svn commit: r369345 - in branches/2014Q3: . shells/bash shells/bash/files

Bryan Drewery bdrewery at FreeBSD.org
Fri Sep 26 21:10:27 UTC 2014 

Author: bdrewery
Date: Fri Sep 26 21:10:26 2014
New Revision: 369345
URL: http://svnweb.freebsd.org/changeset/ports/369345
QAT: https://qat.redports.org/buildarchive/r369345/

Log:
  MFH: r369341
  
  Disable function importing from the environment by default.  This can be
  enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.
  
  This removes the risk of further parser bugs leading to code execution, as
  well as the risk to setuid scripts and poorly written applications that
  do not cleanse their environment [1][2].
  
  Also note that there is an unofficial 4.3.26 floating around that has not yet
  been officially released.  r369261 covers the change in 4.3.26.
  
  See also:
    http://seclists.org/oss-sec/2014/q3/747 [1]
    http://seclists.org/oss-sec/2014/q3/746 [2]
    http://seclists.org/oss-sec/2014/q3/755 [3]
  
  Obtained from:	NetBSD (based on) [3]
  PR:		193932
  Reviewed by:	Eric Vangyzen
  With hat:	portmgr

Added:
  branches/2014Q3/shells/bash/files/extrapatch-import-functions
     - copied unchanged from r369341, head/shells/bash/files/extrapatch-import-functions
Modified:
  branches/2014Q3/UPDATING
  branches/2014Q3/shells/bash/Makefile
Directory Properties:
  branches/2014Q3/   (props changed)

Modified: branches/2014Q3/UPDATING
==============================================================================
--- branches/2014Q3/UPDATING	Fri Sep 26 20:47:35 2014	(r369344)
+++ branches/2014Q3/UPDATING	Fri Sep 26 21:10:26 2014	(r369345)
@@ -5,6 +5,22 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20140926:
+  AFFECTS: users of shells/bash
+  AUTHOR: bdrewery at FreeBSD.org
+
+  Bash supports a feature of exporting functions in the environment with
+  export -f.  Running bash with exported functioned in the environment will
+  then import those functions into the environment.  This resulted in
+  security issues CVE-2014-6271 and CVE-2014-7169, commonly known as
+  "shellshock".
+
+  To fully mitigate against this sort of attack we have applied a non-upstream
+  patch to disable this functionality by default.  You can execute bash
+  with --import-functions to allow it to import functions from the
+  environment.  The default can also be changed in the port by selecting the
+  IMPORTFUNCTIONS option.
+
 20140627:
   AFFECTS: Users of Java
   AUTHOR: swills at FreeBSD.org

Modified: branches/2014Q3/shells/bash/Makefile
==============================================================================
--- branches/2014Q3/shells/bash/Makefile	Fri Sep 26 20:47:35 2014	(r369344)
+++ branches/2014Q3/shells/bash/Makefile	Fri Sep 26 21:10:26 2014	(r369345)
@@ -4,7 +4,7 @@
 PORTNAME=		bash
 PATCHLEVEL=		25
 PORTVERSION=		4.3.${PATCHLEVEL:S/^0//g}
-PORTREVISION?=		1
+PORTREVISION?=		2
 CATEGORIES=		shells
 MASTER_SITES=		GNU
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -25,10 +25,12 @@ COMMENT=		The GNU Project's Bourne Again
 LICENSE=		GPLv3
 
 OPTIONS_DEFINE=		IMPLICITCD COLONBREAKSWORDS HELP NLS STATIC SYSLOG DOCS
+OPTIONS_DEFINE+=	IMPORTFUNCTIONS
 OPTIONS_DEFAULT=	IMPLICITCD COLONBREAKSWORDS HELP NLS
 IMPLICITCD_DESC=	Use directory name alone to cd into it
 COLONBREAKSWORDS_DESC=	Colons break words
 HELP_DESC=		Enable builtin help
+IMPORTFUNCTIONS_DESC=	Import function from env without --import-functions
 
