19690348 problem in UTILITY/BASH s11u2-sru 0.175.2.3.0.4.0 S11.2SRU3.4
authorStefan Teleman <stefan.teleman@oracle.com>
Fri, 26 Sep 2014 07:32:09 -0700
branchs11u2-sru
changeset 3346 0e90925e4557
parent 3344 1b28b3179dc2
child 3352 b6f0ca4b5294
19690348 problem in UTILITY/BASH
components/bash/patches/parser-oob-4.1.patch
components/bash/patches/variables-affix-4.1.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/parser-oob-4.1.patch	Fri Sep 26 07:32:09 2014 -0700
@@ -0,0 +1,87 @@
+# Patch Origin: http://www.openwall.com/lists/oss-security/2014/09/26/2
+# Patch is from Red Hat Security.
+# Assigned CVE-2014-7186 and CVE-2014-7187
+# CVSS Score: 4.6
+--- ../bash-4.1.orig/parse.y	2014-09-25 08:10:49.809021000 -0700
++++ parse.y	2014-09-25 11:33:15.596573700 -0700
[email protected]@ -261,9 +261,21 @@
+ 
+ /* Variables to manage the task of reading here documents, because we need to
+    defer the reading until after a complete command has been collected. */
+-static REDIRECT *redir_stack[10];
++static REDIRECT **redir_stack;
+ int need_here_doc;
+ 
++/* Pushes REDIR onto redir_stack, resizing it as needed. */
++static void
++push_redir_stack (REDIRECT *redir)
++{
++  /* Guard against oveflow. */
++  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
++    abort ();
++  redir_stack = xrealloc (redir_stack,
++             (need_here_doc + 1) * sizeof (*redir_stack));
++  redir_stack[need_here_doc++] = redir;
++}
++
+ /* Where shell input comes from.  History expansion is performed on each
+    line when the shell is interactive. */
+ static char *shell_input_line = (char *)NULL;
[email protected]@ -516,42 +528,42 @@
+ 			  source.dest = 0;
+ 			  redir.filename = $2;
+ 			  $$ = make_redirection (source, r_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	NUMBER LESS_LESS WORD
+ 			{
+ 			  source.dest = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	REDIR_WORD LESS_LESS WORD
+ 			{
+ 			  source.filename = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	LESS_LESS_MINUS WORD
+ 			{
+ 			  source.dest = 0;
+ 			  redir.filename = $2;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	NUMBER LESS_LESS_MINUS WORD
+ 			{
+ 			  source.dest = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	REDIR_WORD  LESS_LESS_MINUS WORD
+ 			{
+ 			  source.filename = $1;
+ 			  redir.filename = $3;
+ 			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+-			  redir_stack[need_here_doc++] = $$;
++                          push_redir_stack ($$);
+ 			}
+ 	|	LESS_LESS_LESS WORD
+ 			{
[email protected]@ -4677,7 +4689,7 @@
+     case CASE:
+     case SELECT:
+     case FOR:
+-      if (word_top < MAX_CASE_NEST)
++      if ((word_top + 1) < MAX_CASE_NEST)
+ 	word_top++;
+       word_lineno[word_top] = line_number;
+       break;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bash/patches/variables-affix-4.1.patch	Fri Sep 26 07:32:09 2014 -0700
@@ -0,0 +1,153 @@
+# Patch Origin: http://www.openwall.com/lists/oss-security/2014/09/25/32
+# Patch is from Red Hat Security.
+# CVE-2014-7619
+# CVSS Score:10.0
+# This is an update to the previously released patchset for the same
+# vulnerability. The previous patch did NOT cover all possible attack
+# vectors.
+--- ../bash-4.1.orig/variables.c	2014-09-25 08:10:49.920709400 -0700
++++ variables.c	2014-09-25 11:59:38.642742000 -0700
[email protected]@ -268,7 +268,7 @@
+ static void propagate_temp_var __P((PTR_T));
+ static void dispose_temporary_env __P((sh_free_func_t *));     
+ 
+-static inline char *mk_env_string __P((const char *, const char *));
++static inline char *mk_env_string __P((const char *, const char *, int));
+ static char **make_env_array_from_var_list __P((SHELL_VAR **));
+ static char **make_var_export_array __P((VAR_CONTEXT *));
+ static char **make_func_export_array __P((void));
[email protected]@ -301,6 +301,14 @@
+ #endif
+ }
+ 
++/* Prefix and suffix for environment variable names which contain
++   shell functions. */
++#define FUNCDEF_PREFIX "BASH_FUNC_"
++#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX))
++#define FUNCDEF_SUFFIX "()"
++#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX))
++
++
+ /* Initialize the shell variables from the current environment.
