Date: Thu, 25 Sep 2014 23:19:24 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: Non-upstream patches for bash

Hi All,

Based on the current situation and the fact that there is confusion about what patch to use for the bash issue, I wanted to post this here.

We have found a few more issues (OOB memory access). Also I am posting Florian's patch here which should fix the issue in a deeper way rather than just apply duct-tape.

Any feedback etc is welcome!

-------- Forwarded Message --------
Subject: Non-upstream patches for bash
Date: Thu, 25 Sep 2014 19:37:36 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Huzaifa Sidhpurwala <huzaifas@...hat.com>, Joshua Bressers <bressers@...hat.com>

Note that if you ship 4.3, you might want to reevaluate a decision to enable array variable import from the environment.

Internal analysis revealed two out-of-bounds array accesses in the bash parser. This was also independently and privately reported by Todd Sabin <tsabin@...online.net>.

The redir_stack issue is this:

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault (core dumped)

The word_lineno issue is this (only visible with address sanitizer, but it's probably to come up with something better):

$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
$ bash test-script.sh

Both issues are fixed by the parser-oob patches. I'm also including the function definition affix patch which has already been posted to oss-security. (variables-affix-3.0.patch has only seen very light review and testing yet, but it's a fairly straightforward backport.) You'll also want Chet's one-liner patch posted to oss-security.

-- 
Florian Weimer / Red Hat Product Security

View attachment "parser-oob-4.2.patch" of type "text/x-patch" (2567 bytes)
View attachment "variables-affix-3.0.patch" of type "text/x-patch" (5416 bytes)
View attachment "parser-oob-3.2.patch" of type "text/x-patch" (1980 bytes)
View attachment "variables-affix-4.2.patch" of type "text/x-patch" (5114 bytes)
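
The redir_stack reproducer from the forwarded message, wrapped as a local regression check. This is an added example, not part of the original message or of the attached patches; the function names and the script name in the usage line are this example's own.

```sh
#!/bin/sh
# Added example (not from the original message): run the redir_stack
# reproducer quoted above against a local bash and report whether the
# parser crashed. Function names are this example's own.

# Build the probe command: "true" followed by N here-document
# redirections with no bodies. The message's reproducer uses N=14.
heredoc_probe() {
    count=$1
    probe='true'
    i=0
    while [ "$i" -lt "$count" ]; do
        probe="$probe <<EOF"
        i=$((i + 1))
    done
    printf '%s\n' "$probe"
}

# Map a child exit status to a verdict. A status above 128 means the
# child was killed by a signal (139 = 128 + SIGSEGV), which is how the
# out-of-bounds access shows up in the message's transcript.
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "crashed (signal $(($1 - 128)))"
    else
        echo "no crash"
    fi
}

# Run the probe in a child process so a crash cannot take down the caller.
check_bash() {
    bin=$1
    status=0
    "$bin" -c "$(heredoc_probe 14)" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Usage: sh check-heredoc.sh /path/to/bash
if [ "$#" -gt 0 ]; then
    check_bash "$1"
fi
```

A "no crash" verdict only means this one input did not kill the parser; an out-of-bounds access does not always fault, and the word_lineno case is, per the message, only visible under address sanitizer.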