1 |
BASH PATCH REPORT |
2 |
================= |
3 |
|
4 |
Bash-Release: 4.2 |
5 |
Patch-ID: bash42-053 |
6 |
|
7 |
Bug-Reported-by: Michal Zalewski <lcamtuf@coredump.cx> |
8 |
Bug-Reference-ID: |
9 |
Bug-Reference-URL: |
10 |
|
11 |
Bug-Description: |
12 |
|
13 |
A combination of nested command substitutions and function importing from |
14 |
the environment can cause bash to execute code appearing in the environment |
15 |
variable value following the function definition. |
16 |
|
17 |
Patch (apply with `patch -p0'): |
18 |
|
19 |
*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400 |
20 |
--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400 |
21 |
*************** |
22 |
*** 262,271 **** |
23 |
struct fd_bitmap *bitmap; |
24 |
|
25 |
! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) |
26 |
{ |
27 |
! internal_warning ("%s: ignoring function definition attempt", from_file); |
28 |
! should_jump_to_top_level = 0; |
29 |
! last_result = last_command_exit_value = EX_BADUSAGE; |
30 |
! break; |
31 |
} |
32 |
|
33 |
--- 262,284 ---- |
34 |
struct fd_bitmap *bitmap; |
35 |
|
36 |
! if (flags & SEVAL_FUNCDEF) |
37 |
{ |
38 |
! char *x; |
39 |
! |
40 |
! /* If the command parses to something other than a straight |
41 |
! function definition, or if we have not consumed the entire |
42 |
! string, or if the parser has transformed the function |
43 |
! name (as parsing will if it begins or ends with shell |
44 |
! whitespace, for example), reject the attempt */ |
45 |
! if (command->type != cm_function_def || |
46 |
! ((x = parser_remaining_input ()) && *x) || |
47 |
! (STREQ (from_file, command->value.Function_def->name->word) == 0)) |
48 |
! { |
49 |
! internal_warning (_("%s: ignoring function definition attempt"), from_file); |
50 |
! should_jump_to_top_level = 0; |
51 |
! last_result = last_command_exit_value = EX_BADUSAGE; |
52 |
! reset_parser (); |
53 |
! break; |
54 |
! } |
55 |
} |
56 |
|
57 |
*************** |
58 |
*** 332,336 **** |
59 |
|
60 |
if (flags & SEVAL_ONECMD) |
61 |
! break; |
62 |
} |
63 |
} |
64 |
--- 345,352 ---- |
65 |
|
66 |
if (flags & SEVAL_ONECMD) |
67 |
! { |
68 |
! reset_parser (); |
69 |
! break; |
70 |
! } |
71 |
} |
72 |
} |
73 |
*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400 |
74 |
--- parse.y 2014-10-04 15:00:26.000000000 -0400 |
75 |
*************** |
76 |
*** 2436,2439 **** |
77 |
--- 2436,2449 ---- |
78 |
} |
79 |
|
80 |
+ char * |
81 |
+ parser_remaining_input () |
82 |
+ { |
83 |
+ if (shell_input_line == 0) |
84 |
+ return 0; |
85 |
+ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len) |
86 |
+ return '\0'; /* XXX */ |
87 |
+ return (shell_input_line + shell_input_line_index); |
88 |
+ } |
89 |
+ |
90 |
#ifdef INCLUDE_UNUSED |
91 |
/* Back the input pointer up by one, effectively `ungetting' a character. */ |
92 |
*************** |
93 |
*** 3891,3896 **** |
94 |
/* reset_parser clears shell_input_line and associated variables */ |
95 |
restore_input_line_state (&ls); |
96 |
! if (interactive) |
97 |
! token_to_read = 0; |
98 |
|
99 |
/* Need to find how many characters parse_and_execute consumed, update |
100 |
--- 3901,3906 ---- |
101 |
/* reset_parser clears shell_input_line and associated variables */ |
102 |
restore_input_line_state (&ls); |
103 |
! |
104 |
! token_to_read = 0; |
105 |
|
106 |
/* Need to find how many characters parse_and_execute consumed, update |
107 |
*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500 |
108 |
--- shell.h 2014-10-04 15:00:26.000000000 -0400 |
109 |
*************** |
110 |
*** 178,181 **** |
111 |
--- 178,183 ---- |
112 |
|
113 |
/* Let's try declaring these here. */ |
114 |
+ extern char *parser_remaining_input __P((void)); |
115 |
+ |
116 |
extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *)); |
117 |
extern void restore_parser_state __P((sh_parser_state_t *)); |
118 |
*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 |
119 |
--- patchlevel.h Thu Feb 24 21:41:34 2011 |
120 |
*************** |
121 |
*** 26,30 **** |
122 |
looks for to find the patch level (for the sccs version string). */ |
123 |
|
124 |
! #define PATCHLEVEL 52 |
125 |
|
126 |
#endif /* _PATCHLEVEL_H_ */ |
127 |
--- 26,30 ---- |
128 |
looks for to find the patch level (for the sccs version string). */ |
129 |
|
130 |
! #define PATCHLEVEL 53 |
131 |
|
132 |
#endif /* _PATCHLEVEL_H_ */ |