-
-
Save ChrisRuss/f2eb63686540ed9b00f6 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BASH PATCH REPORT | |
| ================= | |
| Bash-Release: 3.2 | |
| Patch-ID: bash32-053 | |
| Bug-Reported-by: ?? | |
| Bug-Reference-ID: CV-2014-7169 | |
| Bug-Reference-URL: | |
| Bug-Description: | |
| Shellshock V2... | |
| Patch (apply with `patch -p0'): | |
| *** ../bash-3.2.52/parse.y 2008-04-29 21:24:55.000000000 -0400 | |
| +++ parse.y 2014-09-25 17:59:33.488769406 +0200 | |
| @@ -253,9 +253,21 @@ | |
| /* Variables to manage the task of reading here documents, because we need to | |
| defer the reading until after a complete command has been collected. */ | |
| -static REDIRECT *redir_stack[10]; | |
| +static REDIRECT **redir_stack; | |
| int need_here_doc; | |
| +/* Pushes REDIR onto redir_stack, resizing it as needed. */ | |
| +static void | |
| +push_redir_stack (REDIRECT *redir) | |
| +{ | |
| + /* Guard against oveflow. */ | |
| + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) | |
| + abort (); | |
| + redir_stack = xrealloc (redir_stack, | |
| + (need_here_doc + 1) * sizeof (*redir_stack)); | |
| + redir_stack[need_here_doc++] = redir; | |
| +} | |
| + | |
| /* Where shell input comes from. History expansion is performed on each | |
| line when the shell is interactive. */ | |
| static char *shell_input_line = (char *)NULL; | |
| @@ -424,13 +436,13 @@ | |
| { | |
| redir.filename = $2; | |
| $$ = make_redirection (0, r_reading_until, redir); | |
| - redir_stack[need_here_doc++] = $$; | |
| + push_redir_stack ($$); | |
| } | |
| | NUMBER LESS_LESS WORD | |
| { | |
| redir.filename = $3; | |
| $$ = make_redirection ($1, r_reading_until, redir); | |
| - redir_stack[need_here_doc++] = $$; | |
| + push_redir_stack ($$); | |
| } | |
| | LESS_LESS_LESS WORD | |
| { | |
| @@ -487,14 +499,14 @@ | |
| redir.filename = $2; | |
| $$ = make_redirection | |
| (0, r_deblank_reading_until, redir); | |
| - redir_stack[need_here_doc++] = $$; | |
| + push_redir_stack ($$); | |
| } | |
| | NUMBER LESS_LESS_MINUS WORD | |
| { | |
| redir.filename = $3; | |
| $$ = make_redirection | |
| ($1, r_deblank_reading_until, redir); | |
| - redir_stack[need_here_doc++] = $$; | |
| + push_redir_stack ($$); | |
| } | |
| | GREATER_AND '-' | |
| { | |
| @@ -3767,7 +3779,7 @@ | |
| case CASE: | |
| case SELECT: | |
| case FOR: | |
| - if (word_top < MAX_CASE_NEST) | |
| + if (word_top + 1 < MAX_CASE_NEST) | |
| word_top++; | |
| word_lineno[word_top] = line_number; | |
| break; | |
| *** ../bash-3.2.52/parse.y 2008-04-29 21:24:55.000000000 -0400 | |
| --- parse.y 2014-09-25 16:18:41.000000000 -0400 | |
| *************** | |
| *** 2504,2507 **** | |
| --- 2504,2509 ---- | |
| word_desc_to_read = (WORD_DESC *)NULL; | |
| + eol_ungetc_lookahead = 0; | |
| + | |
| last_read_token = '\n'; | |
| token_to_read = '\n'; | |
| *** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006 | |
| --- patchlevel.h Mon Oct 16 14:22:54 2006 | |
| *************** | |
| *** 26,30 **** | |
| looks for to find the patch level (for the sccs version string). */ | |
| ! #define PATCHLEVEL 52 | |
| #endif /* _PATCHLEVEL_H_ */ | |
| --- 26,30 ---- | |
| looks for to find the patch level (for the sccs version string). */ | |
| ! #define PATCHLEVEL 53 | |
| #endif /* _PATCHLEVEL_H_ */ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # inspired by http://askubuntu.com/a/528171 | |
| # prerequisites | |
| sudo apt-get install bison | |
| # get bash 3.2 source | |
| mkdir src && cd src | |
| wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz | |
| tar zxvf bash-3.2.tar.gz | |
| cd bash-3.2 | |
| # get the gpg keyring for verification | |
| wget -nv ftp://ftp.gnu.org/gnu/gnu-keyring.gpg | |
| # download and apply all patches, including the latest one that patches CVE-2014-6271 | |
| for i in $(seq -f "%03g" 1 52); do | |
| wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i | |
| wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i.sig | |
| if gpg --verify --keyring ./gnu-keyring.gpg bash32-$i.sig; then | |
| patch -p0 < bash32-$i | |
| else | |
| echo "patch bash32-${i} has a bad signature!" | |
| exit 1 | |
| fi | |
| done | |
| # Get temporary CV-2014-7169 patch | |
| wget -nv https://gist.github.com/ChrisRuss/f2eb63686540ed9b00f6/raw/e8381b76573ea3dce150860501bd433979564d1e/bash32-053.patch | |
| patch -p0 < bash32-053 | |
| # compile and install to /usr/local/bin/bash | |
| ./configure && make | |
| sudo make install | |
| # point /bin/bash to the new binary | |
| sudo mv /bin/bash /bin/bash.old | |
| sudo ln -s /usr/local/bin/bash /bin/bash | |
| # test by comparing the output of the following | |
| env x='() { :;}; echo vulnerable' /bin/bash.old -c echo | |
| env x='() { :;}; echo vulnerable' bash -c echo | |
| env X='() { (a)=>\' sh -c "echo date"; cat echo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I put together current patches to temp fix bash 3.2 for debian lenny.
Patches combined from:
http://seclists.org/oss-sec/2014/q3/712
(http://seclists.org/oss-sec/2014/q3/att-712/parser-oob-3_2.patch)
and
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
=> See Status => http://alblue.bandlem.com/ => http://alblue.bandlem.com/bash32-053.patch