bash: add upstream security fixes to patch level 12

Fixes CVE-2017-5932 - Shell code execution on tab completion of specially crafted files. For details, see the report: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf We unfortunately cannot easily download these because of the file names (not ending in patch) and patch format (p0), so convert to p1 format and include in package/bash with the following script: for i in 06 07 08 09 10 11 12; do cat > bash44-0$i.patch << EOF >From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i Signed-off-by: Peter Korsgaard <peter@korsgaard.com> EOF curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \ sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> bash44-0$i.patch done Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
author: Peter Korsgaard <peter@korsgaard.com> 2017-02-08 09:12:03 +0100
committer: Peter Korsgaard <peter@korsgaard.com> 2017-02-08 09:46:13 +0100
commit: 54a94951231ce624cf6a2e297c806c1677efdeb8 (patch)
tree: 907a5e278016f8ecdadfdc6bfa80984a3454a34e /package/bash/bash44-009.patch
parent: a1071d7169e00b805dbcdaec33082ad2365dfd23 (diff)
download: buildroot-54a94951231ce624cf6a2e297c806c1677efdeb8.tar.gz
buildroot-54a94951231ce624cf6a2e297c806c1677efdeb8.zip
1 files changed, 111 insertions, 0 deletions
diff --git a/package/bash/bash44-009.patch b/package/bash/bash44-009.patch
new file mode 100644
index 0000000000..3ba1b3fe0f
--- /dev/null
+++ b/package/bash/bash44-009.patch
@@ -0,0 +1,111 @@
+From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-009
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.4
+Patch-ID:	bash44-009
+
+Bug-Reported-by:	Hong Cho <hong.cho@citrix.com>
+Bug-Reference-ID:	<c30b5fe62b2543af8297e47ca487c29c@SJCPEX02CL02.citrite.net>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2016-12/msg00043.html
+
+Bug-Description:
+
+There is a race condition in add_history() that can be triggered by a fatal
+signal arriving between the time the history length is updated and the time
+the history list update is completed. A later attempt to reference an
+invalid history entry can cause a crash.
+
+Patch (apply with `patch -p0'):
+
+*** bash-4.4-patched/lib/readline/history.c	2016-11-11 13:42:49.000000000 -0500
+--- b/lib/readline/history.c	2016-12-05 10:37:51.000000000 -0500
+***************
+*** 280,283 ****
+--- b/280,284 ----
+  {
+    HIST_ENTRY *temp;
++   int new_length;
+  
+    if (history_stifled && (history_length == history_max_entries))
+***************
+*** 296,306 ****
+        /* Copy the rest of the entries, moving down one slot.  Copy includes
+  	 trailing NULL.  */
+- #if 0
+-       for (i = 0; i < history_length; i++)
+- 	the_history[i] = the_history[i + 1];
+- #else
+        memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));
+- #endif
+  
+        history_base++;
+      }
+--- b/297,303 ----
+        /* Copy the rest of the entries, moving down one slot.  Copy includes
+  	 trailing NULL.  */
+        memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));
+  
++       new_length = history_length;
+        history_base++;
+      }
+***************
+*** 316,320 ****
+  	    history_size = DEFAULT_HISTORY_INITIAL_SIZE;
+  	  the_history = (HIST_ENTRY **)xmalloc (history_size * sizeof (HIST_ENTRY *));
+! 	  history_length = 1;
+  	}
+        else
+--- b/313,317 ----
+  	    history_size = DEFAULT_HISTORY_INITIAL_SIZE;
+  	  the_history = (HIST_ENTRY **)xmalloc (history_size * sizeof (HIST_ENTRY *));
+! 	  new_length = 1;
+  	}
+        else
+***************
+*** 326,330 ****
+  		xrealloc (the_history, history_size * sizeof (HIST_ENTRY *));
+  	    }
+! 	  history_length++;
+  	}
+      }
+--- b/323,327 ----
+  		xrealloc (the_history, history_size * sizeof (HIST_ENTRY *));
+  	    }
+! 	  new_length = history_length + 1;
+  	}
+      }
+***************
+*** 332,337 ****
+    temp = alloc_history_entry ((char *)string, hist_inittime ());
+  
+!   the_history[history_length] = (HIST_ENTRY *)NULL;
+!   the_history[history_length - 1] = temp;
+  }
+  
+--- b/329,335 ----
+    temp = alloc_history_entry ((char *)string, hist_inittime ());
+  
+!   the_history[new_length] = (HIST_ENTRY *)NULL;
+!   the_history[new_length - 1] = temp;
+!   history_length = new_length;
+  }
+  
+*** bash-4.4/patchlevel.h	2016-06-22 14:51:03.000000000 -0400
+--- b/patchlevel.h	2016-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 8
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- b/26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 9
+  
+  #endif /* _PATCHLEVEL_H_ */
author	Peter Korsgaard <peter@korsgaard.com>	2017-02-08 09:12:03 +0100
committer	Peter Korsgaard <peter@korsgaard.com>	2017-02-08 09:46:13 +0100
commit	54a94951231ce624cf6a2e297c806c1677efdeb8 (patch)
tree	907a5e278016f8ecdadfdc6bfa80984a3454a34e /package/bash/bash44-009.patch
parent	a1071d7169e00b805dbcdaec33082ad2365dfd23 (diff)
download	buildroot-54a94951231ce624cf6a2e297c806c1677efdeb8.tar.gz buildroot-54a94951231ce624cf6a2e297c806c1677efdeb8.zip