Bash-4.3 Official Patch 47

2016-10-04 Thread Chet Ramey
 BASH PATCH REPORT
 =

Bash-Release:   4.3
Patch-ID:   bash43-047

Bug-Reported-by:Bernd Dietzel
Bug-Reference-ID:
Bug-Reference-URL:  
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Bug-Description:

Bash performs word expansions on the prompt strings after the special
escape sequences are expanded.  If a malicious user can modify the system
hostname or change the name of the bash executable and coerce a user into
executing it, and the new name contains word expansions (including
command substitution), bash will expand them in prompt strings containing
the \h or \H and \s escape sequences, respectively.

Patch (apply with `patch -p0'):

*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.0 -0400
--- parse.y 2016-03-07 15:44:14.0 -0500
***
*** 5259,5263 
int result_size, result_index;
int c, n, i;
!   char *temp, octal_string[4];
struct tm *tm;  
time_t the_time;
--- 5259,5263 
int result_size, result_index;
int c, n, i;
!   char *temp, *t_host, octal_string[4];
struct tm *tm;  
time_t the_time;
***
*** 5407,5411 
case 's':
  temp = base_pathname (shell_name);
! temp = savestring (temp);
  goto add_string;
  
--- 5407,5415 
case 's':
  temp = base_pathname (shell_name);
! /* Try to quote anything the user can set in the file system */
! if (promptvars || posixly_correct)
!   temp = sh_backslash_quote_for_double_quotes (temp);
! else
!   temp = savestring (temp);
  goto add_string;
  
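Review bot: The comment added in the `\s` case says what is being quoted but not the condition that makes the quoting effective, which the `\h`/`\H` hunk of this same patch does spell out. The name `sh_backslash_quote_for_double_quotes` suggests the result is only inert when the decoded prompt is later expanded as if it were double-quoted, so the same precondition applies here. I would extend the comment to something like `/* shell_name can be set through the file system; quote it, which requires expand_prompt_string to be called with Q_DOUBLE_QUOTES */`. The enclosing function starts and ends outside this hunk.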
***
*** 5497,5503 
case 'h':
case 'H':
! temp = savestring (current_host_name);
! if (c == 'h' && (t = (char *)strchr (temp, '.')))
*t = '\0';
  goto add_string;
  
--- 5501,5515 
case 'h':
case 'H':
! t_host = savestring (current_host_name);
! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
*t = '\0';
+ if (promptvars || posixly_correct)
+   /* Make sure that expand_prompt_string is called with a
+  second argument of Q_DOUBLE_QUOTES if we use this
+  function here. */
+   temp = sh_backslash_quote_for_double_quotes (t_host);
+ else
+   temp = savestring (t_host);
+ free (t_host);
  goto add_string;
  
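Review bot: The new `if (promptvars || posixly_correct)` places a four-line comment between the condition and its single unbraced statement, so a statement added later can silently fall outside the conditional on a path whose whole purpose is to neutralise an attacker-influenced hostname. Moving the comment above the `if` and bracing both branches, e.g. `{ temp = sh_backslash_quote_for_double_quotes (t_host); }`, keeps the quoting decision unambiguous. The enclosing switch statement continues outside this hunk.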
*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.0 -0400
--- y.tab.c 2016-03-07 15:44:14.0 -0500
***
*** 7571,7575 
int result_size, result_index;
int c, n, i;
!   char *temp, octal_string[4];
struct tm *tm;  
time_t the_time;
--- 7571,7575 
int result_size, result_index;
int c, n, i;
!   char *temp, *t_host, octal_string[4];
struct tm *tm;  
time_t the_time;
***
*** 7719,7723 
case 's':
  temp = base_pathname (shell_name);
! temp = savestring (temp);
  goto add_string;
  
--- 7719,7727 
case 's':
  temp = base_pathname (shell_name);
! /* Try to quote anything the user can set in the file system */
! if (promptvars || posixly_correct)
!   temp = sh_backslash_quote_for_double_quotes (temp);
! else
!   temp = savestring (temp);
  goto add_string;
  
***
*** 7809,7815 
case 'h':
case 'H':
! temp = savestring (current_host_name);
! if (c == 'h' && (t = (char *)strchr (temp, '.')))
*t = '\0';
  goto add_string;
  
--- 7813,7827 
case 'h':
case 'H':
! t_host = savestring (current_host_name);
! if (c == 'h' && (t = (char *)strchr (t_host, '.')))
*t = '\0';
+ if (promptvars || posixly_correct)
+   /* Make sure that expand_prompt_string is called with a
+  second argument of Q_DOUBLE_QUOTES if we use this
+  function here. */
+   temp = sh_backslash_quote_for_double_quotes (t_host);
+ else
+   temp = savestring (t_host);
+ free (t_host);
  goto add_string;
  
*** ../bash-4.3/patchlevel.h2012-12-29 10:47:57.0 -0500
--- patchlevel.h2014-03-20 20:01:28.0 -0400
***
*** 26,30 
 looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 46
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 
 looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 47
  
  #endif /* _PATCHLEVEL_H_ */

-- 
``The lyf so short, the craft 

Bash-4.3 Official Patch 48

2016-10-04 Thread Chet Ramey
 BASH PATCH REPORT
 =

Bash-Release:   4.3
Patch-ID:   bash43-048

Bug-Reported-by:up201407...@alunos.dcc.fc.up.pt
Bug-Reference-ID:   
<20151210201649.126444eionzfs...@webmail.alunos.dcc.fc.up.pt>
Bug-Reference-URL:  
http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html

Bug-Description:

If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
and a value for $PS4 that includes a command substitution into a shell
running as root, bash will expand the command substitution as part of
expanding $PS4 when it executes a traced command.

Patch (apply with `patch -p0'):

*** ../bash-4.3-patched/variables.c 2015-11-26 12:31:21.0 -0500
--- variables.c 2015-12-23 10:19:01.0 -0500
***
*** 496,500 
set_if_not ("PS2", secondary_prompt);
  }
!   set_if_not ("PS4", "+ ");
  
/* Don't allow IFS to be imported from the environment. */
--- 496,504 
set_if_not ("PS2", secondary_prompt);
  }
! 
!   if (current_user.euid == 0)
! bind_variable ("PS4", "+ ", 0);
!   else
! set_if_not ("PS4", "+ ");
  
/* Don't allow IFS to be imported from the environment. */
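Review bot: The new `current_user.euid == 0` branch has no comment explaining why PS4 is forced for root, while the IFS line directly below it documents its reason. A comment such as `/* Don't import PS4 from the environment when running as root: it is expanded, including command substitution, before each traced command. */` would keep a later cleanup from folding the branch back into `set_if_not`. The check covers effective uid 0 only, so a shell whose real and effective uids differ without being root still inherits PS4. Whether that is intended is worth stating in the same comment. The enclosing function starts and ends outside this hunk.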

*** ../bash-4.3/patchlevel.h2012-12-29 10:47:57.0 -0500
--- patchlevel.h2014-03-20 20:01:28.0 -0400
***
*** 26,30 
 looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 47
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 
 looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 48
  
  #endif /* _PATCHLEVEL_H_ */

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/