diff options
author | Andrew Geissler <geissonator@yahoo.com> | 2020-10-02 17:45:00 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2020-10-06 01:10:26 +0300 |
commit | c3d88e4d9fcc08e1aae7cc9d0337c0261e996c64 (patch) | |
tree | 71525085ecd2a7680c898d5fee83dbd8902ee1bf /poky/meta/recipes-extended/bash | |
parent | c9f7865a347606a64696048817b0f09d9c3fcd31 (diff) | |
download | openbmc-c3d88e4d9fcc08e1aae7cc9d0337c0261e996c64.tar.xz |
poky: subtree update:c6bc20857c..b23aa6b753
Anatol Belski (1):
bitbake: bitbake: hashserv: Fix localhost sometimes resolved to a wrong IP
Andrew Geissler (1):
systemd: Upgrade v246.2 -> v246.6
Anibal Limon (1):
mesa: update 20.1.6 -> 20.1.8
Bruce Ashfield (2):
linux-yocto/beaglebone: Switch to sdhci-omap driver
kernel-yocto: add KBUILD_DEFCONFIG search location to failure message
Changqing Li (1):
sysklogd: fix parallel build issue
Charlie Davies (2):
bitbake: bitbake: fetch/git: add support for SRC_URI containing spaces in url
bitbake: bitbake: tests/fetch: add unit tests for SRC_URI with spaces in url
Chee Yang Lee (1):
bash : include patch 17 & 18
Chen Qi (2):
populate_sdk_ext.bbclass: add ESDK_MANIFEST_EXCLUDES
testsdk.py: remove workspace/sources to avoid failure in case of multilib
Chris Laplante (3):
bitbake.conf: add name of multiconfig to BUILDCFG_HEADER when multiconfig is active
cve-check: introduce CVE_CHECK_RECIPE_FILE variable to allow changing of per-recipe check file
cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs
Christian Eggers (1):
packagegroup: rrecommend perf also for musl on ARM
De Huo (1):
bash: fix CVE-2019-18276
Jean-Francois Dagenais (2):
bitbake: bitbake: tests/siggen: introduce clean_basepath testcases
bitbake: bitbake: siggen: clean_basepath: improve perfo and readability
Jens Rehsack (1):
image-artifact-names: make variables overridable
Jon Mason (1):
Space-comma Cleanups
Jonathan Richardson (1):
cortex-m0.inc: Add tuning for cortex-m0
Kai Kang (2):
systemd: disable xdg-autostart generator by default
kea: fix conflict between multilibs
Khairul Rohaizzat Jamaluddin (1):
sphinx: ref-variables: Added entry for IMAGE_EFI_BOOT_FILES
Khem Raj (6):
ncurses: Create alternative symlinks for st and st-256color
packagegroups: remove strace and lttng-tools for rv32/musl
qemuboot: Add QB_RNG variable
gettext: Fix ptest failure
ptest-runner: Backport patch to fix inappropriate ioctl error
systemd: Drop 0023-Fix-field-efi_loader_entry_one_shot_stat-has-incompl.patch
Konrad Weihmann (1):
testexport: rename create_tarball method
Leif Middelschulte (2):
bitbake: fetch2: fix handling of `\` in file:// SRC_URI
bitbake: tests/fetch: backslash support in file:// URIs
Mark Jonas (2):
Add license text for PSF-2.0
Map license names PSF and PSFv2 to PSF-2.0
Mingli Yu (3):
kea: create /var/lib/kea and /var/run/kea folder
bind: remove -r option for rndc-confgen
debianutils: update the debian snapshot version
Nicolas Dechesne (3):
sphinx: report errors when dependencies are not met
README: include detailed information about sphinx
sphinx: fix up some trademark and branding issues
Norman Stetter (1):
sstate.bbclass: Check file ownership before doing 'touch -a'
Otavio Salvador (1):
openssh: Allow enable/disable of rng-tools recommendation on sshd
Peter A. Bigot (1):
go-mod.bbclass: use append to add `modcacherw`
Quentin Schulz (2):
docs: static: theme_overrides.css: fix responsive design on <640px screens
docs: fix broken links
Randy MacLeod (1):
curl: Change SRC_URI from http to https
Rasmus Villemoes (1):
kernel.bbclass: ensure symlink_kernsrc task gets run even with externalsrc
Richard Purdie (15):
scripts/oe-build-perf-report: Use python3 from the environment
dropbear/openssh: Lower priority of key generation
