* [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp
@ 2014-09-25 23:13 Ross Burton
2014-09-25 23:13 ` [PATCH 2/2] bash: fix CVE-2014-6271 Ross Burton
2014-09-26 6:55 ` [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Koen Kooi
0 siblings, 2 replies; 6+ messages in thread
From: Ross Burton @ 2014-09-25 23:13 UTC (permalink / raw)
To: openembedded-core
Otherwise this is a non-deterministic build dependency.
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
meta/recipes-support/curl/curl_7.37.1.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb
index 8bcd9ba..e2852e3 100644
--- a/meta/recipes-support/curl/curl_7.37.1.bb
+++ b/meta/recipes-support/curl/curl_7.37.1.bb
@@ -27,6 +27,7 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl"
PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
+PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
EXTRA_OECONF = "--without-libssh2 \
--without-libidn \
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/2] bash: fix CVE-2014-6271
2014-09-25 23:13 [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Ross Burton
@ 2014-09-25 23:13 ` Ross Burton
2014-09-26 6:55 ` [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Koen Kooi
1 sibling, 0 replies; 6+ messages in thread
From: Ross Burton @ 2014-09-25 23:13 UTC (permalink / raw)
To: openembedded-core
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
.../bash/bash-3.2.48/cve-2014-6271.patch | 77 +++++++++++++
.../recipes-extended/bash/bash/cve-2014-6271.patch | 114 ++++++++++++++++++++
meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
meta/recipes-extended/bash/bash_4.3.bb | 1 +
4 files changed, 193 insertions(+)
create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
create mode 100644 meta/recipes-extended/bash/bash/cve-2014-6271.patch
diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
new file mode 100644
index 0000000..7226ffb
--- /dev/null
+++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6271.patch
@@ -0,0 +1,77 @@
+Fix CVE-2014-6271, aka ShellShock.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+*** ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
+--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
+***************
+*** 34,37 ****
+--- 34,39 ----
+
+ /* Flags for describe_command, shared between type.def and command.def */
++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100 /* only allow a single command */
+ #define CDESC_ALL 0x001 /* type -a */
+ #define CDESC_SHORTDESC 0x002 /* command -V */
+*** ../bash-3.2.51/builtins/evalstring.c 2008-11-15 17:47:04.000000000 -0500
+--- builtins/evalstring.c 2014-09-16 19:08:02.000000000 -0400
+***************
+*** 235,238 ****
+--- 235,246 ----
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+***************
+*** 292,295 ****
+--- 300,306 ----
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+*** ../bash-3.2.51/variables.c 2008-11-15 17:15:06.000000000 -0500
+--- variables.c 2014-09-16 19:10:39.000000000 -0400
+***************
+*** 319,328 ****
+ strcpy (temp_string + char_index + 1, string);
+
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+!
+! /* Ancient backwards compatibility. Old versions of bash exported
+! functions like name()=() {...} */
+! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! name[char_index - 2] = '\0';
+
+ if (temp_var = find_function (name))
+--- 319,326 ----
+ strcpy (temp_string + char_index + 1, string);
+
+! /* Don't import function names that are invalid identifiers from the
+! environment. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+***************
+*** 333,340 ****
+ else
+ report_error (_("error importing function definition for `%s'"), name);
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+--- 331,334 ----
diff --git a/meta/recipes-extended/bash/bash/cve-2014-6271.patch b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
new file mode 100644
index 0000000..d33a5c8
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/cve-2014-6271.patch
@@ -0,0 +1,114 @@
+Fix CVE-2014-6271, aka ShellShock. This is the upstream 4.3 patchlevel 25, minus the hunk to
+set the patch level.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-025
+
+Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/builtins/common.h 2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h 2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+ #define SEVAL_PARSEONLY 0x020
+ #define SEVAL_NOLONGJMP 0x040
++ #define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++ #define SEVAL_ONECMD 0x100 /* only allow a single command */
+
+ /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c 2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c 2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+*** ../bash-4.3-patched/variables.c 2014-05-15 08:26:50.000000000 -0400
+--- variables.c 2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+ strcpy (temp_string + char_index + 1, string);
+
+! if (posixly_correct == 0 || legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+!
+! /* Ancient backwards compatibility. Old versions of bash exported
+! functions like name()=() {...} */
+! if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! name[char_index - 2] = '\0';
+
+ if (temp_var = find_function (name))
+--- 364,372 ----
+ strcpy (temp_string + char_index + 1, string);
+
+! /* Don't import function names that are invalid identifiers from the
+! environment, though we still allow them to be defined as shell
+! variables. */
+! if (legal_identifier (name))
+! parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+ report_error (_("error importing function definition for `%s'"), name);
+ }
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c 2014-08-11 11:16:35.000000000 -0400
+--- subst.c 2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+ goto return0;
+ }
+! else if (var = find_variable_last_nameref (temp1))
+ {
+ temp = nameref_cell (var);
+--- 8118,8124 ----
+ goto return0;
+ }
+! else if (var && (invisible_p (var) || var_isset (var) == 0))
+! temp = (char *)NULL;
+! else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+ {
+ temp = nameref_cell (var);
diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
index fe04b28..5849ed0 100644
--- a/meta/recipes-extended/bash/bash_3.2.48.bb
+++ b/meta/recipes-extended/bash/bash_3.2.48.bb
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://mkbuiltins_have_stringize.patch \
file://build-tests.patch \
file://test-output.patch \
+ file://cve-2014-6271.patch;striplevel=0 \
file://run-ptest \
"
diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb
index 25b7410..febaf33 100644
--- a/meta/recipes-extended/bash/bash_4.3.bb
+++ b/meta/recipes-extended/bash/bash_4.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://mkbuiltins_have_stringize.patch \
file://build-tests.patch \
file://test-output.patch \
+ file://cve-2014-6271.patch;striplevel=0 \
file://run-ptest \
"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp
2014-09-25 23:13 [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Ross Burton
2014-09-25 23:13 ` [PATCH 2/2] bash: fix CVE-2014-6271 Ross Burton
@ 2014-09-26 6:55 ` Koen Kooi
2014-09-26 8:48 ` Paul Eggleton
2014-09-26 9:43 ` Burton, Ross
1 sibling, 2 replies; 6+ messages in thread
From: Koen Kooi @ 2014-09-26 6:55 UTC (permalink / raw)
To: Ross Burton; +Cc: openembedded-core
Op 26 sep. 2014, om 01:13 heeft Ross Burton <ross.burton@intel.com> het volgende geschreven:
> Otherwise this is a non-deterministic build dependency.
