Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 385460 Details for
Bug 523742
<app-shells/bash-{3.1_p21, 3.2_p55, 4.0_p42, 4.1_p15, 4.2_p51}: Two out-of-bounds array accesses in the bash parser (CVE-2014-{7186,7187})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
variables-affix.patch
variables-affix.patch (text/plain), 4.99 KB, created by
kfm
on 2014-09-25 22:39:27 UTC
(
hide
)
Description:
variables-affix.patch
Filename:
MIME Type:
Creator:
kfm
Created:
2014-09-25 22:39:27 UTC
Size:
4.99 KB
patch
obsolete
>--- a/bash/variables.c 2014-09-25 13:07:59.313209541 +0200 >+++ b/bash/variables.c 2014-09-25 13:15:29.869420719 +0200 >@@ -268,7 +268,7 @@ > static void propagate_temp_var __P((PTR_T)); > static void dispose_temporary_env __P((sh_free_func_t *)); > >-static inline char *mk_env_string __P((const char *, const char *)); >+static inline char *mk_env_string __P((const char *, const char *, int)); > static char **make_env_array_from_var_list __P((SHELL_VAR **)); > static char **make_var_export_array __P((VAR_CONTEXT *)); > static char **make_func_export_array __P((void)); >@@ -301,6 +301,14 @@ > #endif > } > >+/* Prefix and suffix for environment variable names which contain >+ shell functions. */ >+#define FUNCDEF_PREFIX "BASH_FUNC_" >+#define FUNCDEF_PREFIX_LEN (strlen (FUNCDEF_PREFIX)) >+#define FUNCDEF_SUFFIX "()" >+#define FUNCDEF_SUFFIX_LEN (strlen (FUNCDEF_SUFFIX)) >+ >+ > /* Initialize the shell variables from the current environment. > If PRIVMODE is nonzero, don't import functions from ENV or > parse $SHELLOPTS. */ >@@ -338,27 +346,39 @@ > > /* If exported function, define it now. Don't import functions from > the environment in privileged mode. */ >- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) >- { >- string_length = strlen (string); >- temp_string = (char *)xmalloc (3 + string_length + char_index); >+ if (privmode == 0 && read_but_dont_execute == 0 >+ && STREQN (FUNCDEF_PREFIX, name, FUNCDEF_PREFIX_LEN) >+ && STREQ (name + char_index - FUNCDEF_SUFFIX_LEN, FUNCDEF_SUFFIX) >+ && STREQN ("() {", string, 4)) >+ { >+ size_t name_length >+ = char_index - (FUNCDEF_PREFIX_LEN + FUNCDEF_SUFFIX_LEN); >+ char *temp_name = name + FUNCDEF_PREFIX_LEN; >+ /* Temporarily remove the suffix. */ >+ temp_name[name_length] = '\0'; > >- strcpy (temp_string, name); >- temp_string[char_index] = ' '; >- strcpy (temp_string + char_index + 1, string); >+ string_length = strlen (string); >+ temp_string = (char *)xmalloc (name_length + 1 + string_length + 1); >+ memcpy (temp_string, temp_name, name_length); >+ temp_string[name_length] = ' '; >+ memcpy (temp_string + name_length + 1, string, string_length + 1); > > /* Don't import function names that are invalid identifiers from the > environment. */ >- if (legal_identifier (name)) >- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); >+ if (legal_identifier (temp_name)) >+ parse_and_execute (temp_string, temp_name, >+ SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); > >- if (temp_var = find_function (name)) >+ if (temp_var = find_function (temp_name)) > { > VSETATTR (temp_var, (att_exported|att_imported)); > array_needs_making = 1; > } > else > report_error (_("error importing function definition for `%s'"), name); >+ >+ /* Restore the original suffix. */ >+ temp_name[name_length] = FUNCDEF_SUFFIX[0]; > } > #if defined (ARRAY_VARS) > # if 0 >@@ -2537,7 +2557,7 @@ > var->context = variable_context; /* XXX */ > > INVALIDATE_EXPORTSTR (var); >- var->exportstr = mk_env_string (name, value); >+ var->exportstr = mk_env_string (name, value, 0); > > array_needs_making = 1; > >@@ -3388,22 +3408,43 @@ > /* */ > /* **************************************************************** */ > >+/* Returns the string NAME=VALUE if !FUNCTIONP or if VALUE == NULL (in >+ which case it is treated as empty). Otherwise, decorate NAME with >+ FUNCDEF_PREFIX and FUNCDEF_SUFFIX, and return a string of the form >+ FUNCDEF_PREFIX NAME FUNCDEF_SUFFIX = VALUE (without spaces). */ > static inline char * >-mk_env_string (name, value) >+mk_env_string (name, value, functionp) > const char *name, *value; >+ int functionp; > { >- int name_len, value_len; >- char *p; >+ size_t name_len, value_len; >+ char *p, *q; > > name_len = strlen (name); > value_len = STRLEN (value); >- p = (char *)xmalloc (2 + name_len + value_len); >- strcpy (p, name); >- p[name_len] = '='; >+ if (functionp && value != NULL) >+ { >+ p = (char *)xmalloc (FUNCDEF_PREFIX_LEN + name_len + FUNCDEF_SUFFIX_LEN >+ + 1 + value_len + 1); >+ q = p; >+ memcpy (q, FUNCDEF_PREFIX, FUNCDEF_PREFIX_LEN); >+ q += FUNCDEF_PREFIX_LEN; >+ memcpy (q, name, name_len); >+ q += name_len; >+ memcpy (q, FUNCDEF_SUFFIX, FUNCDEF_SUFFIX_LEN); >+ q += FUNCDEF_SUFFIX_LEN; >+ } >+ else >+ { >+ p = (char *)xmalloc (name_len + 1 + value_len + 1); >+ memcpy (p, name, name_len); >+ q = p + name_len; >+ } >+ q[0] = '='; > if (value && *value) >- strcpy (p + name_len + 1, value); >+ memcpy (q + 1, value, value_len + 1); > else >- p[name_len + 1] = '\0'; >+ q[1] = '\0'; > return (p); > } > >@@ -3489,7 +3530,7 @@ > /* Gee, I'd like to get away with not using savestring() if we're > using the cached exportstr... */ > list[list_index] = USE_EXPORTSTR ? savestring (value) >- : mk_env_string (var->name, value); >+ : mk_env_string (var->name, value, function_p (var)); > > if (USE_EXPORTSTR == 0) > SAVE_EXPORTSTR (var, list[list_index]); >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=385460">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 523742
: 385460 |
385462
