on. */
+ rh = remember_on_history || ((subshell_environment & SUBSHELL_COMSUB) && enable_history_list);
+! i -= rh + hist_last_line_added;
+
+ /* No specification defaults to most recent command. */
+--- 496,508 ----
+ calculation as if it were on. */
+ rh = remember_on_history || ((subshell_environment & SUBSHELL_COMSUB) && enable_history_list);
+! last_hist = i - rh - hist_last_line_added;
+!
+! if (i == last_hist && hlist[last_hist] == 0)
+! while (last_hist >= 0 && hlist[last_hist] == 0)
+! last_hist--;
+! if (last_hist < 0)
+! return (-1);
+!
+! i = last_hist;
+
+ /* No specification defaults to most recent command. */
+*** ../bash-4.1-patched/patchlevel.h 2009-10-01 16:39:22.000000000 -0400
+--- patchlevel.h 2010-01-14 09:38:08.000000000 -0500
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 11
+
+ #endif /* _PATCHLEVEL_H_ */
diff -r de73cd5d7f7c -r 19eda0ce91e0 components/bash/patches/solaris-016.eaccess.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/solaris-016.eaccess.c.patch Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,42 @@
+#
+# Backported to bash 4.1 from:
+# http://lists.gnu.org/archive/html/bug-bash/2012-07/msg00027.html
+# Also see:
+# https://bugzilla.redhat.com/show_bug.cgi?id=840091
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
+#
+--- lib/sh/eaccess.c 2008-08-12 08:50:01.000000000 -0700
++++ lib/sh/eaccess.c 2012-07-24 09:39:37.970186946 -0700
+@@ -40,6 +40,10 @@
+ #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H)
+ # include
+ #endif /* !_POSIX_VERSION */
++
++#include /* memset(3C) */
++#include /* _XOPEN_PATH_MAX */
++
+ #include "posixstat.h"
+ #include "filecntl.h"
+
+@@ -82,6 +86,8 @@
+ const char *path;
+ struct stat *finfo;
+ {
++ static char pbuf[_XOPEN_PATH_MAX + 1];
++
+ if (*path == '\0')
+ {
+ errno = ENOENT;
+@@ -106,9 +112,10 @@
+ trailing slash. Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
+ On most systems, with the notable exception of linux, this is
+ effectively a no-op. */
+- char pbuf[32];
++ (void) memset (pbuf, '\0', sizeof(pbuf));
+ strcpy (pbuf, DEV_FD_PREFIX);
+- strcat (pbuf, path + 8);
++ strncat (pbuf, path + 8,
++ (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX)));
+ return (stat (pbuf, finfo));
+ #endif /* !HAVE_DEV_FD */
+ }
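Review bot: In the last eaccess.c hunk (`-106,9 +112,10`), the bounded `strncat` silently truncates an over-long `/dev/fd/` suffix and then calls `stat` on the shortened name, so the result can describe a different path than the one the caller asked about. Reject the input before the copy instead: `if (strlen (path + 8) > sizeof(pbuf) - sizeof(DEV_FD_PREFIX)) { errno = ENAMETOOLONG; return (-1); }`. The bound passed to `strncat` leaves room for the terminator only if DEV_FD_PREFIX expands to a string literal; its definition is not shown here, and if it were a pointer `sizeof` would yield the pointer size. The new `static char pbuf[_XOPEN_PATH_MAX + 1]` also makes the function non-reentrant and the `memset` before `strcpy` is redundant, so a one-line comment such as `/* static: keeps a PATH_MAX-sized buffer off the stack; not reentrant */` would record the trade-off. The function body starts and ends outside these hunks, so callers' handling of a `-1` return could not be checked.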