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
> meta/recipes-support/curl/curl_7.37.1.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb
> index 8bcd9ba..e2852e3 100644
> --- a/meta/recipes-support/curl/curl_7.37.1.bb
> +++ b/meta/recipes-support/curl/curl_7.37.1.bb
> @@ -27,6 +27,7 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
> PACKAGECONFIG[ssl] = "--with-ssl --with-random=/dev/urandom,--without-ssl,openssl"
> PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
> PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
> +PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
Using librtmp has nasty legal consequences in various countries, is there a way to express that risk? Something analogous to the commercial license protection we have.
regards,
Koen
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp
2014-09-26 6:55 ` [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Koen Kooi
@ 2014-09-26 8:48 ` Paul Eggleton
2014-09-26 9:43 ` Burton, Ross
1 sibling, 0 replies; 6+ messages in thread
From: Paul Eggleton @ 2014-09-26 8:48 UTC (permalink / raw)
To: openembedded-core, Ross Burton; +Cc: Koen Kooi
On Friday 26 September 2014 08:55:03 Koen Kooi wrote:
> Op 26 sep. 2014, om 01:13 heeft Ross Burton <ross.burton@intel.com> het
> volgende geschreven:
> > Otherwise this is a non-deterministic build dependency.
> >
> > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > ---
> > meta/recipes-support/curl/curl_7.37.1.bb | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_7.37.1.bb
> > b/meta/recipes-support/curl/curl_7.37.1.bb index 8bcd9ba..e2852e3 100644
> > --- a/meta/recipes-support/curl/curl_7.37.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.37.1.bb
> > @@ -27,6 +27,7 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
> > PACKAGECONFIG[ssl] = "--with-ssl
> > --with-random=/dev/urandom,--without-ssl,openssl" PACKAGECONFIG[gnutls] =
> > "--with-gnutls,--without-gnutls,gnutls"
> > PACKAGECONFIG[zlib] =
> > "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
> > +PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
>
> Using librtmp has nasty legal consequences in various countries, is there a
> way to express that risk? Something analogous to the commercial license
> protection we have.
Maybe set LICENSE_FLAGS conditionally upon rtmpdump being in PACKAGECONFIG?
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp
2014-09-26 6:55 ` [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Koen Kooi
2014-09-26 8:48 ` Paul Eggleton
@ 2014-09-26 9:43 ` Burton, Ross
2014-09-26 9:48 ` Paul Eggleton
1 sibling, 1 reply; 6+ messages in thread
From: Burton, Ross @ 2014-09-26 9:43 UTC (permalink / raw)
To: Koen Kooi; +Cc: OE-core
On 26 September 2014 07:55, Koen Kooi <koen@dominion.thruhere.net> wrote:
> Using librtmp has nasty legal consequences in various countries, is there a way to express that risk? Something analogous to the commercial license protection we have.
Agreed, but wouldn't that be something done in the rtmpdump recipe?
Ross
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp
2014-09-26 9:43 ` Burton, Ross
@ 2014-09-26 9:48 ` Paul Eggleton
0 siblings, 0 replies; 6+ messages in thread
From: Paul Eggleton @ 2014-09-26 9:48 UTC (permalink / raw)
To: Burton, Ross; +Cc: Koen Kooi, openembedded-core
On Friday 26 September 2014 10:43:26 Burton, Ross wrote:
> On 26 September 2014 07:55, Koen Kooi <koen@dominion.thruhere.net> wrote:
> > Using librtmp has nasty legal consequences in various countries, is there
> > a way to express that risk? Something analogous to the commercial license
> > protection we have.
>
> Agreed, but wouldn't that be something done in the rtmpdump recipe?
Actually that would make more sense than what I suggested, yes.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-09-26 9:48 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-25 23:13 [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Ross Burton
2014-09-25 23:13 ` [PATCH 2/2] bash: fix CVE-2014-6271 Ross Burton
2014-09-26 6:55 ` [PATCH 1/2] curl: add a PACKAGECONFIG for librtmp Koen Kooi
2014-09-26 8:48 ` Paul Eggleton
2014-09-26 9:43 ` Burton, Ross
2014-09-26 9:48 ` Paul Eggleton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.