If security_flags.inc is included then bash 3.2.48 fails to build:
| ../bash-3.2.48/print_cmd.c:1152:3: error: format not a string literal and no format arguments [-Werror=format-security]
| cprintf (indentation_string);
Backport a patch from upstream to solve this.
(From OE-Core rev: 293d90d757d0d1e292c90cb0e9c576faf911ffcc)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Building the host tool 'mkbuiltins' will fail if the target CFLAGS
contains an option which isn't supported by the host's gcc. To prevent
the issue, define LDFLAGS_FOR_BUILD based on CFLAGS_FOR_BUILD instead
of CFLAGS.
(From OE-Core rev: 7a8ec63f38f7a387e01343fbb971b75a66e0f851)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We upgrade bash_4.3 to patch revision 29, and bash_3.2.48 to 56.
There are numerous community bug fixes included with this set, but the key
items are:
bash32-052 CVE-2014-6271 9/24/2014
bash32-053 CVE-2014-7169 9/26/2014
bash32-054 exported function namespace change 9/27/2014
bash32-055 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash32-056 CVE-2014-6277 10/2/2014
bash43-025 CVE-2014-6271 9/24/2014
bash43-026 CVE-2014-7169 9/26/2014
bash43-027 exported function namespace change 9/27/2014
bash43-028 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash43-029 CVE-2014-6277 10/2/2014
(From OE-Core rev: 43deeff0c6b0ea7729d3e5f1887dfd1647dea1da)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptest support was already added for v4.2 but for the distros
using GPLv2 version of bash (3.2.48) this update is required.
(From OE-Core rev: d054da760deda0c965619372209b50f8db964e1c)
Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>