kumquat-buildroot/package/bash/bash44-012.patch
Peter Korsgaard 54a9495123 bash: add upstream security fixes to patch level 12
Fixes CVE-2017-5932 - Shell code execution on tab completion of specially
crafted files. For details, see the report:

https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf

We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:

for i in 06 07 08 09 10 11 12; do
	cat > bash44-0$i.patch << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

EOF
	curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
		sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> bash44-0$i.patch
done

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-08 09:46:13 +01:00

166 lines
5.8 KiB
Diff

From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-012
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BASH PATCH REPORT
=================
Bash-Release: 4.4
Patch-ID: bash44-012
Bug-Reported-by: Clark Wang <dearvoid@gmail.com>
Bug-Reference-ID: <CADv8-ojttPUFOZXqbjsvy83LfaJtQKZ5qejGdF6j0VJ3vtrYOA@mail.gmail.com>
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00106.html
Bug-Description:
When -N is used, the input is not supposed to be split using $IFS, but
leading and trailing IFS whitespace was still removed.
Patch (apply with `patch -p0'):
*** bash-4.4-patched/subst.c 2017-01-20 14:22:01.000000000 -0500
--- b/subst.c 2017-01-25 13:43:22.000000000 -0500
***************
*** 2826,2834 ****
/* Parse a single word from STRING, using SEPARATORS to separate fields.
ENDPTR is set to the first character after the word. This is used by
! the `read' builtin. This is never called with SEPARATORS != $IFS;
! it should be simplified.
XXX - this function is very similar to list_string; they should be
combined - XXX */
char *
get_word_from_string (stringp, separators, endptr)
--- b/2826,2838 ----
/* Parse a single word from STRING, using SEPARATORS to separate fields.
ENDPTR is set to the first character after the word. This is used by
! the `read' builtin.
!
! This is never called with SEPARATORS != $IFS, and takes advantage of that.
XXX - this function is very similar to list_string; they should be
combined - XXX */
+
+ #define islocalsep(c) (local_cmap[(unsigned char)(c)] != 0)
+
char *
get_word_from_string (stringp, separators, endptr)
***************
*** 2838,2841 ****
--- b/2842,2846 ----
char *current_word;
int sindex, sh_style_split, whitesep, xflags;
+ unsigned char local_cmap[UCHAR_MAX+1]; /* really only need single-byte chars here */
size_t slen;
***************
*** 2847,2854 ****
separators[2] == '\n' &&
separators[3] == '\0';
! for (xflags = 0, s = ifs_value; s && *s; s++)
{
if (*s == CTLESC) xflags |= SX_NOCTLESC;
if (*s == CTLNUL) xflags |= SX_NOESCCTLNUL;
}
--- b/2852,2861 ----
separators[2] == '\n' &&
separators[3] == '\0';
! memset (local_cmap, '\0', sizeof (local_cmap));
! for (xflags = 0, s = separators; s && *s; s++)
{
if (*s == CTLESC) xflags |= SX_NOCTLESC;
if (*s == CTLNUL) xflags |= SX_NOESCCTLNUL;
+ local_cmap[(unsigned char)*s] = 1; /* local charmap of separators */
}
***************
*** 2857,2864 ****
/* Remove sequences of whitespace at the beginning of STRING, as
! long as those characters appear in IFS. */
! if (sh_style_split || !separators || !*separators)
{
! for (; *s && spctabnl (*s) && isifs (*s); s++);
/* If the string is nothing but whitespace, update it and return. */
--- b/2864,2872 ----
/* Remove sequences of whitespace at the beginning of STRING, as
! long as those characters appear in SEPARATORS. This happens if
! SEPARATORS == $' \t\n' or if IFS is unset. */
! if (sh_style_split || separators == 0)
{
! for (; *s && spctabnl (*s) && islocalsep (*s); s++);
/* If the string is nothing but whitespace, update it and return. */
***************
*** 2879,2885 ****
This obeys the field splitting rules in Posix.2. */
sindex = 0;
! /* Don't need string length in ADVANCE_CHAR or string_extract_verbatim
! unless multibyte chars are possible. */
! slen = (MB_CUR_MAX > 1) ? STRLEN (s) : 1;
current_word = string_extract_verbatim (s, slen, &sindex, separators, xflags);
--- b/2887,2893 ----
This obeys the field splitting rules in Posix.2. */
sindex = 0;
! /* Don't need string length in ADVANCE_CHAR unless multibyte chars are
! possible, but need it in string_extract_verbatim for bounds checking */
! slen = STRLEN (s);
current_word = string_extract_verbatim (s, slen, &sindex, separators, xflags);
***************
*** 2900,2904 ****
/* Now skip sequences of space, tab, or newline characters if they are
in the list of separators. */
! while (s[sindex] && spctabnl (s[sindex]) && isifs (s[sindex]))
sindex++;
--- b/2908,2912 ----
/* Now skip sequences of space, tab, or newline characters if they are
in the list of separators. */
! while (s[sindex] && spctabnl (s[sindex]) && islocalsep (s[sindex]))
sindex++;
***************
*** 2907,2916 ****
delimiter, not a separate delimiter that would result in an empty field.
Look at POSIX.2, 3.6.5, (3)(b). */
! if (s[sindex] && whitesep && isifs (s[sindex]) && !spctabnl (s[sindex]))
{
sindex++;
/* An IFS character that is not IFS white space, along with any adjacent
IFS white space, shall delimit a field. */
! while (s[sindex] && spctabnl (s[sindex]) && isifs (s[sindex]))
sindex++;
}
--- b/2915,2924 ----
delimiter, not a separate delimiter that would result in an empty field.
Look at POSIX.2, 3.6.5, (3)(b). */
! if (s[sindex] && whitesep && islocalsep (s[sindex]) && !spctabnl (s[sindex]))
{
sindex++;
/* An IFS character that is not IFS white space, along with any adjacent
IFS white space, shall delimit a field. */
! while (s[sindex] && spctabnl (s[sindex]) && islocalsep(s[sindex]))
sindex++;
}
*** bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 11
#endif /* _PATCHLEVEL_H_ */
--- b/26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 12
#endif /* _PATCHLEVEL_H_ */