[packages/bash] Another CVE-2014-6271 fix

jajcus jajcus at pld-linux.org
Fri Sep 26 10:18:50 CEST 2014


commit 46cf417a33541ed2d4c5f933cc7fe3fdd4164fda
Author: Jacek Konieczny <j.konieczny at eggsoft.pl>
Date:   Fri Sep 26 10:18:13 2014 +0200

    Another CVE-2014-6271 fix
    
    Should help against some variants of the attack.
    
    Release: 2

 bash-CVE-2014-6271.patch | 13 +++++++++++++
 bash.spec                |  4 +++-
 2 files changed, 16 insertions(+), 1 deletion(-)
---
diff --git a/bash.spec b/bash.spec
index 81d2dc6..983032d 100644
--- a/bash.spec
+++ b/bash.spec
@@ -7,7 +7,7 @@
 # NOTE: when updating patchleve, do not forget to update 'sources' file!
 %define		ver		4.3
 %define		patchlevel	25
-%define		rel		1
+%define		rel		2
 Summary:	GNU Bourne Again Shell (bash)
 Summary(fr.UTF-8):	Le shell Bourne Again de GNU
 Summary(pl.UTF-8):	Powłoka GNU Bourne Again Shell (bash)
@@ -36,6 +36,7 @@ Patch9:		%{name}-backup_history.patch
 Patch10:	%{name}-act_like_sh.patch
 Patch11:	%{name}-elinks_cont.patch
 Patch12:	%{name}-pl.po-update.patch
+Patch13:	%{name}-CVE-2014-6271.patch
 %patchset_source -f https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-%03g 1 %{patchlevel}
 URL:		http://www.gnu.org/software/bash/
 BuildRequires:	autoconf
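Review bot: The new `Patch13` line has no comment saying where the patch comes from or when it can be dropped, while the official fixes arrive through `%patchset_source` up to `%{patchlevel}`. Once a patchlevel bump pulls in an upstream bash43 patch covering the same parse.y change, this local patch will either fail to apply or become silently redundant. I would add a comment above it such as `# local stopgap for a CVE-2014-6271 variant (parse.y); drop when an upstream bash43-NNN patch includes it`. The commit message says it helps only against some variants, so the comment should not suggest the issue is fully closed.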
@@ -194,6 +195,7 @@ tym pakiecie jest wersja basha skonsolidowana statycznie.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 sed -i -e 's#/usr/bin/printf#/bin/printf#g' tests/intl2.sub
 
diff --git a/bash-CVE-2014-6271.patch b/bash-CVE-2014-6271.patch
new file mode 100644
index 0000000..289ad9e
--- /dev/null
+++ b/bash-CVE-2014-6271.patch
@@ -0,0 +1,13 @@
+diff -dur bash-4.3.orig/parse.y bash-4.3/parse.y
+--- bash-4.3.orig/parse.y	2014-09-26 09:50:51.000000000 +0200
++++ bash-4.3/parse.y	2014-09-26 09:51:26.000000000 +0200
+@@ -2955,6 +2955,8 @@
+   FREE (word_desc_to_read);
+   word_desc_to_read = (WORD_DESC *)NULL;
+ 
++  eol_ungetc_lookahead = 0;
++
+   current_token = '\n';		/* XXX */
+   last_read_token = '\n';
+   token_to_read = '\n';
+Only in bash-4.3.orig: parse.y.orig
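Review bot: The fix touches only `parse.y`, so it reaches the binary only if the build regenerates the parser from the grammar; if a pre-generated `y.tab.c` from the tarball is compiled as shipped, `eol_ungetc_lookahead = 0;` never takes effect. Whether regeneration happens depends on the Makefile rules and on a yacc/bison being present at build time, neither of which is visible in this diff, so it is worth confirming in the build log or listing the parser generator in `BuildRequires`. The hunk header has no function context, and the enclosing function starts and ends outside the hunk; a short header in the patch file naming the function and the reason for resetting the lookahead would help the next maintainer. The trailing `Only in bash-4.3.orig: parse.y.orig` line is leftover `diff -r` output and can be dropped from the patch file.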
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/bash.git/commitdiff/46cf417a33541ed2d4c5f933cc7fe3fdd4164fda


