7186425 potential stack corruption in bash <= 4.2-033
authorStefan Teleman <stefan.teleman@oracle.com>
Tue, 24 Jul 2012 10:14:00 -0700
changeset 927 19eda0ce91e0
parent 926 de73cd5d7f7c
child 928 3d14753950e0
7186425 potential stack corruption in bash <= 4.2-033
components/bash/patches/bash41-010.patch
components/bash/patches/bash41-011.patch
components/bash/patches/solaris-016.eaccess.c.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/bash41-010.patch	Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,68 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.1
+Patch-ID:	bash41-010
+
+Bug-Reported-by:	Stephane Jourdois <[email protected]>
+Bug-Reference-ID:	<[email protected]>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2010-05/msg00165.html
+
+Bug-Description:
+
+The expansion of the \W prompt string escape sequence incorrectly used
+strcpy to copy overlapping strings.  Only memmove works in this case.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.1-patched/parse.y	2009-12-30 12:51:42.000000000 -0500
+--- parse.y	2011-02-24 16:40:48.000000000 -0500
+***************
+*** 5153,5157 ****
+  			t = strrchr (t_string, '/');
+  			if (t)
+! 			  strcpy (t_string, t + 1);
+  		      }
+  		  }
+--- 5153,5157 ----
+  			t = strrchr (t_string, '/');
+  			if (t)
+! 			  memmove (t_string, t + 1, strlen (t));
+  		      }
+  		  }
+*** ../bash-4.1-patched/y.tab.c	2009-12-30 12:52:02.000000000 -0500
+--- y.tab.c	2011-02-24 16:50:27.000000000 -0500
+***************
+*** 7482,7486 ****
+  			t = strrchr (t_string, '/');
+  			if (t)
+! 			  strcpy (t_string, t + 1);
+  		      }
+  		  }
+--- 7482,7486 ----
+  			t = strrchr (t_string, '/');
+  			if (t)
+! 			  memmove (t_string, t + 1, strlen (t));
+  		      }
+  		  }
+***************
+*** 8244,8246 ****
+  }
+  #endif /* HANDLE_MULTIBYTE */
+- 
+--- 8244,8245 ----
+*** ../bash-4.1-patched/patchlevel.h	2009-10-01 16:39:22.000000000 -0400
+--- patchlevel.h	2010-01-14 09:38:08.000000000 -0500
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 9
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 10
+  
+  #endif /* _PATCHLEVEL_H_ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/bash41-011.patch	Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,86 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.1
+Patch-ID:	bash41-011
+
+Bug-Reported-by:	<[email protected]>
+Bug-Reference-ID:	<[email protected]>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2011-04/msg00075.html
+
+Bug-Description:
+
+Under certain circumstances, running `fc -l' two times in succession with a
+relative history offset at the end of the history will result in an incorrect
+calculation of the last history entry and a seg fault.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.1-patched/builtins/fc.def	2009-03-21 14:03:43.000000000 -0400
+--- builtins/fc.def	2011-04-19 15:46:17.000000000 -0400
+***************
+*** 304,307 ****
+--- 304,317 ----
+    last_hist = i - rh - hist_last_line_added;
+  
++   /* XXX */
++   if (i == last_hist && hlist[last_hist] == 0)
++     while (last_hist >= 0 && hlist[last_hist] == 0)
++       last_hist--;
++   if (last_hist < 0)
++     {
++       sh_erange ((char *)NULL, _("history specification"));
++       return (EXECUTION_FAILURE);
++     }
++ 
+    if (list)
+      {
+***************
+*** 466,470 ****
+  {
+    int sign, n, clen, rh;
+!   register int i, j;
+    register char *s;
+  
+--- 476,480 ----
+  {
+    int sign, n, clen, rh;
+!   register int i, j, last_hist;
+    register char *s;
+  
+***************
+*** 486,490 ****
+       calculation as if it were on. */
+    rh = remember_on_history || ((subshell_environment & SUBSHELL_COMSUB) && enable_history_list);
+!   i -= rh + hist_last_line_added;
+  
+    /* No specification defaults to most recent command. */
+--- 496,508 ----
+       calculation as if it were on. */
+    rh = remember_on_history || ((subshell_environment & SUBSHELL_COMSUB) && enable_history_list);
+!   last_hist = i - rh - hist_last_line_added;
+! 
+!   if (i == last_hist && hlist[last_hist] == 0)
+!     while (last_hist >= 0 && hlist[last_hist] == 0)
+!       last_hist--;
+!   if (last_hist < 0)
+!     return (-1);
+! 
+!   i = last_hist;
+  
+    /* No specification defaults to most recent command. */
+*** ../bash-4.1-patched/patchlevel.h	2009-10-01 16:39:22.000000000 -0400
+--- patchlevel.h	2010-01-14 09:38:08.000000000 -0500
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 10
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 11
+  
+  #endif /* _PATCHLEVEL_H_ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/solaris-016.eaccess.c.patch	Tue Jul 24 10:14:00 2012 -0700
@@ -0,0 +1,42 @@
+#
+# Backported to bash 4.1 from:
+# http://lists.gnu.org/archive/html/bug-bash/2012-07/msg00027.html
+# Also see:
+# https://bugzilla.redhat.com/show_bug.cgi?id=840091
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
+#
+--- lib/sh/eaccess.c	2008-08-12 08:50:01.000000000 -0700
++++ lib/sh/eaccess.c	2012-07-24 09:39:37.970186946 -0700
[email protected]@ -40,6 +40,10 @@
+ #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H)
+ #  include <sys/file.h>
+ #endif /* !_POSIX_VERSION */
++
++#include <string.h> /* memset(3C) */
++#include <limits.h> /* _XOPEN_PATH_MAX */
++
+ #include "posixstat.h"
+ #include "filecntl.h"
+ 
[email protected]@ -82,6 +86,8 @@
+      const char *path;
+      struct stat *finfo;
+ {
++  static char pbuf[_XOPEN_PATH_MAX + 1];
++
+   if (*path == '\0')
+     {
+       errno = ENOENT;
[email protected]@ -106,9 +112,10 @@
+      trailing slash.  Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
+      On most systems, with the notable exception of linux, this is
+      effectively a no-op. */
+-      char pbuf[32];
++      (void) memset (pbuf, '\0', sizeof(pbuf));
+       strcpy (pbuf, DEV_FD_PREFIX);
+-      strcat (pbuf, path + 8);
++      strncat (pbuf, path + 8,
++	      (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX)));
+       return (stat (pbuf, finfo));
+ #endif /* !HAVE_DEV_FD */
+     }
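Review bot: The strncat bound in the `@@ -106,9 +112,10 @@` hunk stops the overflow only by silently truncating `path + 8`, so an over-long /dev/fd path is stat()ed under a different, shortened name instead of failing; sh_stat should refuse it with `errno = ENAMETOOLONG` before building pbuf (below). The bound is exact only if DEV_FD_PREFIX is a string literal, because `sizeof (DEV_FD_PREFIX)` is being used as its length plus one; a comment such as `/* sizeof (DEV_FD_PREFIX) is strlen + 1, so the bound leaves room for the NUL */` would make that dependency visible. The memset added before the strcpy is redundant once the guard is in place, since strcpy and strncat both terminate the string. Making pbuf `static` trades a 32-byte automatic buffer for one of _XOPEN_PATH_MAX + 1 bytes that outlives the call; that looks acceptable for single-threaded bash but makes sh_stat non-reentrant, which deserves a comment. sh_stat's header and the rest of its body lie outside the hunk.
```c
      if (strlen (path + 8) > sizeof (pbuf) - sizeof (DEV_FD_PREFIX))
	{
	  errno = ENAMETOOLONG;	/* would not fit: fail rather than truncate */
	  return (-1);
	}
      strcpy (pbuf, DEV_FD_PREFIX);
      /* … unchanged: strncat append and stat call … */
```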