oeqa/qemurunner: Increase serial timeout
python3-markupsafe: Import from meta-oe/meta-python
python3-jinja2: Import from meta-oe/meta-python
buildtools-tarball: Add python3-jinja2
buildtools-tarball: Fix conflicts with oe-selftest and other tooling
oeqa/selftest/incompatible_lib: Fix append usage
oeqa/selftest/containerimage: Update to match assumptions in configuration
ssh-pregen-hostkeys: Add a recipe with pregenerated ssh host keys
build-appliance-image: Update to master head revision
bitbake: Revert "bitbake-layers: add signal hander to avoid exception"
staging: Ensure cleaned dependencies are added
oeqa/selftest/devtool: Add sync call to test teardown
bitbake: cooker: Avoid tracebacks if data was never setup
Ross Burton (11):
gettext: no need to depend on bison-native
meta: add/fix invalid Upstream-Status tags
bitbake: taskexp: update for GTK API changes
glibc: make nscd optional
utils: respect scheduler affinity in cpu_count()
rpm: disable libarchive use
sstate: set mode explicitly when creating directories in sstate-cache
rpm: add PACKAGECONFIG for the systemd inhibit plugin
boost: move the build directory outside of S
bitbake: utils: add umask changing context manager
bitbake: siggen: use correct umask when writing siginfo
Saul Wold (2):
testimage: Add testimage_dump_target to kwargs
target/ssh.py: Add dump_target support
Teoh Jay Shen (1):
oeqa/runtime : add test for RTC(Real Time Clock)
Tim Orling (1):
oeqa/selftest/cases/devtool.py: avoid .pyc race
Usama Arif (1):
ref-manual: document authentication key variables
Wang Mingyu (1):
maintainers.inc: Add Zang Ruochen and Wang Mingyu for several recipes
Yi Zhao (4):
dhcpcd: pass --dbdir to EXTRA_OECONF to set database directory
dhcpcd: set --runstatedir to /run
dhcpcd: add dhcpcd user to support priviledge separation
dhcpcd: set service to conflict with connman
akuster (1):
libdrm: fix build failure
zangrc (4):
bind: upgrade 9.16.5 -> 9.16.7
stress-ng: upgrade 0.11.19 -> 0.11.21
pango: upgrade 1.46.1 -> 1.46.2
sudo: upgrade 1.9.2 -> 1.9.3
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I2c19d3b3793ee5a6f42e04817147d75f315943a5
Diffstat (limited to 'poky/meta/recipes-extended/bash')
-rw-r--r-- | poky/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch | 386 | ||||
-rw-r--r-- | poky/meta/recipes-extended/bash/bash_5.0.bb | 8 |
2 files changed, 394 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch b/poky/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch new file mode 100644 index 000000000..7b2073201 --- /dev/null +++ b/poky/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch @@ -0,0 +1,386 @@ +From 951bdaad7a18cc0dc1036bba86b18b90874d39ff Mon Sep 17 00:00:00 2001 +From: Chet Ramey <chet.ramey@case.edu> +Date: Mon, 1 Jul 2019 09:03:53 -0400 +Subject: [PATCH] commit bash-20190628 snapshot + +An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. +By default, if Bash is run with its effective UID not equal to its real UID, +it will drop privileges by setting its effective UID to its real UID. +However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, +the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for +runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore +regains privileges. However, binaries running with an effective UID of 0 are unaffected. + +Get the patch from [1] to fix the issue. + +Upstream-Status: Inappropriate [the upstream thinks it doesn't increase the credibility of CVEs in general] +CVE: CVE-2019-18276 + +[1] https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaa + +Signed-off-by: De Huo <De.Huo@windriver.com> +Signed-off-by: Kai Kang <kai.kang@windriver.