+    If PRIVMODE is nonzero, don't import functions from ENV or
+    parse $SHELLOPTS. */
[email protected]@ -338,27 +346,39 @@
+ 
+       /* If exported function, define it now.  Don't import functions from
+ 	 the environment in privileged mode. */
+-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+-	{
+-	  string_length = strlen (string);
+-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
++      if (privmode == 0 && read_but_dont_execute == 0
++          && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN)
++          && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX)
++          && STREQN ("() {", string, 4))
++	{
++          size_t name_length
++            = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN);
++          char *temp_name = name + FUNCDEF_PREFIX_LEN;
++          /* Temporarily remove the suffix. */
++          temp_name[name_length] = '\0';
+ 
+-	  strcpy (temp_string, name);
+-	  temp_string[char_index] = ' ';
+-	  strcpy (temp_string + char_index + 1, string);
++	  string_length = strlen (string);
++	  temp_string = (char *)xmalloc (name_length + 1 + string_length + 1);
++          memcpy (temp_string, temp_name, name_length);
++          temp_string[name_length] = ' ';
++          memcpy (temp_string + name_length + 1, string, string_length + 1);
+ 
+ 	  /* Don't import function names that are invalid identifiers from the
+ 	     environment. */
+-	  if (legal_identifier (name))
+-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
++	  if (legal_identifier (temp_name))
++	    parse_and_execute (temp_string, temp_name,
++                SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+ 
+-	  if (temp_var = find_function (name))
++	  if (temp_var = find_function (temp_name))
+ 	    {
+ 	      VSETATTR (temp_var, (att_exported|att_imported));
+ 	      array_needs_making = 1;
+ 	    }
+ 	  else
+ 	    report_error (_("error importing function definition for `%s'"), name);
++
++          /* Restore the original suffix. */
++          temp_name[name_length] = FUNCDEF_SUFFIX[0];
+ 	}
+ #if defined (ARRAY_VARS)
+ #  if 0
[email protected]@ -2515,7 +2535,7 @@
+   var->context = variable_context;	/* XXX */
+ 
+   INVALIDATE_EXPORTSTR (var);
+-  var->exportstr = mk_env_string (name, value);
++  var->exportstr = mk_env_string (name, value, 0);
+ 
+   array_needs_making = 1;
+ 
[email protected]@ -3333,22 +3353,43 @@
+ /*								    */
+ /* **************************************************************** */
+ 
++/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in
++   which case it is treated as empty).  Otherwise, decorate NAME with
++   FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form
++   FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces).  */
+ static inline char *
+-mk_env_string (name, value)
++mk_env_string (name, value, functionp)
+      const char *name, *value;
++     int functionp;
+ {
+-  int name_len, value_len;
+-  char	*p;
++  size_t name_len, value_len;
++  char	*p, *q;
+ 
+   name_len = strlen (name);
+   value_len = STRLEN (value);
+-  p = (char *)xmalloc (2 + name_len + value_len);
+-  strcpy (p, name);
+-  p[name_len] = '=';
++  if (functionp && value != NULL)
++  {
++    p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN
++        + 1 + value_len + 1);
++    q = p;
++    memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN);
++    q += FUNCDEF_PREFIX_LEN;
++    memcpy (q, name, name_len);
++    q += name_len;
++    memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN);
++    q += FUNCDEF_SUFFIX_LEN;
++  }
++  else
++  {
++    p = (char *)xmalloc (name_len + 1 + value_len + 1);
++    memcpy (p, name, name_len);
++    q = p + name_len;
++  }
++  q[0] = '=';
+   if (value && *value)
+-    strcpy (p + name_len + 1, value);
++    memcpy (q + 1, value, value_len + 1);
+   else
+-    p[name_len + 1] = '\0';
++    q[1] = '\0';
+   return (p);
+ }
+ 
[email protected]@ -3434,7 +3475,7 @@
+ 	  /* Gee, I'd like to get away with not using savestring() if we're
+ 	     using the cached exportstr... */
+ 	  list[list_index] = USE_EXPORTSTR ? savestring (value)
+-					   : mk_env_string (var->name, value);
++            : mk_env_string (var->name, value, function_p (var));
+ 
+ 	  if (USE_EXPORTSTR == 0)
+ 	    SAVE_EXPORTSTR (var, list[list_index]);