This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
(From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
(From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
(From OE-Core rev: bdfe1e3770aeee9a1a7c65d4834f1a99820d3140)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
(From OE-Core rev: af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch from OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc
by Khem Raj <raj.khem@gmail.com>
(From OE-Core rev: a71680ec6e12c17159336dc34d904cb70155d0d7)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch based on the one from OE-Core master rev
798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.
(From OE-Core rev: 74d45affd5cda2e388d42db3322b4a0d5aff07e8)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
(From OE-Core rev: 1c8f43767c7d78872d38652ea808f30ea825bbef)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
(From OE-Core rev: 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bash: reference acl*.m4 from ${S}.
The build directory had been moved to ${WORKDIR}/build,
so we should reference acl*.m4 from ${S}.
Otherwise, the following configure error will be caught.
| cat: aclocal.m4: No such file or directory
| ERROR: Function failed: do_configure (log file is located at ...)
(From OE-Core rev: b296e7412a45f0c07b4f843784211ef0f66221e6)
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptest support was already added for v4.2 but for the distros
using GPLv2 version of bash (3.2.48) this update is required.
(From OE-Core rev: d054da760deda0c965619372209b50f8db964e1c)
Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bash Makefile defines a dependency on itself and tries to run configure,
causing error messages when running ptest on target:
make: *** No rule to make target `configure.in', needed by `configure'.
make: *** No rule to make target `aclocal.m4', needed by `configure'.
make: *** No rule to make target `config.h.in', needed by `configure'.
make: *** No rule to make target `Makefile.in', needed by `Makefile'.
make: Failed to remake makefile `Makefile'.
This patch edits out this dependency in the Makefile installed for ptest,
to get rid of these messages.
(From OE-Core rev: b5fe8c9ff330105337b003be0de2f970545d13ef)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On hosts with FORTIFY_SOURCES, stringize support is required, as it's used by
the macros to wrap functions (e.g. read and open in unistd.h). Those wrappers
use the STRING() macro from unistd.h. A header in the bash sources overrides
the unistd.h macro to 'x' when HAVE_STRINGIZE is not defined, causing the
wrappers to generate calls to 'xread' and 'xopen', which do not exist,
resulting in a failure to link.
Assume we have stringize support when cross-compiling, which works around the
issue.
It may be best for upstream to either give up on supporting compilers without
stringize support, or to not define STRING() at all when FORTIFY_SOURCES is
defined, letting the unistd.h one be used, instead.
(From OE-Core rev: f7a25dd72d1d463eb72d48c6f9dd968d376496c0)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bash-3.2.48 did not provide the linking from sh to bash, making it unusable.
Moving the license part out of the bash.inc file, and into bash_4.2.bb file makes
us able to use that file also for bash_3.2.48.bb, which makes maintaining both
at the same time a lot easier.
(From OE-Core rev: e7b82cb4d107bfbfa5c939d406dd6ce6615b24e1)
Signed-off-by: Martin Ertsaas <mertsas@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As discussed on the mailing lists, using a suffix to package names is
hard and has lead to many recipes having to do PKGSUFFIX games. Its
looking extremely hard to scale nativesdk much further without hacking
many recipes.
By comparison, using a prefix like multilib does works much better and
doesn't involve "hacking" as many recipes. This change converts nativesdk
to use a prefix using the existing multilib infrastructure.
(From OE-Core rev: 81813c0e322dc04ce4b069117188d8a54dfddb8c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Change the installation process so we have bashbug in ${bindir} and
bash at ${base_bindir}.
(From OE-Core rev: f2dc23cf886de95040080c4398a3320c211b65fa)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The packaging changes to ncurses could break package feeds,
so bump the PR on everythong that DEPENDS on ncurses.
(From OE-Core rev: be92256917c157284ef8370bb93bbf443849b2e1)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is f0652d96ff5c3b08b8e4c4972f7fb0296df6d898 from OE.
(From OE-Core rev: 897f11e4ecf3acaa9d4695d3be0e9beb38322d9d)
Signed-off-by: Tom Rini <tom_rini@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A number of the recipes did not properly label their pre and post
actions, causing the actions to occur in all split packages. This
was corrected by defaulting to _${PN} in most cases.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
though bash is included in LSB profile, it doesn't use update-alternative
to take effect and thus it's still busybox behaving as /bin/sh.
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.
The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.
Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
Catalin Popeanga
Paul Eggleton
Khem Raj
Ross Burton
Bian Naimeng
Muhammad Shakeel
Björn Stenberg
Saul Wold
Christopher Larson
Martin Ertsaas
Richard Purdie
Otavio Salvador
Scott Garman
Jingdong Lu
Tom Rini
Mark Hatle
Kevin Tian
Richard Purdie
Qing He