On 9/26/14, 4:53 AM, Jean-Christian de Rivaz wrote:
> Hello,
>
> While this can seem completely obsolete, I still have machines running bash
> 2.05b (Debian etch). I worry about upgrading to bash 3.x because of some
> backward compatibility issue.
> It there any reason why there was no patch for bash 2.05b ? The test
> command below show that the bug also affect this version:
>
> j$ bash --version
> GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
> Copyright (C) 2002 Free Software Foundation, Inc.
> j$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
Here's one. Two, actually, one for each CVE.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
BASH PATCH REPORT
=================
Bash-Release: 2.05b
Patch-ID: bash205b-008
Bug-Reported-by: Stephane Chazelas <stephane.chaze...@gmail.com>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
Under certain circumstances, bash will execute user code while processing the
environment for exported function definitions.
Patch:
*** ../bash-2.05b.07/builtins/common.h 2002-05-10 12:25:08.000000000 -0400
--- builtins/common.h 2014-09-25 10:18:20.000000000 -0400
***************
*** 33,36 ****
--- 33,38 ----
/* Flags for describe_command, shared between type.def and command.def */
+ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
+ #define SEVAL_ONECMD 0x100 /* only allow a single command */
#define CDESC_ALL 0x001 /* type -a */
#define CDESC_SHORTDESC 0x002 /* command -V */
*** ../bash-2.05b.07/builtins/evalstring.c 2002-04-04 13:38:50.000000000
-0500
--- builtins/evalstring.c 2014-09-25 10:18:20.000000000 -0400
***************
*** 205,208 ****
--- 205,216 ----
struct fd_bitmap *bitmap;
+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+ internal_warning ("%s: ignoring function definition attempt",
from_file);
+ should_jump_to_top_level = 0;
+ last_result = last_command_exit_value = EX_BADUSAGE;
+ break;
+ }
+
bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
begin_unwind_frame ("pe_dispose");
***************
*** 256,259 ****
--- 264,270 ----
dispose_fd_bitmap (bitmap);
discard_unwind_frame ("pe_dispose");
+
+ if (flags & SEVAL_ONECMD)
+ break;
}
}
*** ../bash-2.05b.07/variables.c 2002-06-25 09:43:33.000000000 -0400
--- variables.c 2014-09-25 10:18:20.000000000 -0400
***************
*** 270,279 ****
strcpy (temp_string + char_index + 1, string);
! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
!
! /* Ancient backwards compatibility. Old versions of bash exported
! functions like name()=() {...} */
! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
! name[char_index - 2] = '\0';
if (temp_var = find_function (name))
--- 270,277 ----
strcpy (temp_string + char_index + 1, string);
! /* Don't import function names that are invalid identifiers from the
! environment. */
! if (legal_identifier (name))
! parse_and_execute (temp_string, name,
SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
if (temp_var = find_function (name))
***************
*** 284,291 ****
else
report_error ("error importing function definition for `%s'", name);
-
- /* ( */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
- name[char_index - 2] = '('; /* ) */
}
#if defined (ARRAY_VARS)
--- 282,285 ----
BASH PATCH REPORT
=================
Bash-Release: 2.05b
Patch-ID: bash205b-009
Bug-Reported-by: Tavis Ormandy <tav...@cmpxchg8b.com>
Bug-Reference-ID:
Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929
Bug-Description:
Under certain circumstances, bash can incorrectly save a lookahead character and
return it on a subsequent call, even when reading a new line.
Patch:
*** ../bash-2.05b.08/parse.y 2002-05-21 11:57:30.000000000 -0400
--- parse.y 2014-09-25 16:46:51.000000000 -0400
***************
*** 2356,2359 ****
--- 2356,2361 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
last_read_token = '\n';
token_to_read = '\n';
*** ../bash-2.05b.08/y.tab.c 2002-05-21 11:57:35.000000000 -0400
--- y.tab.c 2014-09-25 16:56:20.000000000 -0400
***************
*** 3877,3880 ****
--- 3877,3882 ----
word_desc_to_read = (WORD_DESC *)NULL;
+ eol_ungetc_lookahead = 0;
+
last_read_token = '\n';
token_to_read = '\n';
