svn commit: r369341 - in head: . shells/bash shells/bash/files
Bryan Drewery
bdrewery at FreeBSD.org
Fri Sep 26 20:33:24 UTC 2014
Author: bdrewery
Date: Fri Sep 26 20:33:23 2014
New Revision: 369341
URL: http://svnweb.freebsd.org/changeset/ports/369341
QAT: https://qat.redports.org/buildarchive/r369341/
Log:
Disable function importing from the environment by default. This can be
enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.
This removes the risk of further parser bugs leading to code execution, as
well as the risk to setuid scripts and poorly written applications that
do not cleanse their environment [1][2].
Also note that there is an unofficial 4.3.26 floating around that has not yet
been officially released. r369261 covers the change in 4.3.26.
See also:
http://seclists.org/oss-sec/2014/q3/747 [1]
http://seclists.org/oss-sec/2014/q3/746 [2]
http://seclists.org/oss-sec/2014/q3/755 [3]
Obtained from: NetBSD (based on) [3]
PR: 193932
Reviewed by: Eric Vangyzen
With hat: portmgr
Added:
head/shells/bash/files/extrapatch-import-functions (contents, props changed)
Modified:
head/UPDATING
head/shells/bash/Makefile
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Fri Sep 26 20:21:09 2014 (r369340)
+++ head/UPDATING Fri Sep 26 20:33:23 2014 (r369341)
@@ -6,6 +6,22 @@ You should get into the habit of checkin
you update your ports collection, before attempting any port upgrades.
20140926:
+ AFFECTS: users of shells/bash
+ AUTHOR: bdrewery at FreeBSD.org
+
+ Bash supports a feature of exporting functions in the environment with
+ export -f. Running bash with exported functioned in the environment will
+ then import those functions into the environment. This resulted in
+ security issues CVE-2014-6271 and CVE-2014-7169, commonly known as
+ "shellshock".
+
+ To fully mitigate against this sort of attack we have applied a non-upstream
+ patch to disable this functionality by default. You can execute bash
+ with --import-functions to allow it to import functions from the
+ environment. The default can also be changed in the port by selecting the
+ IMPORTFUNCTIONS option.
+
+20140926:
AFFECTS: users of net/asterisk and net/asterisk11
AUTHOR: madpilot at FreeBSD.org
Modified: head/shells/bash/Makefile
==============================================================================
--- head/shells/bash/Makefile Fri Sep 26 20:21:09 2014 (r369340)
+++ head/shells/bash/Makefile Fri Sep 26 20:33:23 2014 (r369341)
@@ -4,7 +4,7 @@
PORTNAME= bash
PATCHLEVEL= 25
PORTVERSION= 4.3.${PATCHLEVEL:S/^0//g}
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES= shells
MASTER_SITES= GNU
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -25,10 +25,12 @@ COMMENT= The GNU Project's Bourne Again
LICENSE= GPLv3
OPTIONS_DEFINE= IMPLICITCD COLONBREAKSWORDS HELP NLS STATIC SYSLOG DOCS
+OPTIONS_DEFINE+= IMPORTFUNCTIONS
OPTIONS_DEFAULT= IMPLICITCD COLONBREAKSWORDS HELP NLS
IMPLICITCD_DESC= Use directory name alone to cd into it
COLONBREAKSWORDS_DESC= Colons break words
HELP_DESC= Enable builtin help
+IMPORTFUNCTIONS_DESC= Import function from env without --import-functions
USES= bison cpe makeinfo
OPTIONS_SUB= yes
@@ -36,6 +38,8 @@ CPE_VENDOR= gnu
IMPLICITCD_EXTRA_PATCHES= ${PATCHDIR}/extrapatch-implicitcd
COLONBREAKSWORDS_EXTRA_PATCHES= ${PATCHDIR}/extrapatch-colonbreakswords
+# Always apply this for now. The option will modify the default.
+EXTRA_PATCHES+= ${PATCHDIR}/extrapatch-import-functions
HELP_CONFIGURE_ENABLE= help-builtin
NLS_CONFIGURE_ENABLE= nls
@@ -54,6 +58,12 @@ CONFIGURE_ARGS+= --without-bash-malloc \
.include <bsd.port.options.mk>
+.if ${PORT_OPTIONS:MIMPORTFUNCTIONS}
+CFLAGS+= -DIMPORT_FUNCTIONS_DEF=1
+.else
+CFLAGS+= -DIMPORT_FUNCTIONS_DEF=0
+.endif
+
.if ${PORT_OPTIONS:MSTATIC} || defined(NO_DYNAMICROOT) || (defined(NOSHARED) && ${NOSHARED:tl} != "no")
CONFIGURE_ARGS+= --enable-static-link
PKGNAMESUFFIX= -static
Added: head/shells/bash/files/extrapatch-import-functions
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/shells/bash/files/extrapatch-import-functions Fri Sep 26 20:33:23 2014 (r369341)
@@ -0,0 +1,43 @@
+Based on christos at NetBSD's patch
+
+--- shell.c.christos 2014-01-14 08:04:32.000000000 -0500
++++ shell.c 2014-09-25 16:11:51.000000000 -0400
+@@ -229,6 +229,7 @@
+ #else
+ int posixly_correct = 0; /* Non-zero means posix.2 superset. */
+ #endif
++int import_functions = IMPORT_FUNCTIONS_DEF; /* Import functions from environment */
+
+ /* Some long-winded argument names. These are obviously new. */
+ #define Int 1
+@@ -248,6 +249,7 @@
+ { "help", Int, &want_initial_help, (char **)0x0 },
+ { "init-file", Charp, (int *)0x0, &bashrc_file },
+ { "login", Int, &make_login_shell, (char **)0x0 },
++ { "import-functions", Int, &import_functions, (char **)0x0 },
+ { "noediting", Int, &no_line_editing, (char **)0x0 },
+ { "noprofile", Int, &no_profile, (char **)0x0 },
+ { "norc", Int, &no_rc, (char **)0x0 },
+
+$NetBSD: patch-variables.c,v 1.1 2014/09/25 20:28:32 christos Exp $
+
+Only read functions from environment if flag is set.
+--- variables.c.christos 2014-09-25 16:09:41.000000000 -0400
++++ variables.c 2014-09-25 16:12:10.000000000 -0400
+@@ -105,6 +105,7 @@
+ extern int assigning_in_environment;
+ extern int executing_builtin;
+ extern int funcnest_max;
++extern int import_functions;
+
+ #if defined (READLINE)
+ extern int no_line_editing;
+@@ -349,7 +350,7 @@ initialize_shell_variables (env, privmod
+
+ /* If exported function, define it now. Don't import functions from
+ the environment in privileged mode. */
+- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++ if (import_functions && privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+ {
+ string_length = strlen (string);
+ temp_string = (char *)xmalloc (3 + string_length + char_index);
More information about the svn-ports-head
mailing list