|
 |
104d6b |
From 73eade866e0f1685749c0ec50f49fed0cca0c503 Mon Sep 17 00:00:00 2001
|
|
|
104d6b |
From: "Barton E. Schaefer" <schaefer@zsh.org>
|
|
|
104d6b |
Date: Fri, 25 Dec 2015 00:31:32 -0800
|
|
|
104d6b |
Subject: [PATCH 1/2] 37435 (+ fix typo): allow execution of empty files as
|
|
|
104d6b |
"sh" scripts
|
|
|
104d6b |
|
|
|
104d6b |
Upstream-commit: fc344465f27cdf89664a64fb157b7606c9eb837f
|
|
|
104d6b |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
104d6b |
---
|
|
|
104d6b |
Src/exec.c | 3 ++-
|
|
|
104d6b |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
104d6b |
|
|
|
104d6b |
diff --git a/Src/exec.c b/Src/exec.c
|
|
|
104d6b |
index b9ffb35..f20b96c 100644
|
|
|
104d6b |
--- a/Src/exec.c
|
|
|
104d6b |
+++ b/Src/exec.c
|
|
|
104d6b |
@@ -465,9 +465,10 @@ zexecve(char *pth, char **argv, char **newenvp)
|
|
|
104d6b |
if ((fd = open(pth, O_RDONLY|O_NOCTTY)) >= 0) {
|
|
|
104d6b |
argv0 = *argv;
|
|
|
104d6b |
*argv = pth;
|
|
|
104d6b |
+ execvebuf[0] = '\0';
|
|
|
104d6b |
ct = read(fd, execvebuf, POUNDBANGLIMIT);
|
|
|
104d6b |
close(fd);
|
|
|
104d6b |
- if (ct > 0) {
|
|
|
104d6b |
+ if (ct >= 0) {
|
|
|
104d6b |
if (execvebuf[0] == '#') {
|
|
|
104d6b |
if (execvebuf[1] == '!') {
|
|
|
104d6b |
for (t0 = 0; t0 != ct; t0++)
|
|
|
104d6b |
--
|
|
|
104d6b |
2.17.2
|
|
|
104d6b |
|
|
|
104d6b |
|
|
|
104d6b |
From ddb6c5b4c0ab9c6a7404112d367f0c7cc400ceec Mon Sep 17 00:00:00 2001
|
|
|
104d6b |
From: Anthony Sottile <asottile@umich.edu>
|
|
|
104d6b |
Date: Mon, 3 Sep 2018 14:39:25 +0000
|
|
|
104d6b |
Subject: [PATCH 2/2] CVE-2018-0502, CVE-2018-13259: Fix two security issues in
|
|
|
104d6b |
shebang line parsing.
|
|
|
104d6b |
|
|
|
104d6b |
See NEWS for more information.
|
|
|
104d6b |
|
|
|
104d6b |
Patch by Anthony Sottile and Buck Evan.
|
|
|
104d6b |
|
|
|
104d6b |
Upstream-commit: 1c4c7b6a4d17294df028322b70c53803a402233d
|
|
|
104d6b |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
104d6b |
---
|
|
|
104d6b |
Src/exec.c | 32 ++++++++++++++++++--------------
|
|
|
104d6b |
Test/A05execution.ztst | 22 ++++++++++++++++++++++
|
|
|
104d6b |
2 files changed, 40 insertions(+), 14 deletions(-)
|
|
|
104d6b |
|
|
|
104d6b |
diff --git a/Src/exec.c b/Src/exec.c
|
|
|
104d6b |
index f20b96c..c95667e 100644
|
|
|
104d6b |
--- a/Src/exec.c
|
|
|
104d6b |
+++ b/Src/exec.c
|
|
|
104d6b |
@@ -427,7 +427,7 @@ execcursh(Estate state, int do_exec)
|
|
|
104d6b |
|
|
|
104d6b |
/* execve after handling $_ and #! */
|
|
|
104d6b |
|
|
|
104d6b |
-#define POUNDBANGLIMIT 64
|
|
|
104d6b |
+#define POUNDBANGLIMIT 128
|
|
|
104d6b |
|
|
|
104d6b |
/**/
|
|
|
104d6b |
static int
|
|
|
104d6b |
@@ -465,18 +465,20 @@ zexecve(char *pth, char **argv, char **newenvp)
|
|
|
104d6b |
if ((fd = open(pth, O_RDONLY|O_NOCTTY)) >= 0) {
|
|
|
104d6b |
argv0 = *argv;
|
|
|
104d6b |
*argv = pth;
|
|
|
104d6b |
- execvebuf[0] = '\0';
|
|
|
104d6b |
+ memset(execvebuf, '\0', POUNDBANGLIMIT + 1);
|
|
|
104d6b |
ct = read(fd, execvebuf, POUNDBANGLIMIT);
|
|
|
104d6b |
close(fd);
|
|
|
104d6b |
if (ct >= 0) {
|
|
|
104d6b |
- if (execvebuf[0] == '#') {
|
|
|
104d6b |
- if (execvebuf[1] == '!') {
|
|
|
104d6b |
- for (t0 = 0; t0 != ct; t0++)
|
|
|
104d6b |
- if (execvebuf[t0] == '\n')
|
|
|
104d6b |
- break;
|
|
|
104d6b |
+ if (ct >= 2 && execvebuf[0] == '#' && execvebuf[1] == '!') {
|
|
|
104d6b |
+ for (t0 = 0; t0 != ct; t0++)
|
|
|
104d6b |
+ if (execvebuf[t0] == '\n')
|
|
|
104d6b |
+ break;
|
|
|
104d6b |
+ if (t0 == ct)
|
|
|
