Specially crafted SHELLOPTS+PS4 variables allow command substitution

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7543
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> --- .../recipes-extended/bash/bash/CVE-2016-7543.patch | 38 ++++++++++++++++++++++ meta/recipes-extended/bash/bash_4.3.30.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-extended/bash/bash/CVE-2016-7543.patch diff --git a/meta/recipes-extended/bash/bash/CVE-2016-7543.patch b/meta/recipes-extended/bash/bash/CVE-2016-7543.patch new file mode 100644 index 0000000..7c9a9c6 --- /dev/null +++ b/meta/recipes-extended/bash/bash/CVE-2016-7543.patch @@ -0,0 +1,38 @@ +bash: fix CVE-2016-7543 + +Bug-Reference-URL: +http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html + +Bug-Description: + +If a malicious user can inject a value of $SHELLOPTS containing `xtrace' +and a value for $PS4 that includes a command substitution into a shell +running as root, bash will expand the command substitution as part of +expanding $PS4 when it executes a traced command. + +Patch (apply with `patch -p0'): + +CVE: CVE-2016-7543 +Upstream-Status: Backport +[changes in patchlevel.h has been removed from original patch] + +Reference to upstream patch: +http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html + +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> +diff -Nurp a/variables.c b/variables.c +--- a/variables.c 2016-12-05 09:49:39.552587211 +0100 ++++ b/variables.c 2016-12-05 09:52:00.406522230 +0100 +@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod + #endif + set_if_not ("PS2", secondary_prompt); + } +- set_if_not ("PS4", "+ "); ++ ++ if (current_user.euid == 0) ++ bind_variable ("PS4", "+ ", 0); ++ else ++ set_if_not ("PS4", "+ "); + + /* Don't allow IFS to be imported from the environment. */ + temp_var = bind_variable ("IFS", " \t\n", 0); diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb index fcd6caf..fdad39b 100644 --- a/meta/recipes-extended/bash/bash_4.3.30.bb +++ b/meta/recipes-extended/bash/bash_4.3.30.bb 
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ file://run-ptest \ file://fix-run-builtins.patch \ file://CVE-2016-0634.patch;striplevel=0 \ + file://CVE-2016-7543.patch \ " SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447" -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
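Review bot: in the variables.c hunk the new `if (current_user.euid == 0) bind_variable ("PS4", "+ ", 0);` branch unconditionally resets PS4 for a root shell, so a root user who legitimately exports a custom PS4 will now see it silently replaced with "+ "; that behaviour change deserves a sentence in the patch header (next to "[changes in patchlevel.h has been removed from original patch]", where "has" should read "have"). The header also still says "Patch (apply with `patch -p0')" although the hunk uses `--- a/variables.c` / `+++ b/variables.c` prefixes, which need a strip level of 1; please drop or correct that line so nobody applies it by hand with -p0. Note too that the non-root path keeps `set_if_not ("PS4", "+ ")` and nothing in the hunk touches the import of SHELLOPTS itself, which matches the Bug-Description's scoping to a shell running as root but is worth stating explicitly.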
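Review bot: the new `file://CVE-2016-7543.patch \` entry in bash_4.3.30.bb omits `;striplevel=0` while the entry directly above it, `file://CVE-2016-0634.patch;striplevel=0 \`, sets it. That is correct for this patch, since its embedded diff carries `a/` and `b/` prefixes and so wants the default strip level of 1, but given the two adjacent CVE patches differ, a short comment in the recipe (or simply removing the contradictory "apply with `patch -p0'" line from the patch header) would save the next maintainer from guessing which one is wrong.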