From a87f75aa8d2078b3ab3fec6204ea675445912a87 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Wed, 1 Oct 2014 10:39:41 -0700 Subject: [PATCH] bash: fix CVE-2014-7186 and CVE-2014-7187 Sync up with upstream gentoo, pulling in the final version of the patch for these issues. This is functionally equivalent to 4.2_p51 but upstream hasn't officially announced that version yet it seems. --- ...-4.2_p50.ebuild => bash-4.2_p50-r1.ebuild} | 5 +- .../app-shells/bash/files/bash-4.2-049.patch | 60 -------- .../files/bash-redir-stack-overflow.patch | 140 ++++++++++++++++++ 3 files changed, 143 insertions(+), 62 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-shells/bash/{bash-4.2_p50.ebuild => bash-4.2_p50-r1.ebuild} (95%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50.ebuild b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50-r1.ebuild similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50-r1.ebuild index 7329df268b..6dd0eb1221 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-shells/bash/bash-4.2_p50.ebuild,v 1.1 2014/09/28 16:52:30 polynomial-c Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-shells/bash/bash-4.2_p50-r1.ebuild,v 1.4 2014/10/01 16:41:27 pinkbyte Exp $ EAPI="4" 
@@ -34,7 +34,7 @@ SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz $(patches)" LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd" +KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd" IUSE="afs bashlogger examples mem-scramble +net nls plugins +readline vanilla" DEPEND=">=sys-libs/ncurses-5.2-r2 @@ -84,6 +84,7 @@ src_prepare() { if ! use vanilla ; then epatch "${FILESDIR}"/${PN}-4.2-speed-up-read-N.patch fi + epatch "${FILESDIR}"/${PN}-redir-stack-overflow.patch #523742 epatch_user } diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch deleted file mode 100644 index bbe714e633..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch +++ /dev/null 
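Review bot: The `epatch "${FILESDIR}"/${PN}-redir-stack-overflow.patch` line added to `src_prepare` applies a patch that, going by its contents in this same commit, changes only `parse.y`, whereas the removed `bash-4.2-049.patch` carried the matching `y.tab.c` change as well. The fix for the two CVEs therefore reaches the built shell only if `y.tab.c` is regenerated from the patched grammar. Nothing visible here shows that, so it should be confirmed for each build environment (a yacc is available and the shipped generated file is treated as stale). I would record this next to the call, e.g. `# CVE-2014-7186/-7187: patches parse.y only, y.tab.c must be regenerated; drop when 4.2_p51 lands`. `src_prepare` begins above the hunk.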
@@ -1,60 +0,0 @@ - BASH PATCH REPORT - ================= - -Bash-Release: 4.2 -Patch-ID: bash42-049 - -Bug-Reported-by: Tavis Ormandy -Bug-Reference-ID: -Bug-Reference-URL: http://twitter.com/taviso/statuses/514887394294652929 - -Bug-Description: - -Under certain circumstances, bash can incorrectly save a lookahead character and -return it on a subsequent call, even when reading a new line. - -Patch (apply with `patch -p0'): - -*** a/parse.y 2012-12-31 11:52:57.000000000 -0500 ---- b/parse.y 2014-09-25 16:12:19.000000000 -0400 -*************** -*** 2851,2854 **** ---- 2851,2856 ---- - word_desc_to_read = (WORD_DESC *)NULL; - -+ eol_ungetc_lookahead = 0; -+ - current_token = '\n'; /* XXX */ - last_read_token = '\n'; -*** a/y.tab.c 2012-12-31 11:53:10.000000000 -0500 ---- b/y.tab.c 2014-09-25 20:23:25.000000000 -0400 -*************** -*** 5163,5166 **** ---- 5163,5168 ---- - word_desc_to_read = (WORD_DESC *)NULL; - -+ eol_ungetc_lookahead = 0; -+ - current_token = '\n'; /* XXX */ - last_read_token = '\n'; -*************** -*** 8377,8379 **** - } - #endif /* HANDLE_MULTIBYTE */ -- ---- 8379,8380 ---- -*** a/patchlevel.h Sat Jun 12 20:14:48 2010 ---- b/patchlevel.h Thu Feb 24 21:41:34 2011 -*************** -*** 26,30 **** - looks for to find the patch level (for the sccs version string). */ - -! #define PATCHLEVEL 48 - - #endif /* _PATCHLEVEL_H_ */ ---- 26,30 ---- - looks for to find the patch level (for the sccs version string). */ - -! #define PATCHLEVEL 49 - - #endif /* _PATCHLEVEL_H_ */ diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch new file mode 100644 index 0000000000..feba2cea57 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch 
@@ -0,0 +1,140 @@
+*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400
+--- parse.y 2014-09-25 19:16:40.000000000 -0400
+***************
+*** 169,172 ****
+--- 169,175 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 266,270 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 269,275 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 308,312 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 313,317 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 521,525 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 526,530 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 528,532 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+!
 redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS WORD
+--- 533,537 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS WORD
+***************
+*** 535,539 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_MINUS WORD
+--- 540,544 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_MINUS WORD
+***************
+*** 542,546 ****
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 547,551 ----
+ redir.filename = $2;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 549,553 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+--- 554,558 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! push_heredoc ($$);
+ }
+ | REDIR_WORD LESS_LESS_MINUS WORD
+***************
+*** 556,560 ****
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 561,565 ----
+ redir.filename = $3;
+ $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+!
 push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 2637,2640 ****
+--- 2642,2660 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()
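Review bot: `push_heredoc` is added without any comment on its contract, and its overflow branch is easy to misread. When `need_here_doc >= HEREDOC_MAX` it does not hand an error back to the grammar action; it resets `need_here_doc`, reports a syntax error and ends the shell through `exit_shell`. A header such as `/* Save R on redir_stack; if HEREDOC_MAX here-documents are already pending, report a syntax error and exit the shell rather than store past the array. */` would state that for the next reader. The `word_lineno[MAX_CASE_NEST+1]` change is likewise unexplained. Presumably `word_top` can reach `MAX_CASE_NEST`, but the statements that index the array are outside this hunk, so a one-line comment on the declaration should say why the extra slot exists and the indexing sites should be checked against it.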