bash: fix CVE-2014-7186 and CVE-2014-7187

Sync up with upstream gentoo, pulling in the final version of the patch for these issues. This is functionally equivalent to 4.2_p51 but upstream hasn't officially announced that version yet it seems.
2025-08-20 05:51:18 +02:00 · 2014-10-01 10:39:41 -07:00 · 2014-10-01 10:39:41 -07:00 · a87f75aa8d
commit a87f75aa8d
parent b8132ad96f
3 changed files with 143 additions and 62 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-4.2_p50-r1.ebuild
@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-shells/bash/bash-4.2_p50.ebuild,v 1.1 2014/09/28 16:52:30 polynomial-c Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-shells/bash/bash-4.2_p50-r1.ebuild,v 1.4 2014/10/01 16:41:27 pinkbyte Exp $

 EAPI="4"

@ -34,7 +34,7 @@ SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz $(patches)"

 LICENSE="GPL-3"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
 IUSE="afs bashlogger examples mem-scramble +net nls plugins +readline vanilla"

 DEPEND=">=sys-libs/ncurses-5.2-r2
@ -84,6 +84,7 @@ src_prepare() {
 	if ! use vanilla ; then
 		epatch "${FILESDIR}"/${PN}-4.2-speed-up-read-N.patch
 	fi
+	epatch "${FILESDIR}"/${PN}-redir-stack-overflow.patch #523742

 	epatch_user
 }
--- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-4.2-049.patch
@ -1,60 +0,0 @@
-			     BASH PATCH REPORT
-			     =================
-
-Bash-Release:	4.2
-Patch-ID:	bash42-049
-
-Bug-Reported-by:	Tavis Ormandy <taviso@cmpxchg8b.com>
-Bug-Reference-ID:
-Bug-Reference-URL:	http://twitter.com/taviso/statuses/514887394294652929
-
-Bug-Description:
-
-Under certain circumstances, bash can incorrectly save a lookahead character and
-return it on a subsequent call, even when reading a new line.
-
-Patch (apply with `patch -p0'):
-
-*** a/parse.y	2012-12-31 11:52:57.000000000 -0500
--- b/parse.y	2014-09-25 16:12:19.000000000 -0400
-***************
-*** 2851,2854 ****
--- 2851,2856 ----
-    word_desc_to_read = (WORD_DESC *)NULL;
-  
-+   eol_ungetc_lookahead = 0;
-+ 
-    current_token = '\n';		/* XXX */
-    last_read_token = '\n';
-*** a/y.tab.c	2012-12-31 11:53:10.000000000 -0500
--- b/y.tab.c	2014-09-25 20:23:25.000000000 -0400
-***************
-*** 5163,5166 ****
--- 5163,5168 ----
-    word_desc_to_read = (WORD_DESC *)NULL;
-  
-+   eol_ungetc_lookahead = 0;
-+ 
-    current_token = '\n';		/* XXX */
-    last_read_token = '\n';
-***************
-*** 8377,8379 ****
-  }
-  #endif /* HANDLE_MULTIBYTE */
- 
--- 8379,8380 ----
-*** a/patchlevel.h	Sat Jun 12 20:14:48 2010
--- b/patchlevel.h	Thu Feb 24 21:41:34 2011
-***************
-*** 26,30 ****
-     looks for to find the patch level (for the sccs version string). */
-  
-! #define PATCHLEVEL 48
-  
-  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
-     looks for to find the patch level (for the sccs version string). */
-  
-! #define PATCHLEVEL 49
-  
-  #endif /* _PATCHLEVEL_H_ */
--- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bash-redir-stack-overflow.patch
@ -0,0 +1,140 @@
+*** ../bash-20140912/parse.y	2014-08-26 15:09:42.000000000 -0400
+--- parse.y	2014-09-25 19:16:40.000000000 -0400
+***************
+*** 169,172 ****
+--- 169,175 ----
+  static int reserved_word_acceptable __P((int));
+  static int yylex __P((void));
+ 
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
+  static int alias_expand_token __P((char *));
+  static int time_command_acceptable __P((void));
+***************
+*** 266,270 ****
+  /* Variables to manage the task of reading here documents, because we need to
+     defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+  int need_here_doc;
+  
+--- 269,275 ----
+  /* Variables to manage the task of reading here documents, because we need to
+     defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+! 
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+  int need_here_doc;
+  
+***************
+*** 308,312 ****
+     index is decremented after a case, select, or for command is parsed. */
+  #define MAX_CASE_NEST	128
+! static int word_lineno[MAX_CASE_NEST];
+  static int word_top = -1;
+  
+--- 313,317 ----
+     index is decremented after a case, select, or for command is parsed. */
+  #define MAX_CASE_NEST	128
+! static int word_lineno[MAX_CASE_NEST+1];
+  static int word_top = -1;
+  
+***************
+*** 521,525 ****
+  			  redir.filename = $2;
+  			  $$ = make_redirection (source, r_reading_until, redir, 0);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	NUMBER LESS_LESS WORD
+--- 526,530 ----
+  			  redir.filename = $2;
+  			  $$ = make_redirection (source, r_reading_until, redir, 0);
+! 			  push_heredoc ($$);
+  			}
+  	|	NUMBER LESS_LESS WORD
+***************
+*** 528,532 ****
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_reading_until, redir, 0);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	REDIR_WORD LESS_LESS WORD
+--- 533,537 ----
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_reading_until, redir, 0);
+! 			  push_heredoc ($$);
+  			}
+  	|	REDIR_WORD LESS_LESS WORD
+***************
+*** 535,539 ****
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	LESS_LESS_MINUS WORD
+--- 540,544 ----
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
+! 			  push_heredoc ($$);
+  			}
+  	|	LESS_LESS_MINUS WORD
+***************
+*** 542,546 ****
+  			  redir.filename = $2;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	NUMBER LESS_LESS_MINUS WORD
+--- 547,551 ----
+  			  redir.filename = $2;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! 			  push_heredoc ($$);
+  			}
+  	|	NUMBER LESS_LESS_MINUS WORD
+***************
+*** 549,553 ****
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	REDIR_WORD  LESS_LESS_MINUS WORD
+--- 554,558 ----
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
+! 			  push_heredoc ($$);
+  			}
+  	|	REDIR_WORD  LESS_LESS_MINUS WORD
+***************
+*** 556,560 ****
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! 			  redir_stack[need_here_doc++] = $$;
+  			}
+  	|	LESS_LESS_LESS WORD
+--- 561,565 ----
+  			  redir.filename = $3;
+  			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
+! 			  push_heredoc ($$);
+  			}
+  	|	LESS_LESS_LESS WORD
+***************
+*** 2637,2640 ****
+--- 2642,2660 ----
+  static int esacs_needed_count;
+  
+ static void
+ push_heredoc (r)
+      REDIRECT *r;
+ {
+   if (need_here_doc >= HEREDOC_MAX)
+     {
+       last_command_exit_value = EX_BADUSAGE;
+       need_here_doc = 0;
+       report_syntax_error (_("maximum here-document count exceeded"));
+       reset_parser ();
+       exit_shell (last_command_exit_value);
+     }
+   redir_stack[need_here_doc++] = r;
+ }
+ 
+  void
+  gather_here_documents ()