From a01f169fa9c8d124e8448f77d2bb0138abaa39ff Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:19:55 +0000
Subject: import bash-4.2.46-28.el7
---
diff --git a/SOURCES/bash-4.2-leak-compound.patch b/SOURCES/bash-4.2-leak-compound.patch
new file mode 100644
index 0000000..a249084
--- /dev/null
+++ b/SOURCES/bash-4.2-leak-compound.patch
@@ -0,0 +1,12 @@
+diff -up bash-4.2/subst.c.old bash-4.2/subst.c
+--- bash-4.2/subst.c.old 2015-12-09 13:24:47.369738319 +0100
++++ bash-4.2/subst.c 2015-12-09 13:28:27.366024824 +0100
+@@ -2713,6 +2713,8 @@ do_compound_assignment (name, value, fla
+ else if (v == 0 || (array_p (v) == 0 && assoc_p (v) == 0) || v->context != variable_context)
+ v = make_local_array_variable (name);
+ assign_compound_array_list (v, list, flags);
++ if (list)
++ dispose_words (list);
+ }
+ else
+ v = assign_array_from_string (name, value, flags);
diff --git a/SOURCES/bash-4.2-missing-opt-cd.patch b/SOURCES/bash-4.2-missing-opt-cd.patch
new file mode 100644
index 0000000..5cf27cc
--- /dev/null
+++ b/SOURCES/bash-4.2-missing-opt-cd.patch
@@ -0,0 +1,12 @@
+diff -up bash-4.2/builtins/cd.def.old bash-4.2/builtins/cd.def
+--- bash-4.2/builtins/cd.def.old 2015-12-09 11:47:59.113106805 +0100
++++ bash-4.2/builtins/cd.def 2015-12-09 11:48:13.702060840 +0100
+@@ -200,7 +200,7 @@ cd_builtin (list)
+ eflag = 0;
+ no_symlinks = no_symbolic_links;
+ reset_internal_getopt ();
+- while ((opt = internal_getopt (list, "LP")) != -1)
++ while ((opt = internal_getopt (list, "LPe")) != -1)
+ {
+ switch (opt)
+ {
diff --git a/SOURCES/bash-4.3-cve-2016-0634.patch b/SOURCES/bash-4.3-cve-2016-0634.patch
new file mode 100644
index 0000000..21b821c
--- /dev/null
+++ b/SOURCES/bash-4.3-cve-2016-0634.patch
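Review bot: The new `dispose_words (list)` after `assign_compound_array_list (v, list, flags)` closes the leak only if that callee neither retains a pointer into the word list nor frees it itself; the callee is not visible in this hunk, so that ownership contract should be confirmed before shipping, since getting it wrong turns a leak into a double free or use-after-free in the local-array assignment path. A one-line why-comment at the call site would make the contract explicit, e.g. `/* assign_compound_array_list copies what it keeps; LIST is ours to free. */`. The `if (list)` guard is harmless but implies `list` can be NULL here; if dispose_words already tolerates NULL it can be dropped. do_compound_assignment begins before this hunk, so where `list` is allocated could not be checked.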
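Review bot: Adding `e` to the internal_getopt string only makes `cd -e` parse; the `case 'e':` arm that should set `eflag`, and the `-P` failure path that is supposed to honour it, are both outside this hunk (the only visible use is the `eflag = 0;` reset), so confirm they exist in this 4.2 tree. If the case arm is missing, the option now reaches the switch's default handling instead of being rejected as unknown, which is a visible behaviour change worth a test such as `cd -e /nonexistent; echo $?`.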
@@ -0,0 +1,95 @@
+diff --git a/parse.y b/parse.y
+index 12d6def..d4a93a2 100644
+--- a/parse.y
++++ b/parse.y
+@@ -5103,7 +5103,7 @@ decode_prompt_string (string)
+ size_t result_size;
+ int result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -5251,7 +5251,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -5337,9 +5341,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+diff --git a/y.tab.c b/y.tab.c
+index 23b88bc..1c0f5a1 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7368,7 +7368,7 @@ decode_prompt_string (string)
+ size_t result_size;
+ int result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -7513,7 +7513,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -7599,9 +7603,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+--
+2.9.3
+
diff --git a/SOURCES/bash-4.3-cve-2016-7543.patch b/SOURCES/bash-4.3-cve-2016-7543.patch
new file mode 100644
index 0000000..81ee471
--- /dev/null
+++ b/SOURCES/bash-4.3-cve-2016-7543.patch
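Review bot: The quoting added for `\s`, `\h` and `\H` is only effective when the caller later expands the decoded prompt with Q_DOUBLE_QUOTES, which the new comment itself states as a precondition; that caller is outside this hunk, so the pairing should be verified rather than assumed, because backslash-quoting for a double-quoted context does not neutralise metacharacters in an unquoted expansion. Other escapes that interpolate externally influenced strings (`\u`, `\w`/`\W`) are not touched here; if they do not already pass through sh_backslash_quote_for_double_quotes they are the same class of bug as the hostname case. The fix is also hand-duplicated into the generated y.tab.c, and the spec already carries `BuildRequires: texinfo bison`, so regenerating from parse.y would avoid the two copies drifting on the next backport. decode_prompt_string begins and ends outside the hunk.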
@@ -0,0 +1,20 @@
+diff --git a/variables.c b/variables.c
+index b7ebaea..5e2986f 100644
+--- a/variables.c
++++ b/variables.c
+@@ -467,7 +467,11 @@ initialize_shell_variables (env, privmode)
+ #endif
+ set_if_not ("PS2", secondary_prompt);
+ }
+- set_if_not ("PS4", "+ ");
++
++ if (current_user.euid == 0)
++ bind_variable ("PS4", "+ ", 0);
++ else
++ set_if_not ("PS4", "+ ");
+
+ /* Don't allow IFS to be imported from the environment. */
+ temp_var = bind_variable ("IFS", " \t\n", 0);
+--
+2.9.3
+
diff --git a/SOURCES/bash-4.4-param-expansion.patch b/SOURCES/bash-4.4-param-expansion.patch
new file mode 100644
index 0000000..555477f
--- /dev/null
+++ b/SOURCES/bash-4.4-param-expansion.patch
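Review bot: The guard keys only on `current_user.euid == 0`, so a setuid or setgid shell running with a non-root effective id still imports PS4 from the caller's environment through `set_if_not`, which is the same trust boundary the root case is closing. initialize_shell_variables already receives `privmode`; if that flag reflects a setuid invocation in this tree, `if (current_user.euid == 0 || privmode)` would cover the privileged-but-not-root case with one token, and the IFS line two below shows the simpler unconditional `bind_variable` pattern if overriding PS4 for ordinary users is acceptable. The hunk gives no rationale; a comment such as `/* PS4 is expanded when tracing (set -x), so never take it from the environment when privileged. */` would help the next reader, presumably matching the CVE it resolves. The function starts before this hunk.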
@@ -0,0 +1,73 @@
+diff --git a/parse.y b/parse.y
+index 9a78d0c..7df7d99 100644
+--- a/parse.y
++++ b/parse.y
+@@ -4993,7 +4993,8 @@ decode_prompt_string (string)
+ struct dstack save_dstack;
+ int last_exit_value, last_comsub_pid;
+ #if defined (PROMPT_STRING_DECODE)
+- int result_size, result_index;
++ size_t result_size;
++ int result_index;
+ int c, n, i;
+ char *temp, octal_string[4];
+ struct tm *tm;
+diff --git a/subst.c b/subst.c
+index 9f15f0b..e5ffd03 100644
+--- a/subst.c
++++ b/subst.c
+@@ -644,11 +644,13 @@ unquoted_substring (substr, string)
+ INLINE char *
+ sub_append_string (source, target, indx, size)
+ char *source, *target;
+- int *indx, *size;
++ int *indx;
++ size_t *size;
+ {
+ if (source)
+ {
+- int srclen, n;
++ int n;
++ size_t srclen;
+
+ srclen = STRLEN (source);
+ if (srclen >= (int)(*size - *indx))
+@@ -7676,7 +7678,7 @@ expand_word_internal (word, quoted, isexp, contains_dollar_at, expanded_somethin
+ char *istring;
+
+ /* The current size of the above object. */
+- int istring_size;
++ size_t istring_size;
+
+ /* Index into ISTRING. */
+ int istring_index;
+diff --git a/subst.h b/subst.h
+index b06e8c2..fc66faf 100644
+--- a/subst.h
++++ b/subst.h
+@@ -127,7 +127,7 @@ extern int do_word_assignment __P((WORD_DESC *));
+ of space allocated to TARGET. SOURCE can be NULL, in which
+ case nothing happens. Gets rid of SOURCE by free ()ing it.
+ Returns TARGET in case the location has changed. */
+-extern char *sub_append_string __P((char *, char *, int *, int *));
++extern char *sub_append_string __P((char *, char *, int *, size_t *));
+
+ /* Append the textual representation of NUMBER to TARGET.
+ INDEX and SIZE are as in SUB_APPEND_STRING. */
+diff --git a/y.tab.c b/y.tab.c
+index d702554..31faa4a 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7280,7 +7280,8 @@ decode_prompt_string (string)
+ struct dstack save_dstack;
+ int last_exit_value, last_comsub_pid;
+ #if defined (PROMPT_STRING_DECODE)
+- int result_size, result_index;
++ size_t result_size;
++ int result_index;
+ int c, n, i;
+ char *temp, octal_string[4];
+ struct tm *tm;
+--
+2.5.5
+
diff --git a/SOURCES/bash-4.4-pipeline-pgrp.patch b/SOURCES/bash-4.4-pipeline-pgrp.patch
new file mode 100644
index 0000000..860cd1b
--- /dev/null
+++ b/SOURCES/bash-4.4-pipeline-pgrp.patch
@@ -0,0 +1,17 @@
+diff --git a/subst.c b/subst.c
+index 1dbfb5e..049962e 100644
+--- a/subst.c
++++ b/subst.c
+@@ -5011,7 +5011,8 @@ process_substitute (string, open_for_read_in_child)
+
+ #if defined (JOB_CONTROL)
+ old_pipeline_pgrp = pipeline_pgrp;
+- pipeline_pgrp = shell_pgrp;
++ if (pipeline_pgrp == 0 || (subshell_environment & (SUBSHELL_PIPE|SUBSHELL_FORK|SUBSHELL_ASYNC)) == 0)
++ pipeline_pgrp = shell_pgrp;
+ save_pipeline (1);
+ #endif /* JOB_CONTROL */
+
+--
+2.9.3
+
diff --git a/SOURCES/bash-cve-2016-9401.patch b/SOURCES/bash-cve-2016-9401.patch
new file mode 100644
index 0000000..69eb9d7
--- /dev/null
+++ b/SOURCES/bash-cve-2016-9401.patch
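Review bot: In sub_append_string the unchanged check `if (srclen >= (int)(*size - *indx))` narrows the freshly widened size_t difference back to int and then compares the size_t `srclen` against it; once `*size - *indx` exceeds INT_MAX the cast yields a negative value, which the usual conversions turn into a huge unsigned, so the reallocation is skipped for exactly the long strings this change is meant to survive and the copy that follows can overrun `target`. Dropping the cast, `if (srclen >= *size - *indx)`, keeps the comparison in size_t (`*indx` is a non-negative int here, so its promotion is benign). `n` is left as `int` in this hunk; if it is what the new size is computed into just below (not visible), it needs the same widening or the size_t `*size` is truncated again at the xrealloc. The remainder of sub_append_string is outside the hunk.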
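Review bot: The new condition around `pipeline_pgrp = shell_pgrp;` carries no explanation of why a process substitution must keep an existing pipeline pgrp when `subshell_environment` has any of SUBSHELL_PIPE, SUBSHELL_FORK or SUBSHELL_ASYNC set, and the spec changelog only restates the code. A why-comment above the `if` would help, along the lines of `/* Keep the subshell's pipeline pgrp when we are already inside a pipe/fork/async subshell; only adopt the shell's pgrp otherwise. */` — that is presumably the intent, so check the wording against the bug it resolves before committing it. process_substitute begins and ends outside this hunk.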
@@ -0,0 +1,28 @@
+diff --git a/builtins/pushd.def b/builtins/pushd.def
+index 05b7529..4eb0132 100644
+--- a/builtins/pushd.def
++++ b/builtins/pushd.def
+@@ -353,7 +353,7 @@ popd_builtin (list)
+ break;
+ }
+
+- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
++ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+ return (EXECUTION_FAILURE);
+@@ -375,6 +375,11 @@ popd_builtin (list)
+ remove that directory from the list and shift the remainder
+ of the list into place. */
+ i = (direction == '+') ? directory_list_offset - which : which;
++ if (i < 0 || i > directory_list_offset)
++ {
++ pushd_error (directory_list_offset, which_word ? which_word : "");
++ return (EXECUTION_FAILURE);
++ }
+ free (pushd_directory_list[i]);
+ directory_list_offset--;
+
+--
+2.9.3
+
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 922b2b6..8629605 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -6,7 +6,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 21%{?dist}
+Release: 28%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -165,9 +165,30 @@ Patch142: bash-4.2-enable-hyphened-fn-export.patch
 #1326302
 Patch143: fix-shopt-lastpipe-mode-crash.patch
-#1384521
+#1372806
 Patch144: bash-4.3-trapped-signals.patch
+#1403255
+Patch145: bash-4.4-param-expansion.patch
+
+#1377496
+Patch146: bash-4.4-pipeline-pgrp.patch
+
+#1267478
+Patch147: bash-4.2-missing-opt-cd.patch
+
+#1264101 - Plug a leak related to compound assignments
+Patch148: bash-4.2-leak-compound.patch
+
+#1379237
+Patch149: bash-4.3-cve-2016-0634.patch
+
+#1426026
+Patch150: bash-4.3-cve-2016-7543.patch
+
+#1429838
+Patch151: bash-cve-2016-9401.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
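Review bot: The new secondary bound `if (i < 0 || i > directory_list_offset)` still admits `i == directory_list_offset`, which — if pushd_directory_list holds exactly directory_list_offset entries at indices 0..offset-1, as the `directory_list_offset--` following the `free` suggests — is one past the last stored directory and would hand `free` a stale or empty slot; `i >= directory_list_offset` is the tight bound for a check that is meant to be the last line of defence. With the widened first check (`which < -directory_list_offset`) that index is probably unreachable on this path, but an off-by-one in a defensive bound is exactly what the next refactor trips over. popd_builtin begins and ends outside the hunk, so the top-of-stack branch that presumably handles `which == directory_list_offset` for the `-` direction could not be verified here.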
@@ -290,6 +311,13 @@ This package contains documentation files for %{name}.
 %patch142 -p0 -b .export
 %patch143 -p1 -b .fix-shopt-lastpipe-mode
 %patch144 -p1 -b .trapped-signals
+%patch145 -p1 -b .param-expansion
+%patch146 -p1 -b .pipeline-pgrp
+%patch147 -p1 -b .cd-e
+%patch148 -p1 -b .leak-compound
+%patch149 -p1 -b .cve-2016-0634
+%patch150 -p1 -b .cve-2016-7543
+%patch151 -p1 -b .cve-2016-9401
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -482,9 +510,37 @@ end
 #%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 %changelog
+* Tue Mar 07 2017 Kamil Dudka - 4.2.46-26
+- CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
+ Resolves: #1379237
+
+* Thu Feb 09 2017 Siteshwar Vashisht - 4.2.46-25
+- Plug a leak related to compound assignments
+ Resolves: #1264101
+
+* Thu Feb 09 2017 Siteshwar Vashisht - 4.2.46-24
+- Recognize cd -e
+ Resolves: #1267478
+
+* Thu Feb 09 2017 Siteshwar Vashisht - 4.2.46-23
+- Add a condition before setting pipeline_pgrp to shell_pgrp
+ Resolves: #1377496
+
+* Thu Feb 09 2017 Siteshwar Vashisht - 4.2.46-22
+- Avoid crash in parameter expansion while expanding long strings
+ Resolves: #1403255
+
 * Wed Oct 12 2016 Siteshwar Vashisht - 4.2.46-21
 - Fix a crash in trap signal handling
- Resolves: #1384521
+ Resolves: #1372806
 * Tue Jul 12 2016 Siteshwar Vashisht - 4.2.46-20
 - Fix a crash when lastpipe mode is enabled