54a9495123
Fixes CVE-2017-5932 - Shell code execution on tab completion of specially crafted files. For details, see the report: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf We unfortunately cannot easily download these because of the file names (not ending in patch) and patch format (p0), so convert to p1 format and include in package/bash with the following script: for i in 06 07 08 09 10 11 12; do cat > bash44-0$i.patch << EOF >From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i Signed-off-by: Peter Korsgaard <peter@korsgaard.com> EOF curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \ sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> bash44-0$i.patch done Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
166 lines
5.8 KiB
Diff
166 lines
5.8 KiB
Diff
From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-012
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
|
|
BASH PATCH REPORT
|
|
=================
|
|
|
|
Bash-Release: 4.4
|
|
Patch-ID: bash44-012
|
|
|
|
Bug-Reported-by: Clark Wang <dearvoid@gmail.com>
|
|
Bug-Reference-ID: <CADv8-ojttPUFOZXqbjsvy83LfaJtQKZ5qejGdF6j0VJ3vtrYOA@mail.gmail.com>
|
|
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00106.html
|
|
|
|
Bug-Description:
|
|
|
|
When -N is used, the input is not supposed to be split using $IFS, but
|
|
leading and trailing IFS whitespace was still removed.
|
|
|
|
Patch (apply with `patch -p0'):
|
|
|
|
*** bash-4.4-patched/subst.c 2017-01-20 14:22:01.000000000 -0500
|
|
--- b/subst.c 2017-01-25 13:43:22.000000000 -0500
|
|
***************
|
|
*** 2826,2834 ****
|
|
/* Parse a single word from STRING, using SEPARATORS to separate fields.
|
|
ENDPTR is set to the first character after the word. This is used by
|
|
! the `read' builtin. This is never called with SEPARATORS != $IFS;
|
|
! it should be simplified.
|
|
|
|
XXX - this function is very similar to list_string; they should be
|
|
combined - XXX */
|
|
char *
|
|
get_word_from_string (stringp, separators, endptr)
|
|
--- b/2826,2838 ----
|
|
/* Parse a single word from STRING, using SEPARATORS to separate fields.
|
|
ENDPTR is set to the first character after the word. This is used by
|
|
! the `read' builtin.
|
|
!
|
|
! This is never called with SEPARATORS != $IFS, and takes advantage of that.
|
|
|
|
XXX - this function is very similar to list_string; they should be
|
|
combined - XXX */
|
|
+
|
|
+ #define islocalsep(c) (local_cmap[(unsigned char)(c)] != 0)
|
|
+
|
|
char *
|
|
get_word_from_string (stringp, separators, endptr)
|
|
***************
|
|
*** 2838,2841 ****
|
|
--- b/2842,2846 ----
|
|
char *current_word;
|
|
int sindex, sh_style_split, whitesep, xflags;
|
|
+ unsigned char local_cmap[UCHAR_MAX+1]; /* really only need single-byte chars here */
|
|
size_t slen;
|
|
|
|
***************
|
|
*** 2847,2854 ****
|
|
separators[2] == '\n' &&
|
|
separators[3] == '\0';
|
|
! for (xflags = 0, s = ifs_value; s && *s; s++)
|
|
{
|
|
if (*s == CTLESC) xflags |= SX_NOCTLESC;
|
|
if (*s == CTLNUL) xflags |= SX_NOESCCTLNUL;
|
|
}
|
|
|
|
--- b/2852,2861 ----
|
|
separators[2] == '\n' &&
|
|
separators[3] == '\0';
|
|
! memset (local_cmap, '\0', sizeof (local_cmap));
|
|
! for (xflags = 0, s = separators; s && *s; s++)
|
|
{
|
|
if (*s == CTLESC) xflags |= SX_NOCTLESC;
|
|
if (*s == CTLNUL) xflags |= SX_NOESCCTLNUL;
|
|
+ local_cmap[(unsigned char)*s] = 1; /* local charmap of separators */