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + MANIFEST | 2 ++ + bashline.c | 50 +------------------------------------------------- + builtins/help.def | 2 +- + config.h.in | 10 +++++++++- + configure.ac | 1 + + doc/bash.1 | 3 ++- + doc/bashref.texi | 3 ++- + lib/glob/glob.c | 5 ++++- + pathexp.c | 16 ++++++++++++++-- + shell.c | 8 ++++++++ + tests/glob.tests | 2 ++ + tests/glob6.sub | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + tests/glob7.sub | 11 +++++++++++ + 14 files changed, 122 insertions(+), 56 deletions(-) + create mode 100644 tests/glob6.sub + create mode 100644 tests/glob7.sub + +diff --git a/MANIFEST b/MANIFEST +index 03de221..f9ccad7 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -1037,6 +1037,8 @@ tests/extglob3.tests f + tests/extglob3.right f + tests/extglob4.sub f + tests/extglob5.sub f ++tests/glob6.sub f ++tests/glob7.sub f + tests/func.tests f + tests/func.right f + tests/func1.sub f +diff --git a/bashline.c b/bashline.c +index 824ea9d..d86b47d 100644 +--- a/bashline.c ++++ b/bashline.c +@@ -3718,55 +3718,7 @@ static int + completion_glob_pattern (string) + char *string; + { +- register int c; +- char *send; +- int open; +- +- DECLARE_MBSTATE; +- +- open = 0; +- send = string + strlen (string); +- +- while (c = *string++) +- { +- switch (c) +- { +- case '?': +- case '*': +- return (1); +- +- case '[': +- open++; +- continue; +- +- case ']': +- if (open) +- return (1); +- continue; +- +- case '+': +- case '@': +- case '!': +- if (*string == '(') /*)*/ +- return (1); +- continue; +- +- case '\\': +- if (*string++ == 0) +- return (0); +- } +- +- /* Advance one fewer byte than an entire multibyte character to +- account for the auto-increment in the loop above. */ +-#ifdef HANDLE_MULTIBYTE +- string--; +- ADVANCE_CHAR_P (string, send - string); +- string++; +-#else +- ADVANCE_CHAR_P (string, send - string); +-#endif +- } +- return (0); ++ return (glob_pattern_p (string) == 1); + } + + static char *globtext; +diff --git a/builtins/help.def b/builtins/help.def +index 006c4b5..92f9b38 100644 +--- a/builtins/help.def ++++ b/builtins/help.def +@@ -128,7 +128,7 @@ help_builtin (list) + + /* We should consider making `help bash' do something. */ + +- if (glob_pattern_p (list->word->word)) ++ if (glob_pattern_p (list->word->word) == 1) + { + printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1))); + print_word_list (list, ", "); +diff --git a/config.h.in b/config.h.in +index 8554aec..ad4b1e8 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1,6 +1,6 @@ + /* config.h -- Configuration file for bash. */ + +-/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc. ++/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc. + + This file is part of GNU Bash, the Bourne Again SHell. + +@@ -807,6 +807,14 @@ + #undef HAVE_SETREGID + #undef HAVE_DECL_SETREGID + ++/* Define if you have the setregid function. */ ++#undef HAVE_SETRESGID ++#undef HAVE_DECL_SETRESGID ++ ++/* Define if you have the setresuid function. */ ++#undef HAVE_SETRESUID ++#undef HAVE_DECL_SETRESUID ++ + /* Define if you have the setvbuf function. */ + #undef HAVE_SETVBUF + +diff --git a/configure.ac b/configure.ac +index 52b4cdb..549adef 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -810,6 +810,7 @@ AC_CHECK_DECLS([confstr]) + AC_CHECK_DECLS([printf]) + AC_CHECK_DECLS([sbrk]) + AC_CHECK_DECLS([setregid]) ++AC_CHECK_DECLS[(setresuid, setresgid]) + AC_CHECK_DECLS([strcpy]) + AC_CHECK_DECLS([strsignal]) + +diff --git a/doc/bash.1 b/doc/bash.1 +index e6cd08d..9e58a0b 100644 +--- a/doc/bash.1 ++++ b/doc/bash.1 +@@ -4681,7 +4681,8 @@ above). + .PD + .SH "SIMPLE COMMAND EXPANSION" + When a simple command is executed, the shell performs the following +-expansions, assignments, and redirections, from