commit: ba53be405112d10b85e88cc2637156804b88bd91 |
Author: Hank Leininger <hlein <AT> korelogic <DOT> com> |
AuthorDate: Wed Dec 11 22:06:45 2019 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 7 00:48:45 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba53be40 |
|
app-shells/bash: fix CVE-2019-18276 (priv-dropping bug) |
|
Cherry-picked the relevant parts of |
https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff |
and modified the patches to apply. |
|
Note that the existing bash-5.0*patch files are applied with -p0, which |
is not the norm for eapply, etc. I simply followed what was required |
to work with the rest of the existing patches. |
|
Signed-off-by: Hank Leininger <hlein <AT> korelogic.com> |
Bug: https://bugs.gentoo.org/702488 |
Package-Manager: Portage-2.3.81, Repoman-2.3.18 |
Closes: https://github.com/gentoo/gentoo/pull/13941 |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
|
app-shells/bash/bash-5.0_p11-r1.ebuild | 266 +++++++++++++++++++++ |
.../files/bash-5.0_p11-disable_priv_mode.patch | 85 +++++++ |
2 files changed, 351 insertions(+) |
|
diff --git a/app-shells/bash/bash-5.0_p11-r1.ebuild b/app-shells/bash/bash-5.0_p11-r1.ebuild |
29 |
new file mode 100644 |
30 |
index 00000000000..a6cf9c086ce |
31 |
--- /dev/null |
32 |
+++ b/app-shells/bash/bash-5.0_p11-r1.ebuild |
33 |
@@ -0,0 +1,266 @@ |
34 |
+# Copyright 1999-2019 Gentoo Authors |
35 |
+# Distributed under the terms of the GNU General Public License v2 |
36 |
+ |
37 |
+EAPI=7 |
38 |
+ |
39 |
+inherit flag-o-matic toolchain-funcs multilib prefix |
40 |
+ |
41 |
+# Official patchlevel |
42 |
+# See ftp://ftp.cwru.edu/pub/bash/bash-5.0-patches/ |
43 |
+PLEVEL=${PV##*_p} |
44 |
+MY_PV=${PV/_p*} |
45 |
+MY_PV=${MY_PV/_/-} |
46 |
+MY_P=${PN}-${MY_PV} |
47 |
+is_release() { |
48 |
+ case ${PV} in |
49 |
+ *_alpha*|*_beta*|*_rc*) return 1 ;; |
50 |
+ *) return 0 ;; |
51 |
+ esac |
52 |
+} |
53 |
+[[ ${PV} != *_p* ]] && PLEVEL=0 |
54 |
+patches() { |
55 |
+ local opt=$1 plevel=${2:-${PLEVEL}} pn=${3:-${PN}} pv=${4:-${MY_PV}} |
56 |
+ [[ ${plevel} -eq 0 ]] && return 1 |
57 |
+ eval set -- {1..${plevel}} |
58 |
+ set -- $(printf "${pn}${pv/\.}-%03d " "$@") |
59 |
+ if [[ ${opt} == -s ]] ; then |
60 |
+ echo "${@/#/${DISTDIR}/}" |
61 |
+ else |
62 |
+ local u |
63 |
+ for u in ftp://ftp.cwru.edu/pub/bash mirror://gnu/${pn} ; do |
64 |
+ printf "${u}/${pn}-${pv}-patches/%s " "$@" |
65 |
+ done |
66 |
+ fi |
67 |
+} |
68 |
+ |
69 |
+# The version of readline this bash normally ships with. |
70 |
+READLINE_VER="8.0" |
71 |
+ |
72 |
+DESCRIPTION="The standard GNU Bourne again shell" |
73 |
+HOMEPAGE="http://tiswww.case.edu/php/chet/bash/bashtop.html" |
74 |
+if is_release ; then |
75 |
+ SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz $(patches)" |
76 |
+else |
77 |
+ SRC_URI="ftp://ftp.cwru.edu/pub/bash/${MY_P}.tar.gz" |
78 |
+fi |
79 |
+ |
80 |
+LICENSE="GPL-3" |
81 |
+SLOT="0" |
82 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
83 |
+IUSE="afs bashlogger examples mem-scramble +net nls plugins +readline" |
84 |
+ |
85 |
+DEPEND=" |
86 |
+ >=sys-libs/ncurses-5.2-r2:0= |
87 |
+ nls? ( virtual/libintl ) |
88 |
+ readline? ( >=sys-libs/readline-${READLINE_VER}:0= ) |
89 |
+" |
90 |
+RDEPEND=" |
91 |
+ ${DEPEND} |
92 |
+ !<sys-apps/portage-2.1.6.7_p1 |
93 |
+" |
94 |
+# we only need yacc when the .y files get patched (bash42-005) |
95 |
+#DEPEND+=" virtual/yacc" |
96 |
+ |
97 |
+S="${WORKDIR}/${MY_P}" |
98 |
+ |
99 |
+PATCHES=( |
100 |
+ # Patches from Chet sent to bashbug ml |
101 |
+ "${FILESDIR}"/${PN}-5.0-history-append.patch |
102 |
+ "${FILESDIR}"/${PN}-5.0-syslog-history-extern.patch |
103 |
+ # fix CVE-2019-18276 #702488 |
104 |
+ "${FILESDIR}"/${PN}-5.0_p11-disable_priv_mode.patch |
105 |
+) |
106 |
+ |
107 |
+pkg_setup() { |
108 |
+ if is-flag -malign-double ; then #7332 |
109 |
+ eerror "Detected bad CFLAGS '-malign-double'. Do not use this" |
110 |
+ eerror "as it breaks LFS (struct stat64) on x86." |
111 |
+ die "remove -malign-double from your CFLAGS mr ricer" |
112 |
+ fi |
113 |
+ if use bashlogger ; then |
114 |
+ ewarn "The logging patch should ONLY be used in restricted (i.e. honeypot) envs." |
115 |
+ ewarn "This will log ALL output you enter into the shell, you have been warned." |
116 |
+ fi |
117 |
+} |
118 |
+ |
119 |
+src_unpack() { |
120 |
+ unpack ${MY_P}.tar.gz |
121 |
+} |
122 |
+ |
123 |
+src_prepare() { |
124 |
+ # Include official patches |
125 |
+ [[ ${PLEVEL} -gt 0 ]] && eapply -p0 $(patches -s) |
126 |
+ |
127 |
+ # Clean out local libs so we know we use system ones w/releases. |
128 |
+ if is_release ; then |
129 |
+ rm -rf lib/{readline,termcap}/* |
130 |
+ touch lib/{readline,termcap}/Makefile.in # for config.status |
131 |
+ sed -ri -e 's:\$[(](RL|HIST)_LIBSRC[)]/[[:alpha:]]*.h::g' Makefile.in || die |
132 |
+ fi |
133 |
+ |
134 |
+ # Prefixify hardcoded path names. No-op for non-prefix. |
135 |
+ hprefixify pathnames.h.in |
136 |
+ |
137 |
+ # Avoid regenerating docs after patches #407985 |
138 |
+ sed -i -r '/^(HS|RL)USER/s:=.*:=:' doc/Makefile.in || die |
139 |
+ touch -r . doc/* |
140 |
+ |
141 |
+ eapply -p0 "${PATCHES[@]}" |
142 |
+ eapply_user |
143 |
+} |
144 |
+ |
145 |
+src_configure() { |
146 |
+ local myconf=( |
147 |
+ --disable-profiling |
148 |
+ --docdir='$(datarootdir)'/doc/${PF} |
149 |
+ --htmldir='$(docdir)/html' |
150 |
+ --with-curses |
151 |
+ $(use_enable mem-scramble) |
152 |
+ $(use_enable net net-redirections) |
153 |
+ $(use_enable readline) |
154 |
+ $(use_enable readline bang-history) |
155 |
+ $(use_enable readline history) |
156 |
+ $(use_with afs) |
157 |
+ $(use_with mem-scramble bash-malloc) |
158 |
+ ) |
159 |
+ |
160 |
+ # For descriptions of these, see config-top.h |
161 |
+ # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426 |
162 |
+ append-cppflags \ |
163 |
+ -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \ |
164 |
+ -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \ |
165 |
+ -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \ |
166 |
+ -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \ |
167 |
+ -DNON_INTERACTIVE_LOGIN_SHELLS \ |
168 |
+ -DSSH_SOURCE_BASHRC \ |
169 |
+ $(use bashlogger && echo -DSYSLOG_HISTORY) |
170 |
+ |
171 |
+ # Don't even think about building this statically without |
172 |
+ # reading Bug 7714 first. If you still build it statically, |
173 |
+ # don't come crying to us with bugs ;). |
174 |
+ #use static && export LDFLAGS="${LDFLAGS} -static" |
175 |
+ use nls || myconf+=( --disable-nls ) |
176 |
+ |
177 |
+ # Historically, we always used the builtin readline, but since |
178 |
+ # our handling of SONAME upgrades has gotten much more stable |
179 |
+ # in the PM (and the readline ebuild itself preserves the old |
180 |
+ # libs during upgrades), linking against the system copy should |
181 |
+ # be safe. |
182 |
+ # Exact cached version here doesn't really matter as long as it |
183 |
+ # is at least what's in the DEPEND up above. |
184 |
+ export ac_cv_rl_version=${READLINE_VER%%_*} |
185 |
+ |
186 |
+ # Force linking with system curses ... the bundled termcap lib |
187 |
+ # sucks bad compared to ncurses. For the most part, ncurses |
188 |
+ # is here because readline needs it. But bash itself calls |
189 |
+ # ncurses in one or two small places :(. |
190 |
+ |
191 |
+ if is_release ; then |
192 |
+ # Use system readline only with released versions. |
193 |
+ myconf+=( --with-installed-readline=. ) |
194 |
+ fi |
195 |
+ |
196 |
+ if use plugins; then |
197 |
+ append-ldflags -Wl,-rpath,/usr/$(get_libdir)/bash |
198 |
+ else |
199 |
+ # Disable the plugins logic by hand since bash doesn't |
200 |
+ # provide a way of doing it. |
201 |
+ export ac_cv_func_dl{close,open,sym}=no \ |
202 |
+ ac_cv_lib_dl_dlopen=no ac_cv_header_dlfcn_h=no |
203 |
+ sed -i \ |
204 |
+ -e '/LOCAL_LDFLAGS=/s:-rdynamic::' \ |
205 |
+ configure || die |
206 |
+ fi |
207 |
+ tc-export AR #444070 |
208 |
+ econf "${myconf[@]}" |
209 |
+} |
210 |
+ |
211 |
+src_compile() { |
212 |
+ emake |
213 |
+ |
214 |
+ if use plugins ; then |
215 |
+ emake -C examples/loadables all others |
216 |
+ fi |
217 |
+} |
218 |
+ |
219 |
+src_install() { |
220 |
+ local d f |
221 |
+ |
222 |
+ default |
223 |
+ |
224 |
+ dodir /bin |
225 |
+ mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die |
226 |
+ dosym bash /bin/rbash |
227 |
+ |
228 |
+ insinto /etc/bash |
229 |
+ doins "${FILESDIR}"/bash_logout |
230 |
+ doins "$(prefixify_ro "${FILESDIR}"/bashrc)" |
231 |
+ keepdir /etc/bash/bashrc.d |
232 |
+ insinto /etc/skel |
233 |
+ for f in bash{_logout,_profile,rc} ; do |
234 |
+ newins "${FILESDIR}"/dot-${f} .${f} |
235 |
+ done |
236 |
+ |
237 |
+ local sed_args=( |
238 |
+ -e "s:#${USERLAND}#@::" |
239 |
+ -e '/#@/d' |
240 |
+ ) |
241 |
+ if ! use readline ; then |
242 |
+ sed_args+=( #432338 |
243 |
+ -e '/^shopt -s histappend/s:^:#:' |
244 |
+ -e 's:use_color=true:use_color=false:' |
245 |
+ ) |
246 |
+ fi |
247 |
+ sed -i \ |
248 |
+ "${sed_args[@]}" \ |
249 |
+ "${ED}"/etc/skel/.bashrc \ |
250 |
+ "${ED}"/etc/bash/bashrc || die |
251 |
+ |
252 |
+ if use plugins ; then |
253 |
+ exeinto /usr/$(get_libdir)/bash |
254 |
+ doexe $(echo examples/loadables/*.o | sed 's:\.o::g') |
255 |
+ insinto /usr/include/bash-plugins |
256 |
+ doins *.h builtins/*.h include/*.h lib/{glob/glob.h,tilde/tilde.h} |
257 |
+ fi |
258 |
+ |
259 |
+ if use examples ; then |
260 |
+ for d in examples/{functions,misc,scripts,startup-files} ; do |
261 |
+ exeinto /usr/share/doc/${PF}/${d} |
262 |
+ insinto /usr/share/doc/${PF}/${d} |
263 |
+ for f in ${d}/* ; do |
264 |
+ if [[ ${f##*/} != PERMISSION ]] && [[ ${f##*/} != *README ]] ; then |
265 |
+ doexe ${f} |
266 |
+ else |
267 |
+ doins ${f} |
268 |
+ fi |
269 |
+ done |
270 |
+ done |
271 |
+ fi |
272 |
+ |
273 |
+ doman doc/*.1 |
274 |
+ newdoc CWRU/changelog ChangeLog |
275 |
+ dosym bash.info /usr/share/info/bashref.info |
276 |
+} |
277 |
+ |
278 |
+pkg_preinst() { |
279 |
+ if [[ -e ${EROOT}/etc/bashrc ]] && [[ ! -d ${EROOT}/etc/bash ]] ; then |
280 |
+ mkdir -p "${EROOT}"/etc/bash |
281 |
+ mv -f "${EROOT}"/etc/bashrc "${EROOT}"/etc/bash/ |
282 |
+ fi |
283 |
+ |
284 |
+ if [[ -L ${EROOT}/bin/sh ]] ; then |
285 |
+ # rewrite the symlink to ensure that its mtime changes. having /bin/sh |
286 |
+ # missing even temporarily causes a fatal error with paludis. |
287 |
+ local target=$(readlink "${EROOT}"/bin/sh) |
288 |
+ local tmp=$(emktemp "${EROOT}"/bin) |
289 |
+ ln -sf "${target}" "${tmp}" |
290 |
+ mv -f "${tmp}" "${EROOT}"/bin/sh |
291 |
+ fi |
292 |
+} |
293 |
+ |
294 |
+pkg_postinst() { |
295 |
+ # If /bin/sh does not exist, provide it |
296 |
+ if [[ ! -e ${EROOT}/bin/sh ]] ; then |
297 |
+ ln -sf bash "${EROOT}"/bin/sh |
298 |
+ fi |
299 |
+} |
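Review bot: pkg_preinst in the new ebuild rewrites `${EROOT}/bin/sh` without checking either command that does it, so if `ln -sf` fails the following `mv -f` would move whatever emktemp created onto /bin/sh and leave the system without a usable shell; the lines `ln -sf "${target}" "${tmp}"` and `mv -f "${tmp}" "${EROOT}"/bin/sh` should become `ln -sf "${target}" "${tmp}" || die` and `mv -f "${tmp}" "${EROOT}"/bin/sh || die`. The same unchecked pattern appears in the `/etc/bashrc` migration just above it (`mkdir -p` / `mv -f`) and in `ln -sf bash "${EROOT}"/bin/sh` in pkg_postinst. That emktemp leaves a regular placeholder file behind is inferred from its usual behaviour, not visible in this hunk.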
300 |
|
301 |
diff --git a/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch b/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch |
302 |
new file mode 100644 |
303 |
index 00000000000..9a05c8b8613 |
304 |
--- /dev/null |
305 |
+++ b/app-shells/bash/files/bash-5.0_p11-disable_priv_mode.patch |
306 |
@@ -0,0 +1,85 @@ |
307 |
+diff -urP ../bash-5.0.orig/config.h.in config.h.in |
308 |
+--- ../bash-5.0.orig/config.h.in 2018-12-04 09:54:17.000000000 -0700 |
309 |
++++ config.h.in 2019-12-10 11:34:42.157926317 -0700 |
310 |
+@@ -1,6 +1,6 @@ |
311 |
+ /* config.h -- Configuration file for bash. */ |
312 |
+ |
313 |
+-/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc. |
314 |
++/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc. |
315 |
+ |
316 |
+ This file is part of GNU Bash, the Bourne Again SHell. |
317 |
+ |
318 |
+@@ -807,6 +807,14 @@ |
319 |
+ #undef HAVE_SETREGID |
320 |
+ #undef HAVE_DECL_SETREGID |
321 |
+ |
322 |
++/* Define if you have the setregid function. */ |
323 |
++#undef HAVE_SETRESGID |
324 |
++#undef HAVE_DECL_SETRESGID |
325 |
++ |
326 |
++/* Define if you have the setresuid function. */ |
327 |
++#undef HAVE_SETRESUID |
328 |
++#undef HAVE_DECL_SETRESUID |
329 |
++ |
330 |
+ /* Define if you have the setvbuf function. */ |
331 |
+ #undef HAVE_SETVBUF |
332 |
+ |
333 |
+diff -urP ../bash-5.0.orig/configure configure |
334 |
+--- ../bash-5.0.orig/configure 2019-01-02 07:43:31.000000000 -0700 |
335 |
++++ configure 2019-12-10 11:34:42.166926317 -0700 |
336 |
+@@ -10281,6 +10281,17 @@ |
337 |
+ #define HAVE_DECL_SETREGID $ac_have_decl |
338 |
+ _ACEOF |
339 |
+ |
340 |
++ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default" |
341 |
++if test "x$ac_cv_have_decl_" = xyes; then : |
342 |
++ ac_have_decl=1 |
343 |
++else |
344 |
++ ac_have_decl=0 |
345 |
++fi |
346 |
++ |
347 |
++cat >>confdefs.h <<_ACEOF |
348 |
++#define HAVE_DECL_ $ac_have_decl |
349 |
++_ACEOF |
350 |
++(setresuid, setresgid) |
351 |
+ ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy" "$ac_includes_default" |
352 |
+ if test "x$ac_cv_have_decl_strcpy" = xyes; then : |
353 |
+ ac_have_decl=1 |
354 |
+diff -urP ../bash-5.0.orig/configure.ac configure.ac |
355 |
+--- ../bash-5.0.orig/configure.ac 2019-01-02 07:39:11.000000000 -0700 |
356 |
++++ configure.ac 2019-12-10 11:34:42.168926317 -0700 |
357 |
+@@ -810,6 +810,7 @@ |
358 |
+ AC_CHECK_DECLS([printf]) |
359 |
+ AC_CHECK_DECLS([sbrk]) |
360 |
+ AC_CHECK_DECLS([setregid]) |
361 |
++AC_CHECK_DECLS[(setresuid, setresgid]) |
362 |
+ AC_CHECK_DECLS([strcpy]) |
363 |
+ AC_CHECK_DECLS([strsignal]) |
364 |
+ |
365 |
+diff -urP ../bash-5.0.orig/shell.c shell.c |
366 |
+--- ../bash-5.0.orig/shell.c 2018-12-06 09:28:21.000000000 -0700 |
367 |
++++ shell.c 2019-12-10 11:34:42.170926317 -0700 |
368 |
+@@ -1293,7 +1293,11 @@ |
369 |
+ { |
370 |
+ int e; |
371 |
+ |
372 |
++#if HAVE_DECL_SETRESUID |
373 |
++ if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0) |
374 |
++#else |
375 |
+ if (setuid (current_user.uid) < 0) |
376 |
++#endif |
377 |
+ { |
378 |
+ e = errno; |
379 |
+ sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid); |
380 |
+@@ -1302,7 +1306,11 @@ |
381 |
+ exit (e); |
382 |
+ #endif |
383 |
+ } |
384 |
++#if HAVE_DECL_SETRESGID |
385 |
++ if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0) |
386 |
++#else |
387 |
+ if (setgid (current_user.gid) < 0) |
388 |
++#endif |
389 |
+ sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid); |
390 |
+ |
391 |
+ current_user.euid = current_user.uid; |
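Review bot: The configure and configure.ac hunks of the new patch never produce the `HAVE_DECL_SETRESUID` / `HAVE_DECL_SETRESGID` macros that the shell.c hunk tests, so `#if HAVE_DECL_SETRESUID` evaluates to 0 and the original setuid()/setgid() path that CVE-2019-18276 is about is still what gets compiled. In configure.ac the bracket is misplaced — `AC_CHECK_DECLS[(setresuid, setresgid])` should read `AC_CHECK_DECLS([setresuid, setresgid])` — and the generated configure hunk checks an empty symbol (`ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" ...`), writes `#define HAVE_DECL_ $ac_have_decl` with no suffix, and leaves a stray `(setresuid, setresgid)` line that the shell will try to execute as a command. Because the ebuild's src_prepare applies this patch without any eautoreconf, the shipped configure is what runs, so fixing configure.ac alone would not help; the configure hunk needs the two expanded checks in the same shape as the neighbouring setregid and strcpy checks, as below. The `HAVE_SETRESUID`/`HAVE_SETRESGID` undefs added to config.h.in have no matching AC_CHECK_FUNCS and are dead, and the comment above `HAVE_SETRESGID` says "setregid" where it means setresgid. Whether the stray line only prints a command-not-found and configure carries on is an inference; the result should be verified by checking config.h for HAVE_DECL_SETRESUID after a build.
```shell
ac_fn_c_check_decl "$LINENO" "setresuid" "ac_cv_have_decl_setresuid" "$ac_includes_default"
if test "x$ac_cv_have_decl_setresuid" = xyes; then :
  ac_have_decl=1
else
  ac_have_decl=0
fi

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SETRESUID $ac_have_decl
_ACEOF
ac_fn_c_check_decl "$LINENO" "setresgid" "ac_cv_have_decl_setresgid" "$ac_includes_default"
if test "x$ac_cv_have_decl_setresgid" = xyes; then :
  ac_have_decl=1
else
  ac_have_decl=0
fi

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SETRESGID $ac_have_decl
_ACEOF
# … unchanged: strcpy decl check follows …
```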