applied bash32-054 (3.2.54) patch to fix CVE-2014-6277, based on Florian Weimer's patch.
ido committed Sep 28, 2014
1 parent 93b2ff7 commit 801950f
Showing 2 changed files with 61 additions and 21 deletions.
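--- a/bash-3.2/patchlevel.h
+++ b/bash-3.2/patchlevel.h
@@ -25,6 +25,6 @@
 regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
 looks for to find the patch level (for the sccs version string). */
 
-#define PATCHLEVEL 53
+#define PATCHLEVEL 54
 
 #endif /* _PATCHLEVEL_H_ */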
80 changes: 60 additions & 20 deletions bash-3.2/variables.c
Expand Up @@ -74,6 +74,11 @@

#define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')

#define BASHFUNC_PREFIX "BASH_FUNC_"
#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
#define BASHFUNC_SUFFIX "%%"
#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */

extern char **environ;

/* Variables used here and defined in other files. */
Expand Down Expand Up @@ -241,7 +246,7 @@ static void push_temp_var __P((PTR_T));
static void propagate_temp_var __P((PTR_T));
static void dispose_temporary_env __P((sh_free_func_t *));

static inline char *mk_env_string __P((const char *, const char *));
static inline char *mk_env_string __P((const char *, const char *, int));
static char **make_env_array_from_var_list __P((SHELL_VAR **));
static char **make_var_export_array __P((VAR_CONTEXT *));
static char **make_func_export_array __P((void));
Expand Down Expand Up @@ -309,27 +314,41 @@ initialize_shell_variables (env, privmode)

/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
if (privmode == 0 && read_but_dont_execute == 0 &&
STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
STREQN ("() {", string, 4))
{
size_t namelen;
char *tname; /* desired imported function name */

namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;

tname = name + BASHFUNC_PREFLEN; /* start of func name */
tname[namelen] = '\0'; /* now tname == func name */

string_length = strlen (string);
temp_string = (char *)xmalloc (3 + string_length + char_index);
temp_string = (char *)xmalloc (namelen + string_length + 2);

strcpy (temp_string, name);
temp_string[char_index] = ' ';
strcpy (temp_string + char_index + 1, string);
memcpy (temp_string, tname, namelen);
temp_string[namelen] = ' ';
memcpy (temp_string + namelen + 1, string, string_length + 1);

/* Don't import function names that are invalid identifiers from the
environment. */
if (legal_identifier (name))
parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);

if (temp_var = find_function (name))
if (temp_var = find_function (tname))
{
VSETATTR (temp_var, (att_exported|att_imported));
array_needs_making = 1;
}
else
report_error (_("error importing function definition for `%s'"), name);
report_error (_("error importing function definition for `%s'"), tname);

/* Restore original suffix */
tname[namelen] = BASHFUNC_SUFFIX[0];
}
#if defined (ARRAY_VARS)
# if 0
Expand Down Expand Up @@ -2207,7 +2226,7 @@ assign_in_env (word)
var->context = variable_context; /* XXX */

INVALIDATE_EXPORTSTR (var);
var->exportstr = mk_env_string (name, value);
var->exportstr = mk_env_string (name, value, 0);

array_needs_making = 1;

Expand Down Expand Up @@ -2998,21 +3017,42 @@ merge_temporary_env ()
/* **************************************************************** */

static inline char *
mk_env_string (name, value)
mk_env_string (name, value, isfunc)
const char *name, *value;
int isfunc;
{
int name_len, value_len;
char *p;
size_t name_len, value_len;
char *p, *q;

name_len = strlen (name);
value_len = STRLEN (value);
p = (char *)xmalloc (2 + name_len + value_len);
strcpy (p, name);
p[name_len] = '=';

/* If we are exporting a shell function, construct the encoded function
name. */
if (isfunc && value)
{
p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
q = p;
memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
q += BASHFUNC_PREFLEN;
memcpy (q, name, name_len);
q += name_len;
memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
q += BASHFUNC_SUFFLEN;
}
else
{
p = (char *)xmalloc (2 + name_len + value_len);
memcpy (p, name, name_len);
q = p + name_len;
}

q[0] = '=';
if (value && *value)
strcpy (p + name_len + 1, value);
memcpy (q + 1, value, value_len + 1);
else
p[name_len + 1] = '\0';
q[1] = '\0';

return (p);
}

Expand Down Expand Up @@ -3087,7 +3127,7 @@ make_env_array_from_var_list (vars)
/* Gee, I'd like to get away with not using savestring() if we're
using the cached exportstr... */
list[list_index] = USE_EXPORTSTR ? savestring (value)
: mk_env_string (var->name, value);
: mk_env_string (var->name, value, function_p (var));

if (USE_EXPORTSTR == 0)
SAVE_EXPORTSTR (var, list[list_index]);
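Review bot: In the initialize_shell_variables hunk, temp_string is allocated before the name check, and nothing visible frees it when `absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))` is false, so each rejected BASH_FUNC_ entry in the environment appears to leak its buffer. If parse_and_execute takes ownership of the string (not visible on this page), the rejected path needs `else free (temp_string);` directly after the call. The same guard also seems to let an entry named exactly `BASH_FUNC_%%` through with namelen == 0 whenever posixly_correct is 0, because legal_identifier is skipped in that case; adding `namelen > 0 &&` to the condition would keep an empty function name away from the parser. The function begins and ends outside this hunk, so how name and char_index are set up is assumed rather than checked here.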