diff options
author | Li Zhou <li.zhou@windriver.com> | 2017-02-13 10:53:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-02-15 20:06:32 -0800 |
commit | 6987b317d5ce8dc50a37ebba395aa8424bec358c (patch) | |
tree | 4abaebfc5c32013d63148d9caf8817f5e95be058 | |
parent | 9175164380b50852a21a05d4e81294394c5486f4 (diff) | |
download | openembedded-core-6987b317d5ce8dc50a37ebba395aa8424bec358c.tar.gz openembedded-core-6987b317d5ce8dc50a37ebba395aa8424bec358c.tar.bz2 openembedded-core-6987b317d5ce8dc50a37ebba395aa8424bec358c.zip |
bash: fix CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell
and cause a use-after-free via a crafted address.
Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/
bash44-006> to solve CVE-2016-9401.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r-- | meta/recipes-extended/bash/bash/CVE-2016-9401.patch | 50 | ||||
-rw-r--r-- | meta/recipes-extended/bash/bash_4.3.30.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-extended/bash/bash/CVE-2016-9401.patch b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch new file mode 100644 index 0000000000..28c927743c --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-9401.patch @@ -0,0 +1,50 @@ +From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001 +From: Chet Ramey <chet.ramey@case.edu> +Date: Fri, 20 Jan 2017 11:47:31 -0500 +Subject: [PATCH] Bash-4.4 patch 6 + +Bug-Reference-URL: +https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html + +Reference to upstream patch: +https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006 + +Bug-Description: +Out-of-range negative offsets to popd can cause the shell to crash attempting +to free an invalid memory block. + +Upstream-Status: Backport +CVE: CVE-2016-9401 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + builtins/pushd.def | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/builtins/pushd.def b/builtins/pushd.def +index 9c6548f..8a13bae 100644 +--- a/builtins/pushd.def ++++ b/builtins/pushd.def +@@ -359,7 +359,7 @@ popd_builtin (list) + break; + } + +- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) ++ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) + { + pushd_error (directory_list_offset, which_word ? which_word : ""); + return (EXECUTION_FAILURE); +@@ -381,6 +381,11 @@ popd_builtin (list) + remove that directory from the list and shift the remainder + of the list into place. */ + i = (direction == '+') ? directory_list_offset - which : which; ++ if (i < 0 || i > directory_list_offset) ++ { ++ pushd_error (directory_list_offset, which_word ? which_word : ""); ++ return (EXECUTION_FAILURE); ++ } + free (pushd_directory_list[i]); + directory_list_offset--; + +-- +1.9.1 + diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index 765562fbdd..e398e87b60 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb @@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ file://fix-run-builtins.patch \ file://0001-help-fix-printf-format-security-warning.patch \ file://fix-run-intl.patch \ + file://CVE-2016-9401.patch \ " SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" |