bash: fix CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/ bash44-006> to solve CVE-2016-9401. (From OE-Core rev: 6987b317d5ce8dc50a37ebba395aa8424bec358c) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
70907e352e
commit
1b2857a781
|
@ -0,0 +1,50 @@
|
|||
From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001
|
||||
From: Chet Ramey <chet.ramey@case.edu>
|
||||
Date: Fri, 20 Jan 2017 11:47:31 -0500
|
||||
Subject: [PATCH] Bash-4.4 patch 6
|
||||
|
||||
Bug-Reference-URL:
|
||||
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
|
||||
|
||||
Reference to upstream patch:
|
||||
https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006
|
||||
|
||||
Bug-Description:
|
||||
Out-of-range negative offsets to popd can cause the shell to crash attempting
|
||||
to free an invalid memory block.
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2016-9401
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
builtins/pushd.def | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/builtins/pushd.def b/builtins/pushd.def
|
||||
index 9c6548f..8a13bae 100644
|
||||
--- a/builtins/pushd.def
|
||||
+++ b/builtins/pushd.def
|
||||
@@ -359,7 +359,7 @@ popd_builtin (list)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
|
||||
+ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
|
||||
{
|
||||
pushd_error (directory_list_offset, which_word ? which_word : "");
|
||||
return (EXECUTION_FAILURE);
|
||||
@@ -381,6 +381,11 @@ popd_builtin (list)
|
||||
remove that directory from the list and shift the remainder
|
||||
of the list into place. */
|
||||
i = (direction == '+') ? directory_list_offset - which : which;
|
||||
+ if (i < 0 || i > directory_list_offset)
|
||||
+ {
|
||||
+ pushd_error (directory_list_offset, which_word ? which_word : "");
|
||||
+ return (EXECUTION_FAILURE);
|
||||
+ }
|
||||
free (pushd_directory_list[i]);
|
||||
directory_list_offset--;
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
|
@ -30,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
|
|||
file://fix-run-builtins.patch \
|
||||
file://0001-help-fix-printf-format-security-warning.patch \
|
||||
file://fix-run-intl.patch \
|
||||
file://CVE-2016-9401.patch \
|
||||
"
|
||||
|
||||
SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"
|
||||
|
|
Loading…
Reference in New Issue