openembedded-core.git/meta/recipes-extended/bash/bash_3.2.48.bb, branch dora Mirror of openembedded-core bash: Fix-for-CVE-2014-6278 2014-10-12T20:24:36+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:25:15+00:00 1e155330f6cf132997b91a7cfdfe7de319410566 This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 (From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
bash: Fix for CVE-2014-6277 2014-10-12T20:24:36+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:24:53+00:00 5a802295d1f40af6f21dd3ed7e4549fe033f03a0 Follow up bash42-049 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 (From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa) Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
bash: Fix for CVE-2014-7186 and CVE-2014-7187 2014-10-12T20:24:36+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:24:29+00:00 bdfe1e3770aeee9a1a7c65d4834f1a99820d3140 This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 (From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
bash: Fix for exported function namespace change 2014-10-12T20:24:35+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:23:24+00:00 af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function. (From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.

(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
bash: Fix CVE-2014-7169 2014-10-02T07:03:41+00:00 Khem Raj raj.khem@gmail.com 2014-09-26T20:21:19+00:00 1c8f43767c7d78872d38652ea808f30ea825bbef This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed (From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment

Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
bash: fix CVE-2014-6271 2014-10-02T07:03:40+00:00 Ross Burton ross.burton@intel.com 2014-09-25T23:05:18+00:00 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c CVE-2014-6271 aka ShellShock. "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment." (From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
CVE-2014-6271 aka ShellShock.

"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."

(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
bash: Add ptest 2013-07-26T06:44:27+00:00 Muhammad Shakeel muhammad_shakeel@mentor.com 2013-07-05T07:23:18+00:00 d054da760deda0c965619372209b50f8db964e1c ptest support was already added for v4.2 but for the distros using GPLv2 version of bash (3.2.48) this update is required. Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
ptest support was already added for v4.2 but for the distros
using GPLv2 version of bash (3.2.48) this update is required.

Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
bash: fix mkbuiltins build failure 2013-01-09T12:36:22+00:00 Saul Wold sgw@linux.intel.com 2013-01-08T22:39:50+00:00 d00acdbfa7d10804ff832009888c441fda51e412 Same patch for non-gplv3 version: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1fd9a16d2a4594a4e9179dc7353ac51ce32eb712 [YOCTO #3646] Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Same patch for non-gplv3 version:

http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1fd9a16d2a4594a4e9179dc7353ac51ce32eb712

[YOCTO #3646]

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bash: Make it possible to run bash 3.2.48 instead of 4.2. 2012-09-24T10:10:55+00:00 Martin Ertsaas mertsas@cisco.com 2012-09-19T07:16:55+00:00 e7b82cb4d107bfbfa5c939d406dd6ce6615b24e1 bash-3.2.48 did not provide the linking from sh to bash, making it unusable. Moving the license part out of the bash.inc file, and into bash_4.2.bb file makes us able to use that file also for bash_3.2.48.bb, which makes maintaining both at the same time a lot easier. Signed-off-by: Martin Ertsaas <mertsas@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
bash-3.2.48 did not provide the linking from sh to bash, making it unusable.
Moving the license part out of the bash.inc file, and into bash_4.2.bb file makes
us able to use that file also for bash_3.2.48.bb, which makes maintaining both
at the same time a lot easier.

Signed-off-by: Martin Ertsaas <mertsas@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PR bump for all recipes that DEPEND on ncurses 2012-03-14T23:34:10+00:00 Scott Garman scott.a.garman@intel.com 2012-03-14T20:15:21+00:00 be92256917c157284ef8370bb93bbf443849b2e1 The packaging changes to ncurses could break package feeds, so bump the PR on everythong that DEPENDS on ncurses. Signed-off-by: Scott Garman <scott.a.garman@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The packaging changes to ncurses could break package feeds,
so bump the PR on everythong that DEPENDS on ncurses.

Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>