kumquat-buildroot/package/bash/bash44-009.patch
Peter Korsgaard 54a9495123 bash: add upstream security fixes to patch level 12
Fixes CVE-2017-5932 - Shell code execution on tab completion of specially
crafted files. For details, see the report:

https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf

We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:

for i in 06 07 08 09 10 11 12; do
	cat > bash44-0$i.patch << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

EOF
	curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
		sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> bash44-0$i.patch
done

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-08 09:46:13 +01:00

112 lines
3.2 KiB
Diff

From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-009
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BASH PATCH REPORT
=================
Bash-Release: 4.4
Patch-ID: bash44-009
Bug-Reported-by: Hong Cho <hong.cho@citrix.com>
Bug-Reference-ID: <c30b5fe62b2543af8297e47ca487c29c@SJCPEX02CL02.citrite.net>
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-12/msg00043.html
Bug-Description:
There is a race condition in add_history() that can be triggered by a fatal
signal arriving between the time the history length is updated and the time
the history list update is completed. A later attempt to reference an
invalid history entry can cause a crash.
Patch (apply with `patch -p0'):
*** bash-4.4-patched/lib/readline/history.c 2016-11-11 13:42:49.000000000 -0500
--- b/lib/readline/history.c 2016-12-05 10:37:51.000000000 -0500
***************
*** 280,283 ****
--- b/280,284 ----
{
HIST_ENTRY *temp;
+ int new_length;
if (history_stifled && (history_length == history_max_entries))
***************
*** 296,306 ****
/* Copy the rest of the entries, moving down one slot. Copy includes
trailing NULL. */
- #if 0
- for (i = 0; i < history_length; i++)
- the_history[i] = the_history[i + 1];
- #else
memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));
- #endif
history_base++;
}
--- b/297,303 ----
/* Copy the rest of the entries, moving down one slot. Copy includes
trailing NULL. */
memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));
+ new_length = history_length;
history_base++;
}
***************
*** 316,320 ****
history_size = DEFAULT_HISTORY_INITIAL_SIZE;
the_history = (HIST_ENTRY **)xmalloc (history_size * sizeof (HIST_ENTRY *));
! history_length = 1;
}
else
--- b/313,317 ----
history_size = DEFAULT_HISTORY_INITIAL_SIZE;
the_history = (HIST_ENTRY **)xmalloc (history_size * sizeof (HIST_ENTRY *));
! new_length = 1;
}
else
***************
*** 326,330 ****
xrealloc (the_history, history_size * sizeof (HIST_ENTRY *));
}
! history_length++;
}
}
--- b/323,327 ----
xrealloc (the_history, history_size * sizeof (HIST_ENTRY *));
}
! new_length = history_length + 1;
}
}
***************
*** 332,337 ****
temp = alloc_history_entry ((char *)string, hist_inittime ());
! the_history[history_length] = (HIST_ENTRY *)NULL;
! the_history[history_length - 1] = temp;
}
--- b/329,335 ----
temp = alloc_history_entry ((char *)string, hist_inittime ());
! the_history[new_length] = (HIST_ENTRY *)NULL;
! the_history[new_length - 1] = temp;
! history_length = new_length;
}
*** bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 8
#endif /* _PATCHLEVEL_H_ */
--- b/26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 9
#endif /* _PATCHLEVEL_H_ */