* bash: Fix CVE-2019-18276
@ 2020-02-17  3:26 Phil Reid
  2020-02-17  6:44 ` Andrey Zhizhikin
  0 siblings, 1 reply; 17+ messages in thread
From: Phil Reid @ 2020-02-17  3:26 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer

Hi All,

I recently started getting the following failure with bash after "b348e31c93f0 bash: Fix CVE-2019-18276"
was applied to zeus.

Any thoughts?


NOTE: Applying patch 'bash50-001' (downloads/bash50-001)
NOTE: Applying patch 'bash50-002' (downloads/bash50-002)
NOTE: Applying patch 'bash50-003' (downloads/bash50-003)
NOTE: Applying patch 'bash50-004' (downloads/bash50-004)
NOTE: Applying patch 'bash50-005' (downloads/bash50-005)
NOTE: Applying patch 'bash50-006' (downloads/bash50-006)
NOTE: Applying patch 'bash50-007' (downloads/bash50-007)
NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/execute_cmd.patch)
NOTE: Applying patch 'mkbuiltins_have_stringize.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/mkbuiltins_have_stringize.patch)
NOTE: Applying patch 'build-tests.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/build-tests.patch)
NOTE: Applying patch 'test-output.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/test-output.patch)
NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/fix-run-builtins.patch)
NOTE: Applying patch 'bash-CVE-2019-18276.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch)
ERROR: Command Error: 'quilt --quiltrc 
/home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon-emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0  Output:
Applying patch bash-CVE-2019-18276.patch
patching file MANIFEST
patching file bashline.c
patching file builtins/help.def
patching file config.h.in
patching file configure
Hunk #1 FAILED at 10281.
1 out of 1 hunk FAILED -- rejects in file configure
patching file configure.ac
patching file doc/bash.1
patching file doc/bashref.texi
patching file lib/glob/glob.c
patching file pathexp.c
patching file shell.c
patching file tests/glob.tests
patching file tests/glob6.sub
patching file tests/glob7.sub
Patch bash-CVE-2019-18276.patch does not apply (enforce with -f)
DEBUG: Python function patch_do_patch finished
DEBUG: Python function do_patch finished

-- 
Regards
Phil Reid

ElectroMagnetic Imaging Technology Pty Ltd
Development of Geophysical Instrumentation & Software
www.electromag.com.au

3 The Avenue, Midland WA 6056, AUSTRALIA
Ph: +61 8 9250 8100
Fax: +61 8 9250 7100
Email: preid@electromag.com.au



* Re: bash: Fix CVE-2019-18276
  2020-02-17  3:26 bash: Fix CVE-2019-18276 Phil Reid
@ 2020-02-17  6:44 ` Andrey Zhizhikin
  2020-02-17  9:55   ` Richard Purdie
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Zhizhikin @ 2020-02-17  6:44 UTC (permalink / raw)
  To: Phil Reid; +Cc: Patches and discussions about the oe-core layer

On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au> wrote:
>
> Hi All,
>
> I recently started getting the following failure with bash after "b348e31c93f0 bash: Fix CVE-2019-18276"
> was applied to zeus.
>
> Any thoughts?
>
>
> [...]

Had the same issue the day before, re-building bash clean solved it.
At first I wanted to report it as well, but then after I tried "-c
cleanall" - the issue was gone.

Try to do a clean build of bash and see if it is still reproducible.




-- 
Regards,
Andrey.



* Re: bash: Fix CVE-2019-18276
  2020-02-17  6:44 ` Andrey Zhizhikin
@ 2020-02-17  9:55   ` Richard Purdie
  2020-02-18  6:41     ` Phil Reid
  0 siblings, 1 reply; 17+ messages in thread
From: Richard Purdie @ 2020-02-17  9:55 UTC (permalink / raw)
  To: Andrey Zhizhikin, Phil Reid, Armin Kuster (akuster808@gmail.com)
  Cc: Patches and discussions about the oe-core layer

On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote:
> On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au>
> wrote:
> > Hi All,
> > 
> > I recently started getting the following failure with bash after
> > "b348e31c93f0 bash: Fix CVE-2019-18276"
> > was applied to zeus.
> > 
> > Any thoughts?
> > 
> > 
> > [...]
> 
> Had the same issue the day before, re-building bash clean solved it.
> At first I wanted to report it as well, but then after I tried "-c
> cleanall" - the issue was gone.
> 
> Try to do a clean build of bash and see if it is still reproducible.

I think I understand what happens here. When you do a rebuild, bitbake
tries to pop off all the old patches, then apply the new ones.

In this case it's patching configure, which we rebuild. It therefore
can't apply the new patch to configure since it's changed by the
do_configure task.

The fix is to remove the configure change from the patch since we just
need the configure.ac piece.

Cheers,

Richard
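
Richard's diagnosis is the general rule for any OE recipe that inherits autotools: do_configure runs autoreconf, so `configure` is regenerated from `configure.ac`, and a hunk against `configure` is redundant at best and, on a rebuild, fails to apply against the regenerated file. The script below is an added example written for this page, not code from the thread, from bash or from OpenEmbedded. It lists the generated files a recipe patch touches and rewrites the patch without those sections. It assumes -p1 style paths, the generated-file list in `GENERATED_FILES`, and a constructed sample patch (not the real bash-CVE-2019-18276.patch).

```sh
# Added example, not code from the thread, bash or OE: strip the file sections
# for autotools-generated files out of a recipe patch, so that only
# configure.ac is patched and autoreconf in do_configure regenerates configure.
# POSIX sh + awk only. Assumptions: -p1 style paths (a/configure,
# bash-5.0/configure) as OE's default quilt PATCHTOOL expects, and a recipe that
# inherits autotools, so the files listed here really are regenerated (assumed list).
GENERATED_FILES="configure config.h.in aclocal.m4 Makefile.in"

# diff_exclude PATH <in >out: drop every file section whose -p1 path is PATH.
diff_exclude() {
    awk -v skip="$1" '
    function p1path(s,   p) {
        p = s
        sub(/^(---|[+][+][+]) /, "", p)          # "--- " / "+++ " marker
        sub(/\t.*$/, "", p)                      # "\tTIMESTAMP" from plain diff -u
        if (p ~ /\//) sub(/^[^\/]*\//, "", p)    # a/, b/, bash-5.0.orig/ -> -p1
        return p
    }
    BEGIN { drop = 0; pending = "" }
    # git "diff --git" or quilt "Index:" opens a section: hold it (with its
    # index/mode/=== lines) until the "+++" line names the file.
    /^(diff |Index: )/ { printf "%s", pending; drop = 0; pending = $0 "\n"; next }
    /^--- / {
        line = $0; r = (getline nxt)
        if (r > 0 && nxt ~ /^[+][+][+] /) {
            # "--- x" directly followed by "+++ y" starts a file section.
            name = p1path(nxt)
            if (nxt ~ /^[+][+][+] \/dev\/null/) name = p1path(line)   # deleted file
            drop = (name == skip)
            if (!drop) { printf "%s", pending; print line; print nxt }
            pending = ""
            next
        }
        # Otherwise hunk body (a removed line that itself began with "-- ").
        if (!drop) { print line; if (r > 0) print nxt }
        next
    }
    {
        if (pending != "") { pending = pending $0 "\n"; next }
        if (!drop) print
    }
    END { printf "%s", pending }'
}

# diff_paths <in: the -p1 path of every file section, from its "+++" line.
diff_paths() {
    awk '/^[+][+][+] / { p = $2; if (p ~ /\//) sub(/^[^\/]*\//, "", p); print p }'
}

# generated_in_patch FILE: print the generated files the patch touches; true if any.
generated_in_patch() {
    found=0
    for f in $(diff_paths < "$1"); do
        for g in $GENERATED_FILES; do
            case "$f" in
                "$g"|*/"$g") echo "$f"; found=1 ;;
            esac
        done
    done
    [ "$found" -eq 1 ]
}

# strip_generated IN OUT: copy IN to OUT minus every generated-file section.
strip_generated() {
    cp "$1" "$2"
    for f in $(generated_in_patch "$1"); do
        diff_exclude "$f" < "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    done
}

# Constructed sample (not the real bash-CVE-2019-18276.patch): a configure.ac
# change together with the regenerated configure a CVE fix typically drags in.
sample_patch() {
cat <<'EOF'
Subject: [PATCH] sample: configure.ac change plus regenerated configure

Upstream-Status: Pending
Signed-off-by: Example <example@example.invalid>
---
diff --git a/configure b/configure
--- a/configure
+++ b/configure
@@ -10281 +10281 @@
-old generated line
+new generated line
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -1 +1 @@
-AC_INIT([bash], [5.0])
+AC_INIT([bash], [5.0-fixed])
EOF
}

demo() {   # what the sample touches, then what is left after stripping
    dir=$(mktemp -d); sample_patch > "$dir/orig.patch"
    generated_in_patch "$dir/orig.patch"; strip_generated "$dir/orig.patch" "$dir/fixed.patch"
    diff_paths < "$dir/fixed.patch"; rm -rf "$dir"
}
```

Source the file and run `demo` to see the sample before and after. A diffstat summary above the first diff header, if the patch has one, is left as it was; quilt does not read it. patchutils' filterdiff (`-p1 -x configure`) does the same job where it is installed. After rewriting a recipe's patch, Richard's two-step reproduction further down the thread (`bitbake bash -c configure`, then `bitbake bash -c patch -f`) is the check that it now re-applies over a regenerated configure.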




* Re: bash: Fix CVE-2019-18276
  2020-02-17  9:55   ` Richard Purdie
@ 2020-02-18  6:41     ` Phil Reid
  2020-02-18  8:14       ` Richard Purdie
  0 siblings, 1 reply; 17+ messages in thread
From: Phil Reid @ 2020-02-18  6:41 UTC (permalink / raw)
  To: Richard Purdie, Andrey Zhizhikin, Armin Kuster (akuster808@gmail.com)
  Cc: Patches and discussions about the oe-core layer

On 17/02/2020 17:55, Richard Purdie wrote:
> On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote:
>> On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au>
>> wrote:
>>> Hi All,
>>>
>>> I recently started getting the following failure with bash after
>>> "b348e31c93f0 bash: Fix CVE-2019-18276"
>>> was applied to zeus.
>>>
>>> Any thoughts?
>>>
>>>
>>> [...]
>>
>> Had the same issue the day before, re-building bash clean solved it.
>> At first I wanted to report it as well, but then after I tried "-c
>> cleanall" - the issue was gone.
>>
>> Try to do a clean build of bash and see if it is still reproducible.
> 
> I think I understand what happens here. When you do a rebuild, bitbake
> tries to pop off all the old patches, then apply the new ones.
> 
> In this case it's patching configure, which we rebuild. It therefore
> can't apply the new patch to configure since it's changed by the
> do_configure task.
> 
> The fix is to remove the configure change from the patch since we just
> need the configure.ac piece.
> 
I've run "bitbake -c cleanall bash" and the build has then succeeded.
I guess we wait and see if it pops up again when bash needs to be rebuilt.

I did try quickly hacking the patch and removing the configure patch section, but
the resulting configure looked different. So I went with the easy option above.

Thanks
Phil



* Re: bash: Fix CVE-2019-18276
  2020-02-18  6:41     ` Phil Reid
@ 2020-02-18  8:14       ` Richard Purdie
  0 siblings, 0 replies; 17+ messages in thread
From: Richard Purdie @ 2020-02-18  8:14 UTC (permalink / raw)
  To: Phil Reid, Andrey Zhizhikin, Armin Kuster (akuster808@gmail.com)
  Cc: Patches and discussions about the oe-core layer

On Tue, 2020-02-18 at 14:41 +0800, Phil Reid wrote:
> On 17/02/2020 17:55, Richard Purdie wrote:
> > On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote:
> > > On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <
> > > preid@electromag.com.au>
> > > wrote:
> > > > Hi All,
> > > > 
> > > > I recently started getting the following failure with bash after
> > > > "b348e31c93f0 bash: Fix CVE-2019-18276"
> > > > was applied to zeus.
> > > > 
> > > > Any thoughts?
> > > > 
> > > > 
> > > > [...]
> > > 
> > > Had the same issue the day before, re-building bash clean solved
> > > it.
> > > At first I wanted to report it as well, but then after I tried "-
> > > c
> > > cleanall" - the issue was gone.
> > > 
> > > Try to do a clean build of bash and see if it is still
> > > reproducible.
> > 
> > I think I understand what happens here. When you do a rebuild,
> > bitbake
> > tries to pop off all the old patches, then apply the new ones.
> > 
> > In this case it's patching configure, which we rebuild. It therefore
> > can't apply the new patch to configure since it's changed by the
> > do_configure task.
> > 
> > The fix is to remove the configure change from the patch since we
> > just
> > need the configure.ac piece.
> > 
> I've run "bitbake -c cleanall bash" and the build has then succeeded.
> I guess we wait and see if it pops up again when bash needs to be
> rebuilt.
> 
> I did try quickly hacking the patch and removing the configure patch
> section, but the resulting configure looked different. So I went with
> the easy option above.

Reproducing should be as simple as:

bitbake bash -c configure
bitbake bash -c patch -f

Cheers,

Richard





* Re: bash: Fix CVE-2019-18276
  2020-03-03 23:49             ` Mittal, Anuj
@ 2020-03-04  1:16               ` Yu, Mingli
  0 siblings, 0 replies; 17+ messages in thread
From: Yu, Mingli @ 2020-03-04  1:16 UTC (permalink / raw)
  To: Mittal, Anuj, openembedded-core

Got it, thanks Anuj!

Thanks,
Mingli
________________________________________
From: openembedded-core-bounces@lists.openembedded.org [openembedded-core-bounces@lists.openembedded.org] on behalf of Mittal, Anuj [anuj.mittal@intel.com]
Sent: Wednesday, March 04, 2020 7:49 AM
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] bash: Fix CVE-2019-18276

On Tue, 2020-03-03 at 03:11 +0000, Yu, Mingli wrote:
> Hi Anuj,
>
> I agree the Backport status is not accurate as the patch doesn't go
> to master branch, but why do you say the patch is irrelevant to the
> CVE-2019-18276, could you help to provide more info?

I didn't say that the patch was irrelevant to the CVE. I had said that
not all the changes were relevant. I believe the glob changes in the
patch were irrelevant. Those changes also introduced a failure in bash
ptests.

Thanks,

Anuj


* Re: bash: Fix CVE-2019-18276
       [not found]             ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu>
@ 2020-03-04  1:14               ` Yu, Mingli
  0 siblings, 0 replies; 17+ messages in thread
From: Yu, Mingli @ 2020-03-04  1:14 UTC (permalink / raw)
  To: chet.ramey, Mittal, Anuj, richard.purdie, openembedded-core, Huo,
	De, preid, akuster808

Thanks Chet very much for your confirmation!

If the commit fixes CVE-2019-18276, why is it merged to the master branch?

Thanks,
Mingli
________________________________________
From: Chet Ramey [chet.ramey@case.edu]
Sent: Tuesday, March 03, 2020 9:55 PM
To: Yu, Mingli; Mittal, Anuj; richard.purdie@linuxfoundation.org; openembedded-core@lists.openembedded.org; Huo, De; preid@electromag.com.au; akuster808@gmail.com
Cc: chet.ramey@case.edu
Subject: Re: [OE-core] bash: Fix CVE-2019-18276

On 3/2/20 10:11 PM, Yu, Mingli wrote:

> Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help to provide some info here?

Yes, the changes from 6/27 fix the issue in the CVE.


--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/


* Re: bash: Fix CVE-2019-18276
  2020-03-03  3:11           ` Yu, Mingli
@ 2020-03-03 23:49             ` Mittal, Anuj
  2020-03-04  1:16               ` Yu, Mingli
       [not found]             ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu>
  1 sibling, 1 reply; 17+ messages in thread
From: Mittal, Anuj @ 2020-03-03 23:49 UTC (permalink / raw)
  To: openembedded-core

On Tue, 2020-03-03 at 03:11 +0000, Yu, Mingli wrote:
> Hi Anuj,
> 
> I agree the Backport status is not accurate as the patch doesn't go
> to master branch, but why do you say the patch is irrelevant to the
> CVE-2019-18276, could you help to provide more info?

I didn't say that the patch was irrelevant to the CVE. I had said that
not all the changes were relevant. I believe the glob changes in the
patch were irrelevant. Those changes also introduced a failure in bash
ptests.

Thanks,

Anuj


* Re: bash: Fix CVE-2019-18276
  2020-02-18 15:43         ` Mittal, Anuj
  2020-02-18 15:49           ` Richard Purdie
  2020-02-19  3:56           ` dhuo
@ 2020-03-03  3:11           ` Yu, Mingli
  2020-03-03 23:49             ` Mittal, Anuj
       [not found]             ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu>
  2 siblings, 2 replies; 17+ messages in thread
From: Yu, Mingli @ 2020-03-03  3:11 UTC (permalink / raw)
  To: Mittal, Anuj, chet.ramey, richard.purdie, openembedded-core, Huo,
	De, preid, akuster808

Hi Anuj,

I agree the Backport status is not accurate as the patch doesn't go to master branch, but why do you say the patch is irrelevant to the CVE-2019-18276, could you help to provide more info?

Hi Chet,
Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help to provide some info here?

Thanks,
Mingli
________________________________________
From: openembedded-core-bounces@lists.openembedded.org [openembedded-core-bounces@lists.openembedded.org] on behalf of Mittal, Anuj [anuj.mittal@intel.com]
Sent: Tuesday, February 18, 2020 11:43 PM
To: chet.ramey@case.edu; richard.purdie@linuxfoundation.org; openembedded-core@lists.openembedded.org; Huo, De; preid@electromag.com.au; akuster808@gmail.com
Subject: Re: [OE-core] bash: Fix CVE-2019-18276

On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > On 2/17/20 9:46 PM, Huo, De wrote:
> > >  I applied the patch to fix CVE defect CVE-2019-18276.
> >
> > That's not exactly an answer to the question of who produced the
> > patch.
> > If that patch is the one causing failures when it's applied,
> > doesn't it
> > make sense to go back to the person who produced it and ask them to
> > update it if necessary?
>
> It's likely a general CVE patch where both configure and configure.ac
> are patched. For OE, we can drop the configure part since we
> reautoconf
> the code. It's therefore the OE port of the patch which is likely at
> fault.
>
> Someone just needs to remove that section of the patch.

There are other issues with this patch which should also be fixed I
think. It has been marked as a Backport while it is not one. The patch
includes changes that are irrelevant to the CVE. And, it should have
gone to master first.


Thanks,

Anuj


* Re: bash: Fix CVE-2019-18276
  2020-02-19 15:46             ` akuster808
@ 2020-02-19 18:55               ` Richard Purdie
  0 siblings, 0 replies; 17+ messages in thread
From: Richard Purdie @ 2020-02-19 18:55 UTC (permalink / raw)
  To: akuster808, Mittal, Anuj, chet.ramey, openembedded-core, De.Huo, preid

On Wed, 2020-02-19 at 07:46 -0800, akuster808 wrote:
> 
> On 2/18/20 7:49 AM, Richard Purdie wrote:
> > On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote:
> > > On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> > > > 
> > > > Someone just needs to remove that section of the patch.
> > > There are other issues with this patch which should also be fixed
> > > I
> > > think. It has been marked as a Backport while it is not one. The
> > > patch
> > > includes changes that are irrelevant to the CVE. And, it should
> > > have
> > > gone to master first.
> > I shall await guidance from you/Armin then.
> 
> We should revert the commit. I'll send a patch.

Anuj sent it, I've merged it to zeus. Open questions:

Should we ship 3.0.2 rc2?
Did this patch cause this regression:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795

Cheers,

Richard




* Re: bash: Fix CVE-2019-18276
  2020-02-18 15:49           ` Richard Purdie
@ 2020-02-19 15:46             ` akuster808
  2020-02-19 18:55               ` Richard Purdie
  0 siblings, 1 reply; 17+ messages in thread
From: akuster808 @ 2020-02-19 15:46 UTC (permalink / raw)
  To: Richard Purdie, Mittal, Anuj, chet.ramey, openembedded-core,
	De.Huo, preid



On 2/18/20 7:49 AM, Richard Purdie wrote:
> On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote:
>> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
>>> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
>>>> On 2/17/20 9:46 PM, Huo, De wrote:
>>>>>  I applied the patch to fix CVE defect CVE-2019-18276.
>>>> That's not exactly an answer to the question of who produced the
>>>> patch.
>>>> If that patch is the one causing failures when it's applied,
>>>> doesn't it
>>>> make sense to go back to the person who produced it and ask them
>>>> to
>>>> update it if necessary?
>>> It's likely a general CVE patch where both configure and
>>> configure.ac
>>> are patched. For OE, we can drop the configure part since we
>>> reautoconf
>>> the code. It's therefore the OE port of the patch which is likely at
>>> fault.
>>>
>>> Someone just needs to remove that section of the patch.
>> There are other issues with this patch which should also be fixed I
>> think. It has been marked as a Backport while it is not one. The
>> patch
>> includes changes that are irrelevant to the CVE. And, it should have
>> gone to master first.
> I shall await guidance from you/Armin then.

We should revert the commit. I'll send a patch.

- Armin
>
> Cheers,
>
> Richard
>




* Re: bash: Fix CVE-2019-18276
       [not found]     ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu>
  2020-02-18 15:35       ` Richard Purdie
@ 2020-02-19  4:01       ` dhuo
  1 sibling, 0 replies; 17+ messages in thread
From: dhuo @ 2020-02-19  4:01 UTC (permalink / raw)
  To: chet.ramey, Phil Reid, akuster808, Richard Purdie,
	Patches and discussions about the oe-core layer

Hi All,

Do you know how to reproduce this issue on my side?

Since we also provide this patch in our current WRLinux product.

Thanks in advance.

On 2020/2/18 23:28, Chet Ramey wrote:
> On 2/17/20 9:46 PM, Huo, De wrote:
>>   I applied the patch to fix CVE defect CVE-2019-18276.
> That's not exactly an answer to the question of who produced the patch.
> If that patch is the one causing failures when it's applied, doesn't it
> make sense to go back to the person who produced it and ask them to
> update it if necessary?
>



* Re: bash: Fix CVE-2019-18276
  2020-02-18 15:43         ` Mittal, Anuj
  2020-02-18 15:49           ` Richard Purdie
@ 2020-02-19  3:56           ` dhuo
  2020-03-03  3:11           ` Yu, Mingli
  2 siblings, 0 replies; 17+ messages in thread
From: dhuo @ 2020-02-19  3:56 UTC (permalink / raw)
  To: Mittal, Anuj, chet.ramey, richard.purdie, openembedded-core,
	preid, akuster808

Hi Anuj,

Do you think there are irrelevant changes to the CVE in
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff or in this patch?

Could you please specify what's the irrelevant part?

I ask this because we also use this patch in our product.

Thanks in advance.

On 2020/2/18 23:43, Mittal, Anuj wrote:
> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
>> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
>>> On 2/17/20 9:46 PM, Huo, De wrote:
>>>>   I applied the patch to fix CVE defect CVE-2019-18276.
>>> That's not exactly an answer to the question of who produced the
>>> patch.
>>> If that patch is the one causing failures when it's applied,
>>> doesn't it
>>> make sense to go back to the person who produced it and ask them to
>>> update it if necessary?
>> It's likely a general CVE patch where both configure and configure.ac
>> are patched. For OE, we can drop the configure part since we
>> reautoconf
>> the code. It's therefore the OE port of the patch which is likely at
>> fault.
>>
>> Someone just needs to remove that section of the patch.
> There are other issues with this patch which should also be fixed I
> think. It has been marked as a Backport while it is not one. The patch
> includes changes that are irrelevant to the CVE. And, it should have
> gone to master first.
>
> Thanks,
>
> Anuj



* Re: bash: Fix CVE-2019-18276
  2020-02-18 15:43         ` Mittal, Anuj
@ 2020-02-18 15:49           ` Richard Purdie
  2020-02-19 15:46             ` akuster808
  2020-02-19  3:56           ` dhuo
  2020-03-03  3:11           ` Yu, Mingli
  2 siblings, 1 reply; 17+ messages in thread
From: Richard Purdie @ 2020-02-18 15:49 UTC (permalink / raw)
  To: Mittal, Anuj, chet.ramey, openembedded-core, De.Huo, preid, akuster808

On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote:
> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > > On 2/17/20 9:46 PM, Huo, De wrote:
> > > >  I applied the patch to fix CVE defect CVE-2019-18276.
> > > 
> > > That's not exactly an answer to the question of who produced the
> > > patch.
> > > If that patch is the one causing failures when it's applied,
> > > doesn't it
> > > make sense to go back to the person who produced it and ask them
> > > to
> > > update it if necessary?
> > 
> > It's likely a general CVE patch where both configure and
> > configure.ac
> > are patched. For OE, we can drop the configure part since we
> > reautoconf
> > the code. It's therefore the OE port of the patch which is likely at
> > fault.
> > 
> > Someone just needs to remove that section of the patch.
> 
> There are other issues with this patch which should also be fixed I
> think. It has been marked as a Backport while it is not one. The
> patch
> includes changes that are irrelevant to the CVE. And, it should have
> gone to master first.

I shall await guidance from you/Armin then.

Cheers,

Richard




* Re: bash: Fix CVE-2019-18276
  2020-02-18 15:35       ` Richard Purdie
@ 2020-02-18 15:43         ` Mittal, Anuj
  2020-02-18 15:49           ` Richard Purdie
                             ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: Mittal, Anuj @ 2020-02-18 15:43 UTC (permalink / raw)
  To: chet.ramey, richard.purdie, openembedded-core, De.Huo, preid, akuster808

On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > On 2/17/20 9:46 PM, Huo, De wrote:
> > >  I applied the patch to fix CVE defect CVE-2019-18276.
> > 
> > That's not exactly an answer to the question of who produced the
> > patch.
> > If that patch is the one causing failures when it's applied,
> > doesn't it
> > make sense to go back to the person who produced it and ask them to
> > update it if necessary?
> 
> It's likely a general CVE patch where both configure and configure.ac
> are patched. For OE, we can drop the configure part since we
> reautoconf
> the code. It's therefore the OE port of the patch which is likely at
> fault.
> 
> Someone just needs to remove that section of the patch.

There are other issues with this patch which should also be fixed I
think. It has been marked as a Backport while it is not one. The patch
includes changes that are irrelevant to the CVE. And, it should have
gone to master first.

Thanks,

Anuj


* Re: bash: Fix CVE-2019-18276
       [not found]     ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu>
@ 2020-02-18 15:35       ` Richard Purdie
  2020-02-18 15:43         ` Mittal, Anuj
  2020-02-19  4:01       ` dhuo
  1 sibling, 1 reply; 17+ messages in thread
From: Richard Purdie @ 2020-02-18 15:35 UTC (permalink / raw)
  To: chet.ramey, Huo, De, Phil Reid, akuster808,
	Patches and discussions about the oe-core layer

On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> On 2/17/20 9:46 PM, Huo, De wrote:
> >  I applied the patch to fix CVE defect CVE-2019-18276.
> 
> That's not exactly an answer to the question of who produced the patch.
> If that patch is the one causing failures when it's applied, doesn't it
> make sense to go back to the person who produced it and ask them to
> update it if necessary?

It's likely a general CVE patch where both configure and configure.ac
are patched. For OE, we can drop the configure part since we reautoconf
the code. It's therefore the OE port of the patch which is likely at
fault.

Someone just needs to remove that section of the patch.

Cheers,

Richard



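An added example, not code from this thread or from OpenEmbedded, of the step Richard describes above: filtering the section that patches the generated `configure` script out of a unified diff, so that the remaining patch only touches `configure.ac`, which the OE build regenerates from. The function names, the sample patch and the file paths are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from this thread or from OE): drop the section of a
# unified diff that patches a generated file such as "configure", keeping
# the configure.ac hunks that the build regenerates from.
# Function names, paths and the sample patch are constructed assumptions.

# List the files a unified diff touches, read from each "--- "/"+++ " header pair.
patch_files() {
    awk '
        prev ~ /^--- / && $0 ~ /^\+\+\+ / { f = $2; sub(/^[ab]\//, "", f); print f }
        { prev = $0 }
    ' "$1"
}

# Print the diff in file $1 with every section for path $2 removed.
# A section runs from its "diff "/"Index:" line (or, when there is none, from
# its "--- " header) up to the next such boundary; anything before the first
# section (commit message, diffstat) is passed through unchanged.
strip_file_from_patch() {
    awk -v target="$2" '
        function flush() { if (!drop) printf "%s", held; held = "" }
        /^(diff |Index: )/ { flush(); drop = 0; hdr = 1 }
        prev ~ /^--- / && $0 ~ /^\+\+\+ / {
            if (!hdr) {   # no diff/Index line: the section began at the "---" line
                held = before; flush(); drop = 0; held = prev "\n"
            }
            f = $2; sub(/^[ab]\//, "", f)
            drop = (f == target); hdr = 0
        }
        { before = held; held = held $0 "\n"; prev = $0 }
        END { flush() }
    ' "$1"
}

# Write a small constructed patch (not the real CVE patch) to path $1. It has
# the shape discussed in the thread: hunks for both configure and configure.ac.
write_sample_patch() {
    cat > "$1" <<'EOF'
Subject: [PATCH] sample backport that also patches a generated file

---
 configure    | 2 +-
 configure.ac | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
--- a/configure
+++ b/configure
@@ -1,3 +1,3 @@
 #! /bin/sh
-old_generated_test
+new_generated_test
 exit 0
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -1,3 +1,3 @@
 AC_INIT([demo], [1.0])
-old_macro
+new_macro
 AC_OUTPUT
EOF
}

# Filter the sample and report which files the OE-side patch still touches.
demo() {
    tmp=$(mktemp -d)
    write_sample_patch "$tmp/cve.patch"
    strip_file_from_patch "$tmp/cve.patch" configure > "$tmp/cve-oe.patch"
    patch_files "$tmp/cve-oe.patch"
    rm -rf "$tmp"
}
```

Running `patch_files` over a candidate patch before it goes into a recipe shows at a glance whether it carries hunks for generated files. Two limits to keep in mind: the filter only understands unified diffs, not the context-diff (`***`/`---`) format that upstream bash patches use, and the diffstat in the preamble still lists the removed file, so the trimmed patch should be checked with `quilt push` or `git apply --check` before it is committed.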

* Re: bash: Fix CVE-2019-18276
       [not found] ` <4f09ab13-9571-3464-2fc3-334bc91b9c09@case.edu>
@ 2020-02-18  2:46   ` Huo, De
       [not found]     ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu>
  0 siblings, 1 reply; 17+ messages in thread
From: Huo, De @ 2020-02-18  2:46 UTC (permalink / raw)
  To: chet.ramey, Phil Reid, akuster808, Richard Purdie,
	Patches and discussions about the oe-core layer

I applied the patch to fix CVE defect CVE-2019-18276.
Can I reproduce this failure on my side?
________________________________________
From: Chet Ramey [chet.ramey@case.edu]
Sent: Monday, February 17, 2020 10:24 PM
To: Phil Reid; Huo, De; akuster808@gmail.com; Richard Purdie; Patches and discussions about the oe-core layer
Cc: chet.ramey@case.edu
Subject: Re: bash: Fix CVE-2019-18276

On 2/16/20 9:56 PM, Phil Reid wrote:
> Hi All,
>
> I recently started getting the following failure with bash after "b348e31c93f0
> bash: Fix CVE-2019-18276"
> was applied to zeus.
>
> Any thoughts?

What is the `Fix CVE-2019-18276' patch? Who supplied it?

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/



Thread overview: 17+ messages
2020-02-17  3:26 bash: Fix CVE-2019-18276 Phil Reid
2020-02-17  6:44 ` Andrey Zhizhikin
2020-02-17  9:55   ` Richard Purdie
2020-02-18  6:41     ` Phil Reid
2020-02-18  8:14       ` Richard Purdie
     [not found] <aa0bf5f6-aaf2-bfbf-6488-8d65cbe849f7@electromag.com.au>
     [not found] ` <4f09ab13-9571-3464-2fc3-334bc91b9c09@case.edu>
2020-02-18  2:46   ` Huo, De
     [not found]     ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu>
2020-02-18 15:35       ` Richard Purdie
2020-02-18 15:43         ` Mittal, Anuj
2020-02-18 15:49           ` Richard Purdie
2020-02-19 15:46             ` akuster808
2020-02-19 18:55               ` Richard Purdie
2020-02-19  3:56           ` dhuo
2020-03-03  3:11           ` Yu, Mingli
2020-03-03 23:49             ` Mittal, Anuj
2020-03-04  1:16               ` Yu, Mingli
     [not found]             ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu>
2020-03-04  1:14               ` Yu, Mingli
2020-02-19  4:01       ` dhuo
