File: CVE-2014-6271.diff

package info (click to toggle)
bash 4.2%2Bdfsg-0.1%2Bdeb7u3
  • links: PTS, VCS
  • area: main
  • in suites: wheezy
  • size: 3,308 kB
  • sloc: ansic: 452; sh: 418; makefile: 385
file content (71 lines) | stat: -rw-r--r-- 2,598 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
diff -ur a/bash/builtins/common.h b/bash/builtins/common.h
--- a/bash/builtins/common.h	2010-05-31 00:31:51.000000000 +0200
+++ b/bash/builtins/common.h	2014-09-22 17:36:02.234989886 +0200
@@ -35,6 +35,8 @@
 #define SEVAL_NOLONGJMP 0x040
 
 /* Flags for describe_command, shared between type.def and command.def */
+#define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
+#define SEVAL_ONECMD	0x100		/* only allow a single command */
 #define CDESC_ALL		0x001	/* type -a */
 #define CDESC_SHORTDESC		0x002	/* command -V */
 #define CDESC_REUSABLE		0x004	/* command -v */
diff -ur a/bash/builtins/evalstring.c b/bash/builtins/evalstring.c
--- a/bash/builtins/evalstring.c	2010-11-23 14:22:15.000000000 +0100
+++ b/bash/builtins/evalstring.c	2014-09-22 17:36:02.234989886 +0200
@@ -261,6 +261,14 @@
 	    {
 	      struct fd_bitmap *bitmap;
 
+	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+		{
+		  internal_warning ("%s: ignoring function definition attempt", from_file);
+		  should_jump_to_top_level = 0;
+		  last_result = last_command_exit_value = EX_BADUSAGE;
+		  break;
+		}
+
 	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
 	      begin_unwind_frame ("pe_dispose");
 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
@@ -321,6 +329,9 @@
 	      dispose_command (command);
 	      dispose_fd_bitmap (bitmap);
 	      discard_unwind_frame ("pe_dispose");
+
+	      if (flags & SEVAL_ONECMD)
+		break;
 	    }
 	}
       else
diff -ur a/bash/variables.c b/bash/variables.c
--- a/bash/variables.c	2011-01-25 02:07:48.000000000 +0100
+++ b/bash/variables.c	2014-09-22 17:36:02.238989968 +0200
@@ -347,12 +347,10 @@
 	  temp_string[char_index] = ' ';
 	  strcpy (temp_string + char_index + 1, string);
 
-	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-
-	  /* Ancient backwards compatibility.  Old versions of bash exported
-	     functions like name()=() {...} */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-	    name[char_index - 2] = '\0';
+	  /* Don't import function names that are invalid identifiers from the
+	     environment. */
+	  if (legal_identifier (name))
+	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
 	  if (temp_var = find_function (name))
 	    {
@@ -361,10 +359,6 @@
 	    }
 	  else
 	    report_error (_("error importing function definition for `%s'"), name);
-
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
 	}
 #if defined (ARRAY_VARS)
 #  if 0