oss-sec mailing list archives
Fwd: Non-upstream patches for bash
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 25 Sep 2014 23:19:24 +0530
Hi All,Based on the current situation and the fact that there is confusion about what patch to use for the bash issue. I wanted to post this here.
We have found a few more issues (OOB memory access). Also I am posting Florain's patch here which should fix the issue in a more deeper way rather than just apply duct-tape.
Any feed back etc is welcome! -------- Forwarded Message -------- Subject: Non-upstream patches for bash Date: Thu, 25 Sep 2014 19:37:36 +0200 From: Florian Weimer <fweimer () redhat com>To: Huzaifa Sidhpurwala <huzaifas () redhat com>, Joshua Bressers <bressers () redhat com>
Note that if you ship 4.3, you might want to reevaluate a decision to
enable array variable import from the environment.
Internal analysis revealed two out-of-bounds array accesses in the bash
parser. This was also independently and privately reported by Todd
Sabin <tsabin () optonline net>.
The redir_stack issue is this:
$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault (core dumped)
The word_lineno issue is this (only visible with address sanitizer, but
it's probably to come up with something better):
$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in
{1..200} ; do echo done ; done) > test-script.sh $ bash test-script.sh
Both issues are fixed by the parser-oob patches.
I'm also including the function definition affix patch which has already
been posted to oss-security. (variables-affix-3.0.patch has only seen
very light review and testing yet, but it's a fairly straightforward
backport.)
You'll also want Chet's one-liner patch posted to oss-security.
--
Florian Weimer / Red Hat Product Security
Attachment:
parser-oob-4.2.patch
Description:
Attachment:
variables-affix-3.0.patch
Description:
Attachment:
parser-oob-3.2.patch
Description:
Attachment:
variables-affix-4.2.patch
Description:
Current thread:
- Fwd: Non-upstream patches for bash Huzaifa Sidhpurwala (Sep 25)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 25)
- Re: Fwd: Non-upstream patches for bash Huzaifa Sidhpurwala (Sep 25)
- Re: Fwd: Non-upstream patches for bash Michal Zalewski (Sep 25)
- Re: Fwd: Non-upstream patches for bash Chet Ramey (Sep 25)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 26)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 26)
- Re: Fwd: Non-upstream patches for bash Michal Zalewski (Sep 26)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 27)
- Re: Fwd: Non-upstream patches for bash Roman Drahtmueller (Sep 27)
- Re: Fwd: Non-upstream patches for bash Huzaifa Sidhpurwala (Sep 25)
- Re: Fwd: Non-upstream patches for bash Solar Designer (Sep 25)