From 31dca5f935e41e55ec55934dc480ba1c514652e6 Mon Sep 17 00:00:00 2001 From: Chet Ramey Date: Mon, 25 Nov 2019 00:41:59 +0100 Subject: Bash-4.3 patch 47 Bash performs word expansions on the prompt strings after the special escape sequences are expanded. If a malicious user can modify the system hostname or change the name of the bash executable and coerce a user into executing it, and the new name contains word expansions (including command substitution), bash will expand them in prompt strings containing the \h or \H and \s escape sequences, respectively. Change-Id: I6edd2a0b537a63dab1cf2b6908429586d7c5b0f1 --- parse.y | 20 ++++++++++++++++---- patchlevel.h | 2 +- y.tab.c | 20 ++++++++++++++++---- 3 files changed, 33 insertions(+), 9 deletions(-) diff --git a/parse.y b/parse.y index 484e6fe..7c6e4e0 100644 --- a/parse.y +++ b/parse.y @@ -5258,7 +5258,7 @@ decode_prompt_string (string) #if defined (PROMPT_STRING_DECODE) int result_size, result_index; int c, n, i; - char *temp, octal_string[4]; + char *temp, *t_host, octal_string[4]; struct tm *tm; time_t the_time; char timebuf[128]; @@ -5406,7 +5406,11 @@ decode_prompt_string (string) case 's': temp = base_pathname (shell_name); - temp = savestring (temp); + /* Try to quote anything the user can set in the file system */ + if (promptvars || posixly_correct) + temp = sh_backslash_quote_for_double_quotes (temp); + else + temp = savestring (temp); goto add_string; case 'v': @@ -5496,9 +5500,17 @@ decode_prompt_string (string) case 'h': case 'H': - temp = savestring (current_host_name); - if (c == 'h' && (t = (char *)strchr (temp, '.'))) + t_host = savestring (current_host_name); + if (c == 'h' && (t = (char *)strchr (t_host, '.'))) *t = '\0'; + if (promptvars || posixly_correct) + /* Make sure that expand_prompt_string is called with a + second argument of Q_DOUBLE_QUOTES if we use this + function here. */ + temp = sh_backslash_quote_for_double_quotes (t_host); + else + temp = savestring (t_host); + free (t_host); goto add_string; case '#': diff --git a/patchlevel.h b/patchlevel.h index 22bb68c..d243f2d 100644 --- a/patchlevel.h +++ b/patchlevel.h @@ -25,6 +25,6 @@ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh looks for to find the patch level (for the sccs version string). */ -#define PATCHLEVEL 46 +#define PATCHLEVEL 47 #endif /* _PATCHLEVEL_H_ */ diff --git a/y.tab.c b/y.tab.c index 83c9367..f85e2d7 100644 --- a/y.tab.c +++ b/y.tab.c @@ -7570,7 +7570,7 @@ decode_prompt_string (string) #if defined (PROMPT_STRING_DECODE) int result_size, result_index; int c, n, i; - char *temp, octal_string[4]; + char *temp, *t_host, octal_string[4]; struct tm *tm; time_t the_time; char timebuf[128]; @@ -7718,7 +7718,11 @@ decode_prompt_string (string) case 's': temp = base_pathname (shell_name); - temp = savestring (temp); + /* Try to quote anything the user can set in the file system */ + if (promptvars || posixly_correct) + temp = sh_backslash_quote_for_double_quotes (temp); + else + temp = savestring (temp); goto add_string; case 'v': @@ -7808,9 +7812,17 @@ decode_prompt_string (string) case 'h': case 'H': - temp = savestring (current_host_name); - if (c == 'h' && (t = (char *)strchr (temp, '.'))) + t_host = savestring (current_host_name); + if (c == 'h' && (t = (char *)strchr (t_host, '.'))) *t = '\0'; + if (promptvars || posixly_correct) + /* Make sure that expand_prompt_string is called with a + second argument of Q_DOUBLE_QUOTES if we use this + function here. */ + temp = sh_backslash_quote_for_double_quotes (t_host); + else + temp = savestring (t_host); + free (t_host); goto add_string; case '#': -- cgit v1.2.3