|
|
}
|
|
|
|
***************
|
|
*** 2857,2864 ****
|
|
|
|
/* Remove sequences of whitespace at the beginning of STRING, as
|
|
! long as those characters appear in IFS. */
|
|
! if (sh_style_split || !separators || !*separators)
|
|
{
|
|
! for (; *s && spctabnl (*s) && isifs (*s); s++);
|
|
|
|
/* If the string is nothing but whitespace, update it and return. */
|
|
--- b/2864,2872 ----
|
|
|
|
/* Remove sequences of whitespace at the beginning of STRING, as
|
|
! long as those characters appear in SEPARATORS. This happens if
|
|
! SEPARATORS == $' \t\n' or if IFS is unset. */
|
|
! if (sh_style_split || separators == 0)
|
|
{
|
|
! for (; *s && spctabnl (*s) && islocalsep (*s); s++);
|
|
|
|
/* If the string is nothing but whitespace, update it and return. */
|
|
***************
|
|
*** 2879,2885 ****
|
|
This obeys the field splitting rules in Posix.2. */
|
|
sindex = 0;
|
|
! /* Don't need string length in ADVANCE_CHAR or string_extract_verbatim
|
|
! unless multibyte chars are possible. */
|
|
! slen = (MB_CUR_MAX > 1) ? STRLEN (s) : 1;
|
|
current_word = string_extract_verbatim (s, slen, &sindex, separators, xflags);
|
|
|
|
--- b/2887,2893 ----
|
|
This obeys the field splitting rules in Posix.2. */
|
|
sindex = 0;
|
|
! /* Don't need string length in ADVANCE_CHAR unless multibyte chars are
|
|
! possible, but need it in string_extract_verbatim for bounds checking */
|
|
! slen = STRLEN (s);
|
|
current_word = string_extract_verbatim (s, slen, &sindex, separators, xflags);
|
|
|
|
***************
|
|
*** 2900,2904 ****
|
|
/* Now skip sequences of space, tab, or newline characters if they are
|
|
in the list of separators. */
|
|
! while (s[sindex] && spctabnl (s[sindex]) && isifs (s[sindex]))
|
|
sindex++;
|
|
|
|
--- b/2908,2912 ----
|
|
/* Now skip sequences of space, tab, or newline characters if they are
|
|
in the list of separators. */
|
|
! while (s[sindex] && spctabnl (s[sindex]) && islocalsep (s[sindex]))
|
|
sindex++;
|
|
|
|
***************
|
|
*** 2907,2916 ****
|
|
delimiter, not a separate delimiter that would result in an empty field.
|
|
Look at POSIX.2, 3.6.5, (3)(b). */
|
|
! if (s[sindex] && whitesep && isifs (s[sindex]) && !spctabnl (s[sindex]))
|
|
{
|
|
sindex++;
|
|
/* An IFS character that is not IFS white space, along with any adjacent
|
|
IFS white space, shall delimit a field. */
|
|
! while (s[sindex] && spctabnl (s[sindex]) && isifs (s[sindex]))
|
|
sindex++;
|
|
}
|
|
--- b/2915,2924 ----
|
|
delimiter, not a separate delimiter that would result in an empty field.
|
|
Look at POSIX.2, 3.6.5, (3)(b). */
|
|
! if (s[sindex] && whitesep && islocalsep (s[sindex]) && !spctabnl (s[sindex]))
|
|
{
|
|
sindex++;
|
|
/* An IFS character that is not IFS white space, along with any adjacent
|
|
IFS white space, shall delimit a field. */
|
|
! while (s[sindex] && spctabnl (s[sindex]) && islocalsep(s[sindex]))
|
|
sindex++;
|
|
}
|
|
*** bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
|
|
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
|
|
***************
|
|
*** 26,30 ****
|
|
looks for to find the patch level (for the sccs version string). */
|
|
|
|
! #define PATCHLEVEL 11
|
|
|
|
#endif /* _PATCHLEVEL_H_ */
|
|
--- b/26,30 ----
|
|
looks for to find the patch level (for the sccs version string). */
|
|
|
|
! #define PATCHLEVEL 12
|
|
|
|
#endif /* _PATCHLEVEL_H_ */
|