left to right. ++expansions, assignments, and redirections, from left to right, in ++the following order. + .IP 1. + The words that the parser has marked as variable assignments (those + preceding the command name) and redirections are saved for later +diff --git a/doc/bashref.texi b/doc/bashref.texi +index d33cd57..3065126 100644 +--- a/doc/bashref.texi ++++ b/doc/bashref.texi +@@ -2964,7 +2964,8 @@ is not specified. If the file does not exist, it is created. + @cindex command expansion + + When a simple command is executed, the shell performs the following +-expansions, assignments, and redirections, from left to right. ++expansions, assignments, and redirections, from left to right, in ++the following order. + + @enumerate + @item +diff --git a/lib/glob/glob.c b/lib/glob/glob.c +index 398253b..2eaa33e 100644 +--- a/lib/glob/glob.c ++++ b/lib/glob/glob.c +@@ -607,6 +607,7 @@ glob_vector (pat, dir, flags) + register unsigned int i; + int mflags; /* Flags passed to strmatch (). */ + int pflags; /* flags passed to sh_makepath () */ ++ int hasglob; /* return value from glob_pattern_p */ + int nalloca; + struct globval *firstmalloc, *tmplink; + char *convfn; +@@ -648,10 +649,12 @@ glob_vector (pat, dir, flags) + patlen = (pat && *pat) ? strlen (pat) : 0; + + /* If the filename pattern (PAT) does not contain any globbing characters, ++ or contains a pattern with only backslash escapes (hasglob == 2), + we can dispense with reading the directory, and just see if there is + a filename `DIR/PAT'. If there is, and we can access it, just make the + vector to return and bail immediately. */ +- if (skip == 0 && glob_pattern_p (pat) == 0) ++ hasglob = 0; ++ if (skip == 0 && (hasglob = glob_pattern_p (pat)) == 0 || hasglob == 2) + { + int dirlen; + struct stat finfo; +diff --git a/pathexp.c b/pathexp.c +index c1bf2d8..e6c5392 100644 +--- a/pathexp.c ++++ b/pathexp.c +@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT; + /* Control enabling special handling of `**' */ + int glob_star = 0; + +-/* Return nonzero if STRING has any unquoted special globbing chars in it. */ ++/* Return nonzero if STRING has any unquoted special globbing chars in it. ++ This is supposed to be called when pathname expansion is performed, so ++ it implements the rules in Posix 2.13.3, specifically that an unquoted ++ slash cannot appear in a bracket expression. */ + int + unquoted_glob_pattern_p (string) + register char *string; +@@ -85,10 +88,14 @@ unquoted_glob_pattern_p (string) + continue; + + case ']': +- if (open) ++ if (open) /* XXX - if --open == 0? */ + return (1); + continue; + ++ case '/': ++ if (open) ++ open = 0; ++ + case '+': + case '@': + case '!': +@@ -106,6 +113,11 @@ unquoted_glob_pattern_p (string) + string++; + continue; + } ++ else if (open && *string == '/') ++ { ++ string++; /* quoted slashes in bracket expressions are ok */ ++ continue; ++ } + else if (*string == 0) + return (0); + +diff --git a/shell.c b/shell.c +index a2b2a55..6adabc8 100644 +--- a/shell.c ++++ b/shell.c +@@ -1293,7 +1293,11 @@ disable_priv_mode () + { + int e; + ++#if HAVE_DECL_SETRESUID ++ if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0) ++#else + if (setuid (current_user.uid) < 0) ++#endif + { + e = errno; + sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid); +@@ -1302,7 +1306,11 @@ disable_priv_mode () + exit (e); + #endif + } ++#if HAVE_DECL_SETRESGID ++ if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0) ++#else + if (setgid (current_user.gid) < 0) ++#endif + sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid); + + current_user.euid = current_user.uid; +diff --git a/tests/glob.tests b/tests/glob.tests +index 01913bb..fb012f7 100644 +--- a/tests/glob.tests ++++ b/tests/glob.tests +@@ -12,6 +12,8 @@ ${THIS_SH} ./glob1.sub + ${THIS_SH} ./glob2.sub + ${THIS_SH} ./glob3.sub + ${THIS_SH} ./glob4.sub ++${THIS_SH} ./glob6.sub ++${THIS_SH} ./glob7.sub + + MYDIR=$PWD # save where we are + +diff --git a/tests/glob6.sub b/tests/glob6.sub +new file mode 100644 +index 0000000..b099811 +--- /dev/null ++++ b/tests/glob6.sub +@@ -0,0 +1,54 @@ ++# tests of the backslash-in-glob-patterns discussion on the austin-group ML ++ ++: ${TMPDIR:=/var/tmp} ++ ++ORIG=$PWD ++GLOBDIR=$TMPDIR/bash-glob-$$ ++mkdir $GLOBDIR && cd $GLOBDIR ++ ++# does the pattern matcher allow backslashes as escape characters and remove ++# them as part of matching? ++touch abcdefg ++pat='ab\cd*' ++printf '<%s>\n' $pat ++pat='\.' ++printf '<%s>\n' $pat ++rm abcdefg ++ ++# how about when escaping pattern characters? ++touch '*abc.c' ++a='\**.c' ++printf '%s\n' $a ++rm -f '*abc.c' ++ ++# how about when making the distinction between readable and searchable path ++# components? ++mkdir -m a=x searchable ++mkdir -m a=r readable ++ ++p='searchable/\.' ++printf "%s\n" $p ++ ++p='searchable/\./.' ++printf "%s\n" $p ++ ++p='readable/\.' ++printf "%s\n" $p ++ ++p='readable/\./.' ++printf "%s\n" $p ++ ++printf "%s\n" 'searchable/\.' ++printf "%s\n" 'readable/\.' ++ ++echo */. ++ ++p='*/\.' ++echo $p ++ ++echo */'.' ++ ++rmdir searchable readable ++ ++cd $ORIG ++rmdir $GLOBDIR +diff --git a/tests/glob7.sub b/tests/glob7.sub +new file mode 100644 +index 0000000..0212b8e +--- /dev/null ++++ b/tests/glob7.sub +@@ -0,0 +1,11 @@ ++# according to Posix 2.13.3, a slash in a bracket expression renders that ++# bracket expression invalid ++shopt -s nullglob ++ ++echo 1: [qwe/qwe] ++echo 2: [qwe/ ++echo 3: [qwe/] ++ ++echo 4: [qwe\/qwe] ++echo 5: [qwe\/ ++echo 6: [qwe\/] +-- +1.9.1 + diff --git a/poky/meta/recipes-extended/bash/bash_5.0.bb b/poky/meta/recipes-extended/bash/bash_5.0.bb index 8ff9e6eda..257a03bd8 100644 --- a/poky/meta/recipes-extended/bash/bash_5.0.bb +++ b/poky/meta/recipes-extended/bash/bash_5.0.bb @@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ ${GNU_MIRROR}/bash/bash-${PV}-patches/bash50-014;apply=yes;striplevel=0;name=patch014 \ ${GNU_MIRROR}/bash/bash-${PV}-patches/bash50-015;apply=yes;striplevel=0;name=patch015 \ ${GNU_MIRROR}/bash/bash-${PV}-patches/bash50-016;apply=yes;striplevel=0;name=patch016 \ + ${GNU_MIRROR}/bash/bash-${PV}-patches/bash50-017;apply=yes;striplevel=0;name=patch017 \ + ${GNU_MIRROR}/bash/bash-${PV}-patches/bash50-018;apply=yes;striplevel=0;name=patch018 \ file://execute_cmd.patch \ file://mkbuiltins_have_stringize.patch \ file://build-tests.patch \ @@ -28,6 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ file://run-ptest \ file://run-bash-ptests \ file://fix-run-builtins.patch \ + file://bash-CVE-2019-18276.patch \ " SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b" @@ -65,6 +68,11 @@ SRC_URI[patch015.md5sum] = "c4c6ea23d09a74eaa9385438e48fdf02" SRC_URI[patch015.sha256sum] = "a517df2dda93b26d5cbf00effefea93e3a4ccd6652f152f4109170544ebfa05e" SRC_URI[patch016.md5sum] = "a682ed6fa2c2e7a7c3ba6bdeada07fb5" SRC_URI[patch016.sha256sum] = "ffd1d7a54a99fa7f5b1825e4f7e95d8c8876bc2ca151f150e751d429c650b06d" +SRC_URI[patch017.md5sum] = "d9dcaa1d8e7a24850449a1aac43a12a9" +SRC_URI[patch017.sha256sum] = "4cf3b9fafb8a66d411dd5fc9120032533a4012df1dc6ee024c7833373e2ddc31" +SRC_URI[patch018.md5sum] = "a64d950d5de72ae590455b13e6afefcb" +SRC_URI[patch018.sha256sum] = "7c314e375a105a6642e8ed44f3808b9def89d15f7492fe2029a21ba9c0de81d3" + DEBUG_OPTIMIZATION_append_armv4 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}" DEBUG_OPTIMIZATION_append_armv5 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}" |