diff options
Diffstat (limited to 'patches/source/bash/bash-4.1-patches/bash41-017')
| -rw-r--r-- | patches/source/bash/bash-4.1-patches/bash41-017 | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/patches/source/bash/bash-4.1-patches/bash41-017 b/patches/source/bash/bash-4.1-patches/bash41-017 new file mode 100644 index 00000000..22a9336f --- /dev/null +++ b/patches/source/bash/bash-4.1-patches/bash41-017 @@ -0,0 +1,132 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.1 +Patch-ID: bash41-017 + +Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx> +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +A combination of nested command substitutions and function importing from +the environment can cause bash to execute code appearing in the environment +variable value following the function definition. + +Patch (apply with `patch -p0'): + +*** ../bash-4.1.16/builtins/evalstring.c 2014-09-16 19:27:38.000000000 -0400 +--- builtins/evalstring.c 2014-10-04 15:08:26.000000000 -0400 +*************** +*** 262,271 **** + struct fd_bitmap *bitmap; + +! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) + { +! internal_warning ("%s: ignoring function definition attempt", from_file); +! should_jump_to_top_level = 0; +! last_result = last_command_exit_value = EX_BADUSAGE; +! break; + } + +--- 262,284 ---- + struct fd_bitmap *bitmap; + +! if (flags & SEVAL_FUNCDEF) + { +! char *x; +! +! /* If the command parses to something other than a straight +! function definition, or if we have not consumed the entire +! string, or if the parser has transformed the function +! name (as parsing will if it begins or ends with shell +! whitespace, for example), reject the attempt */ +! if (command->type != cm_function_def || +! ((x = parser_remaining_input ()) && *x) || +! (STREQ (from_file, command->value.Function_def->name->word) == 0)) +! { +! internal_warning (_("%s: ignoring function definition attempt"), from_file); +! should_jump_to_top_level = 0; +! last_result = last_command_exit_value = EX_BADUSAGE; +! reset_parser (); +! break; +! } + } + +*************** +*** 332,336 **** + + if (flags & SEVAL_ONECMD) +! break; + } + } +--- 345,352 ---- + + if (flags & SEVAL_ONECMD) +! { +! reset_parser (); +! break; +! } + } + } +*** ../bash-4.1.16/parse.y 2014-09-30 19:36:03.000000000 -0400 +--- parse.y 2014-10-04 15:08:26.000000000 -0400 +*************** +*** 2410,2413 **** +--- 2410,2423 ---- + } + ++ char * ++ parser_remaining_input () ++ { ++ if (shell_input_line == 0) ++ return 0; ++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) ++ return '\0'; /* XXX */ ++ return (shell_input_line + shell_input_line_index); ++ } ++ + #ifdef INCLUDE_UNUSED + /* Back the input pointer up by one, effectively `ungetting' a character. */ +*************** +*** 3809,3814 **** + restore_parser_state (&ps); + reset_parser (); +! if (interactive) +! token_to_read = 0; + + /* Need to find how many characters parse_and_execute consumed, update +--- 3819,3824 ---- + restore_parser_state (&ps); + reset_parser (); +! +! token_to_read = 0; + + /* Need to find how many characters parse_and_execute consumed, update +*** ../bash-4.1.16/shell.h 2009-08-14 16:32:52.000000000 -0400 +--- shell.h 2014-10-04 15:08:26.000000000 -0400 +*************** +*** 164,167 **** +--- 164,169 ---- + + /* Let's try declaring these here. */ ++ extern char *parser_remaining_input __P((void)); ++ + extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); + extern void restore_parser_state __P((sh_parser_state_t *)); +*** ../bash-4.1-patched/patchlevel.h 2009-10-01 16:39:22.000000000 -0400 +--- patchlevel.h 2010-01-14 09:38:08.000000000 -0500 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 16 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 17 + + #endif /* _PATCHLEVEL_H_ */ |