 USES=			bison cpe makeinfo
 OPTIONS_SUB=		yes
@@ -36,6 +38,8 @@ CPE_VENDOR=		gnu
 
 IMPLICITCD_EXTRA_PATCHES=	${PATCHDIR}/extrapatch-implicitcd
 COLONBREAKSWORDS_EXTRA_PATCHES=	${PATCHDIR}/extrapatch-colonbreakswords
+# Always apply this for now. The option will modify the default.
+EXTRA_PATCHES+=			${PATCHDIR}/extrapatch-import-functions
 
 HELP_CONFIGURE_ENABLE=	help-builtin
 NLS_CONFIGURE_ENABLE=	nls
@@ -54,6 +58,12 @@ CONFIGURE_ARGS+=	--without-bash-malloc \
 
 .include <bsd.port.options.mk>
 
+.if ${PORT_OPTIONS:MIMPORTFUNCTIONS}
+CFLAGS+=	-DIMPORT_FUNCTIONS_DEF=1
+.else
+CFLAGS+=	-DIMPORT_FUNCTIONS_DEF=0
+.endif
+
 .if ${PORT_OPTIONS:MSTATIC} || defined(NO_DYNAMICROOT) || (defined(NOSHARED) && ${NOSHARED:tl} != "no")
 CONFIGURE_ARGS+=	--enable-static-link
 PKGNAMESUFFIX=		-static

Copied: branches/2014Q3/shells/bash/files/extrapatch-import-functions (from r369341, head/shells/bash/files/extrapatch-import-functions)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2014Q3/shells/bash/files/extrapatch-import-functions	Fri Sep 26 21:10:26 2014	(r369345, copy of r369341, head/shells/bash/files/extrapatch-import-functions)
@@ -0,0 +1,43 @@
+Based on christos at NetBSD's patch
+
+--- shell.c.christos    2014-01-14 08:04:32.000000000 -0500
++++ shell.c     2014-09-25 16:11:51.000000000 -0400
+@@ -229,6 +229,7 @@
+ #else
+ int posixly_correct = 0;       /* Non-zero means posix.2 superset. */
+ #endif
++int import_functions = IMPORT_FUNCTIONS_DEF;      /* Import functions from environment */
+ 
+ /* Some long-winded argument names.  These are obviously new. */
+ #define Int 1
+@@ -248,6 +249,7 @@
+   { "help", Int, &want_initial_help, (char **)0x0 },
+   { "init-file", Charp, (int *)0x0, &bashrc_file },
+   { "login", Int, &make_login_shell, (char **)0x0 },
++  { "import-functions", Int, &import_functions, (char **)0x0 },
+   { "noediting", Int, &no_line_editing, (char **)0x0 },
+   { "noprofile", Int, &no_profile, (char **)0x0 },
+   { "norc", Int, &no_rc, (char **)0x0 },
+
+$NetBSD: patch-variables.c,v 1.1 2014/09/25 20:28:32 christos Exp $
+
+Only read functions from environment if flag is set.
+--- variables.c.christos        2014-09-25 16:09:41.000000000 -0400
++++ variables.c 2014-09-25 16:12:10.000000000 -0400
+@@ -105,6 +105,7 @@
+ extern int assigning_in_environment;
+ extern int executing_builtin;
+ extern int funcnest_max;
++extern int import_functions;
+ 
+ #if defined (READLINE)
+ extern int no_line_editing;
+@@ -349,7 +350,7 @@ initialize_shell_variables (env, privmod
+ 
+       /* If exported function, define it now.  Don't import functions from
+ 	 the environment in privileged mode. */
+-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++      if (import_functions && privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+ 	{
+ 	  string_length = strlen (string);
+ 	  temp_string = (char *)xmalloc (3 + string_length + char_index);

More information about the svn-ports-branches mailing list