oss-sec mailing list archives
Fwd: Non-upstream patches for bash
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 25 Sep 2014 23:19:24 +0530
Hi All,

Based on the current situation and the fact that there is confusion about what patch to use for the bash issue, I wanted to post this here.

We have found a few more issues (OOB memory access). Also, I am posting Florian's patch here, which should fix the issue in a deeper way rather than just apply duct-tape.

Any feedback etc. is welcome!

-------- Forwarded Message --------
Subject: Non-upstream patches for bash
Date: Thu, 25 Sep 2014 19:37:36 +0200
From: Florian Weimer <fweimer () redhat com>
To: Huzaifa Sidhpurwala <huzaifas () redhat com>, Joshua Bressers <bressers () redhat com>
Note that if you ship 4.3, you might want to reevaluate a decision to enable array variable import from the environment.

Internal analysis revealed two out-of-bounds array accesses in the bash parser. This was also independently and privately reported by Todd Sabin <tsabin () optonline net>.

The redir_stack issue is this:

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault (core dumped)

The word_lineno issue is this (only visible with address sanitizer, but it's probably to come up with something better):

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
$ bash test-script.sh

Both issues are fixed by the parser-oob patches.

I'm also including the function definition affix patch which has already been posted to oss-security. (variables-affix-3.0.patch has only seen very light review and testing yet, but it's a fairly straightforward backport.)

You'll also want Chet's one-liner patch posted to oss-security.

-- Florian Weimer / Red Hat Product Security
Attachment: parser-oob-4.2.patch
Attachment: variables-affix-3.0.patch
Attachment: parser-oob-3.2.patch
Attachment: variables-affix-4.2.patch
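
A regression check built from the two reproducers quoted in the message above, as an added example that is not part of the original post or of the attached patches. BASH_UNDER_TEST and the function names are assumptions made for this sketch; it only reports whether the tested binary was killed by a signal.

```shell
#!/bin/sh
# Added example: runs the two parser reproducers from the message against a
# bash binary. BASH_UNDER_TEST (assumed name) selects the binary to test.

# Statuses above 128 mean the child was killed by a signal (139 = SIGSEGV).
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "crashed (signal $(( $1 - 128 )))"
    else
        echo "no crash (exit $1)"
    fi
}

# redir_stack case: one command carrying 14 here-documents, as quoted above.
heredoc_command() {
    cmd='true'
    i=0
    while [ "$i" -lt 14 ]; do cmd="$cmd <<EOF"; i=$(( i + 1 )); done
    printf '%s\n' "$cmd"
}

# word_lineno case: 200 nested for loops, generated without brace
# expansion so the generator itself also runs under plain sh.
nested_for_script() {
    i=1
    while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$(( i + 1 )); done
    i=1
    while [ "$i" -le 200 ]; do echo done; i=$(( i + 1 )); done
}

check_bash() {
    bin=$1
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not found"; return 0; }
    tmp=$(mktemp) || return 1
    nested_for_script > "$tmp"
    "$bin" -c "$(heredoc_command)" >/dev/null 2>&1
    st=$?
    echo "redir_stack: $(classify_status "$st")"
    # The message says this one is only visible with address sanitizer, so
    # "no crash" from an ordinary build does not clear the issue.
    "$bin" "$tmp" >/dev/null 2>&1
    st=$?
    echo "word_lineno: $(classify_status "$st")"
    rm -f "$tmp"
}

check_bash "${BASH_UNDER_TEST:-bash}"
```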