| 1 |
BASH PATCH REPORT |
| 2 |
================= |
| 3 |
|
| 4 |
Bash-Release: 4.2 |
| 5 |
Patch-ID: bash42-053 |
| 6 |
|
| 7 |
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx> |
| 8 |
Bug-Reference-ID: |
| 9 |
Bug-Reference-URL: |
| 10 |
|
| 11 |
Bug-Description: |
| 12 |
|
| 13 |
A combination of nested command substitutions and function importing from |
| 14 |
the environment can cause bash to execute code appearing in the environment |
| 15 |
variable value following the function definition. |
| 16 |
|
| 17 |
Patch (apply with `patch -p0'): |
| 18 |
|
| 19 |
*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 |
| 20 |
--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400 |
| 21 |
*************** |
| 22 |
*** 262,271 **** |
| 23 |
struct fd_bitmap *bitmap; |
| 24 |
|
| 25 |
! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) |
| 26 |
{ |
| 27 |
! internal_warning ("%s: ignoring function definition attempt", from_file); |
| 28 |
! should_jump_to_top_level = 0; |
| 29 |
! last_result = last_command_exit_value = EX_BADUSAGE; |
| 30 |
! break; |
| 31 |
} |
| 32 |
|
| 33 |
--- 262,284 ---- |
| 34 |
struct fd_bitmap *bitmap; |
| 35 |
|
| 36 |
! if (flags & SEVAL_FUNCDEF) |
| 37 |
{ |
| 38 |
! char *x; |
| 39 |
! |
| 40 |
! /* If the command parses to something other than a straight |
| 41 |
! function definition, or if we have not consumed the entire |
| 42 |
! string, or if the parser has transformed the function |
| 43 |
! name (as parsing will if it begins or ends with shell |
| 44 |
! whitespace, for example), reject the attempt */ |
| 45 |
! if (command->type != cm_function_def || |
| 46 |
! ((x = parser_remaining_input ()) && *x) || |
| 47 |
! (STREQ (from_file, command->value.Function_def->name->word) == 0)) |
| 48 |
! { |
| 49 |
! internal_warning (_("%s: ignoring function definition attempt"), from_file); |
| 50 |
! should_jump_to_top_level = 0; |
| 51 |
! last_result = last_command_exit_value = EX_BADUSAGE; |
| 52 |
! reset_parser (); |
| 53 |
! break; |
| 54 |
! } |
| 55 |
} |
| 56 |
|
| 57 |
*************** |
| 58 |
*** 332,336 **** |
| 59 |
|
| 60 |
if (flags & SEVAL_ONECMD) |
| 61 |
! break; |
| 62 |
} |
| 63 |
} |
| 64 |
--- 345,352 ---- |
| 65 |
|
| 66 |
if (flags & SEVAL_ONECMD) |
| 67 |
! { |
| 68 |
! reset_parser (); |
| 69 |
! break; |
| 70 |
! } |
| 71 |
} |
| 72 |
} |
| 73 |
*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400 |
| 74 |
--- parse.y 2014-10-04 15:00:26.000000000 -0400 |
| 75 |
*************** |
| 76 |
*** 2436,2439 **** |
| 77 |
--- 2436,2449 ---- |
| 78 |
} |
| 79 |
|
| 80 |
+ char * |
| 81 |
+ parser_remaining_input () |
| 82 |
+ { |
| 83 |
+ if (shell_input_line == 0) |
| 84 |
+ return 0; |
| 85 |
+ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) |
| 86 |
+ return '\0'; /* XXX */ |
| 87 |
+ return (shell_input_line + shell_input_line_index); |
| 88 |
+ } |
| 89 |
+ |
| 90 |
#ifdef INCLUDE_UNUSED |
| 91 |
/* Back the input pointer up by one, effectively `ungetting' a character. */ |
| 92 |
*************** |
| 93 |
*** 3891,3896 **** |
| 94 |
/* reset_parser clears shell_input_line and associated variables */ |
| 95 |
restore_input_line_state (&ls); |
| 96 |
! if (interactive) |
| 97 |
! token_to_read = 0; |
| 98 |
|
| 99 |
/* Need to find how many characters parse_and_execute consumed, update |
| 100 |
--- 3901,3906 ---- |
| 101 |
/* reset_parser clears shell_input_line and associated variables */ |
| 102 |
restore_input_line_state (&ls); |
| 103 |
! |
| 104 |
! token_to_read = 0; |
| 105 |
|
| 106 |
/* Need to find how many characters parse_and_execute consumed, update |
| 107 |
*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500 |
| 108 |
--- shell.h 2014-10-04 15:00:26.000000000 -0400 |
| 109 |
*************** |
| 110 |
*** 178,181 **** |
| 111 |
--- 178,183 ---- |
| 112 |
|
| 113 |
/* Let's try declaring these here. */ |
| 114 |
+ extern char *parser_remaining_input __P((void)); |
| 115 |
+ |
| 116 |
extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); |
| 117 |
extern void restore_parser_state __P((sh_parser_state_t *)); |
| 118 |
*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 |
| 119 |
--- patchlevel.h Thu Feb 24 21:41:34 2011 |
| 120 |
*************** |
| 121 |
*** 26,30 **** |
| 122 |
looks for to find the patch level (for the sccs version string). */ |
| 123 |
|
| 124 |
! #define PATCHLEVEL 52 |
| 125 |
|
| 126 |
#endif /* _PATCHLEVEL_H_ */ |
| 127 |
--- 26,30 ---- |
| 128 |
looks for to find the patch level (for the sccs version string). */ |
| 129 |
|
| 130 |
! #define PATCHLEVEL 53 |
| 131 |
|
| 132 |
#endif /* _PATCHLEVEL_H_ */ |
Parent Directory
| 
Revision Log