104d6b |
+ zerr("%s: bad interpreter: %s: %e", pth,
|
|
|
104d6b |
+ execvebuf + 2, eno);
|
|
|
104d6b |
+ else {
|
|
|
104d6b |
while (inblank(execvebuf[t0]))
|
|
|
104d6b |
execvebuf[t0--] = '\0';
|
|
|
104d6b |
- execvebuf[POUNDBANGLIMIT] = '\0';
|
|
|
104d6b |
for (ptr = execvebuf + 2; *ptr && *ptr == ' '; ptr++);
|
|
|
104d6b |
for (ptr2 = ptr; *ptr && *ptr != ' '; ptr++);
|
|
|
104d6b |
if (eno == ENOENT) {
|
|
|
104d6b |
@@ -485,9 +487,14 @@ zexecve(char *pth, char **argv, char **newenvp)
|
|
|
104d6b |
*ptr = '\0';
|
|
|
104d6b |
if (*ptr2 != '/' &&
|
|
|
104d6b |
(pprog = pathprog(ptr2, NULL))) {
|
|
|
104d6b |
- argv[-2] = ptr2;
|
|
|
104d6b |
- argv[-1] = ptr + 1;
|
|
|
104d6b |
- execve(pprog, argv - 2, newenvp);
|
|
|
104d6b |
+ if (ptr == execvebuf + t0 + 1) {
|
|
|
104d6b |
+ argv[-1] = ptr2;
|
|
|
104d6b |
+ execve(pprog, argv - 1, newenvp);
|
|
|
104d6b |
+ } else {
|
|
|
104d6b |
+ argv[-2] = ptr2;
|
|
|
104d6b |
+ argv[-1] = ptr + 1;
|
|
|
104d6b |
+ execve(pprog, argv - 2, newenvp);
|
|
|
104d6b |
+ }
|
|
|
104d6b |
}
|
|
|
104d6b |
zerr("%s: bad interpreter: %s: %e", pth, ptr2,
|
|
|
104d6b |
eno);
|
|
|
104d6b |
@@ -500,9 +507,6 @@ zexecve(char *pth, char **argv, char **newenvp)
|
|
|
104d6b |
argv[-1] = ptr2;
|
|
|
104d6b |
execve(ptr2, argv - 1, newenvp);
|
|
|
104d6b |
}
|
|
|
104d6b |
- } else if (eno == ENOEXEC) {
|
|
|
104d6b |
- argv[-1] = "sh";
|
|
|
104d6b |
- execve("/bin/sh", argv - 1, newenvp);
|
|
|
104d6b |
}
|
|
|
104d6b |
} else if (eno == ENOEXEC) {
|
|
|
104d6b |
for (t0 = 0; t0 != ct; t0++)
|
|
|
104d6b |
diff --git a/Test/A05execution.ztst b/Test/A05execution.ztst
|
|
|
104d6b |
index 0804691..fb39d05 100644
|
|
|
104d6b |
--- a/Test/A05execution.ztst
|
|
|
104d6b |
+++ b/Test/A05execution.ztst
|
|
|
104d6b |
@@ -12,7 +12,14 @@
|
|
|
104d6b |
|
|
|
104d6b |
print '#!/bin/sh\necho This is dir2' >dir2/tstcmd
|
|
|
104d6b |
|
|
|
104d6b |
+ print -n '#!sh\necho This is slashless' >tstcmd-slashless
|
|
|
104d6b |
+ print -n '#!echo foo\necho This is arg' >tstcmd-arg
|
|
|
104d6b |
+ print '#!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxnyyy' >tstcmd-interp-too-long
|
|
|
104d6b |
+ print '#!/bin/sh\necho should not execute; exit 1' >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
|
|
|
104d6b |
+
|
|
|
104d6b |
chmod 755 tstcmd dir1/tstcmd dir2/tstcmd
|
|
|
104d6b |
+ chmod 755 tstcmd-slashless tstcmd-arg tstcmd-interp-too-long
|
|
|
104d6b |
+ chmod 755 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
|
|
|
104d6b |
|
|
|
104d6b |
%test
|
|
|
104d6b |
./tstcmd
|
|
|
104d6b |
@@ -33,6 +40,21 @@
|
|
|
104d6b |
0:path (2)
|
|
|
104d6b |
>This is top
|
|
|
104d6b |
|
|
|
104d6b |
+ PATH=/bin:${ZTST_testdir}/command.tmp/ tstcmd-slashless
|
|
|
104d6b |
+0:path (3)
|
|
|
104d6b |
+>This is slashless
|
|
|
104d6b |
+
|
|
|
104d6b |
+ PATH=/bin:${ZTST_testdir}/command.tmp tstcmd-arg
|
|
|
104d6b |
+0:path (4)
|
|
|
104d6b |
+*>foo */command.tmp/tstcmd-arg
|
|
|
104d6b |
+
|
|
|
104d6b |
+ path=(/bin ${ZTST_testdir}/command.tmp/)
|
|
|
104d6b |
+ tstcmd-interp-too-long 2>&1; echo "status $?"
|
|
|
104d6b |
+ path=($storepath)
|
|
|
104d6b |
+0:path (5)
|
|
|
104d6b |
+*>*tstcmd-interp-too-long: bad interpreter: x*xn: no such file or directory
|
|
|
104d6b |
+>status 127
|
|
|
104d6b |
+
|
|
|
104d6b |
functst() { print $# arguments:; print -l $*; }
|
|
|
104d6b |
functst "Eines Morgens" "als Gregor Samsa"
|
|
|
104d6b |
functst ""
|
|
|
104d6b |
--
|
|
|
104d6b |
2.17.1
|
|
|
104d6b |
|