bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bash-4.3 Official Patch 47


From: Chet Ramey
Subject: Bash-4.3 Official Patch 47
Date: Tue, 4 Oct 2016 21:12:42 -0400

                             BASH PATCH REPORT
                             =================

Bash-Release:   4.3
Patch-ID:       bash43-047

Bug-Reported-by:        Bernd Dietzel
Bug-Reference-ID:
Bug-Reference-URL:      
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Bug-Description:

Bash performs word expansions on the prompt strings after the special
escape sequences are expanded.  If a malicious user can modify the system
hostname or change the name of the bash executable and coerce a user into
executing it, and the new name contains word expansions (including
command substitution), bash will expand them in prompt strings containing
the \h or \H and \s escape sequences, respectively.

Patch (apply with `patch -p0'):

*** ../bash-4.3-patched/parse.y 2015-08-13 15:11:54.000000000 -0400
--- parse.y     2016-03-07 15:44:14.000000000 -0500
***************
*** 5259,5263 ****
    int result_size, result_index;
    int c, n, i;
!   char *temp, octal_string[4];
    struct tm *tm;  
    time_t the_time;
--- 5259,5263 ----
    int result_size, result_index;
    int c, n, i;
!   char *temp, *t_host, octal_string[4];
    struct tm *tm;  
    time_t the_time;
***************
*** 5407,5411 ****
            case 's':
              temp = base_pathname (shell_name);
!             temp = savestring (temp);
              goto add_string;
  
--- 5407,5415 ----
            case 's':
              temp = base_pathname (shell_name);
!             /* Try to quote anything the user can set in the file system */
!             if (promptvars || posixly_correct)
!               temp = sh_backslash_quote_for_double_quotes (temp);
!             else
!               temp = savestring (temp);
              goto add_string;
  
***************
*** 5497,5503 ****
            case 'h':
            case 'H':
!             temp = savestring (current_host_name);
!             if (c == 'h' && (t = (char *)strchr (temp, '.')))
                *t = '\0';
              goto add_string;
  
--- 5501,5515 ----
            case 'h':
            case 'H':
!             t_host = savestring (current_host_name);
!             if (c == 'h' && (t = (char *)strchr (t_host, '.')))
                *t = '\0';
+             if (promptvars || posixly_correct)
+               /* Make sure that expand_prompt_string is called with a
+                  second argument of Q_DOUBLE_QUOTES if we use this
+                  function here. */
+               temp = sh_backslash_quote_for_double_quotes (t_host);
+             else
+               temp = savestring (t_host);
+             free (t_host);
              goto add_string;
  
*** ../bash-4.3-patched/y.tab.c 2015-08-13 15:11:54.000000000 -0400
--- y.tab.c     2016-03-07 15:44:14.000000000 -0500
***************
*** 7571,7575 ****
    int result_size, result_index;
    int c, n, i;
!   char *temp, octal_string[4];
    struct tm *tm;  
    time_t the_time;
--- 7571,7575 ----
    int result_size, result_index;
    int c, n, i;
!   char *temp, *t_host, octal_string[4];
    struct tm *tm;  
    time_t the_time;
***************
*** 7719,7723 ****
            case 's':
              temp = base_pathname (shell_name);
!             temp = savestring (temp);
              goto add_string;
  
--- 7719,7727 ----
            case 's':
              temp = base_pathname (shell_name);
!             /* Try to quote anything the user can set in the file system */
!             if (promptvars || posixly_correct)
!               temp = sh_backslash_quote_for_double_quotes (temp);
!             else
!               temp = savestring (temp);
              goto add_string;
  
***************
*** 7809,7815 ****
            case 'h':
            case 'H':
!             temp = savestring (current_host_name);
!             if (c == 'h' && (t = (char *)strchr (temp, '.')))
                *t = '\0';
              goto add_string;
  
--- 7813,7827 ----
            case 'h':
            case 'H':
!             t_host = savestring (current_host_name);
!             if (c == 'h' && (t = (char *)strchr (t_host, '.')))
                *t = '\0';
+             if (promptvars || posixly_correct)
+               /* Make sure that expand_prompt_string is called with a
+                  second argument of Q_DOUBLE_QUOTES if we use this
+                  function here. */
+               temp = sh_backslash_quote_for_double_quotes (t_host);
+             else
+               temp = savestring (t_host);
+             free (t_host);
              goto add_string;
  
*** ../bash-4.3/patchlevel.h    2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h        2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 46
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 47
  
  #endif /* _PATCHLEVEL_H_ */

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]