1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-17 04:07:06 +00:00

7 Commits

Author SHA1 Message Date
Catalin Popeanga bda51ee782 bash: Fix-for-CVE-2014-6278
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

(From OE-Core rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-10 18:06:09 +01:00
Catalin Popeanga 5dd12beccd bash: Fix for CVE-2014-6277
Follow up bash43-026 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

(From OE-Core rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-10 18:06:09 +01:00
Catalin Popeanga 1d21eaf4e0 bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

(From OE-Core rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-10 18:06:08 +01:00
Catalin Popeanga 95821e8566 bash: Fix for exported function namespace change
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.

(From OE-Core rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-10 18:06:08 +01:00
Khem Raj 9fee4d138b bash: Fix CVE-2014-7169
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment

Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core rev: e358d20e8ccf1299e8a046e743a31e92546cd239)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-09-29 12:16:38 +01:00
Ross Burton 87e924e377 bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.

"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."

(From OE-Core rev: eb41d5d4eaee1c810f8e418704c110c2005d0197)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-09-29 12:16:38 +01:00
Hongxu Jia a163269725 bash: upgrade to 4.3
The bash-4.2-patches is obsolete.

(From OE-Core rev: 31eb09a888729fcfd17d02f2a47375e10e87f79a)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-03-05 15:50:20 +00:00