BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-053

Bug-Reported-by:	Michal Zalewski <lcamtuf@coredump.cx>

Bug-Reference-ID:

Bug-Reference-URL:

Bug-Description:

A combination of nested command substitutions and function importing from

the environment can cause bash to execute code appearing in the environment

variable value following the function definition.

Patch (apply with `patch -p0'):

*** ../bash-4.2.52/builtins/evalstring.c	2014-09-16 19:35:45.000000000 -0400

--- builtins/evalstring.c	2014-10-04 15:00:26.000000000 -0400

***************

*** 262,271 ****

  	      struct fd_bitmap *bitmap;

! 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)

  		{

! 		  internal_warning ("%s: ignoring function definition attempt", from_file);

! 		  should_jump_to_top_level = 0;

! 		  last_result = last_command_exit_value = EX_BADUSAGE;

! 		  break;

  		}

--- 262,284 ----

  	      struct fd_bitmap *bitmap;

! 	      if (flags & SEVAL_FUNCDEF)

  		{

! 		  char *x;

! 

! 		  /* If the command parses to something other than a straight

! 		     function definition, or if we have not consumed the entire

! 		     string, or if the parser has transformed the function

! 		     name (as parsing will if it begins or ends with shell

! 		     whitespace, for example), reject the attempt */

! 		  if (command->type != cm_function_def ||

! 		      ((x = parser_remaining_input ()) && *x) ||

! 		      (STREQ (from_file, command->value.Function_def->name->word) == 0))

! 		    {

! 		      internal_warning (_("%s: ignoring function definition attempt"), from_file);

! 		      should_jump_to_top_level = 0;

! 		      last_result = last_command_exit_value = EX_BADUSAGE;

! 		      reset_parser ();

! 		      break;

! 		    }

  		}

***************

*** 332,336 ****

  	      if (flags & SEVAL_ONECMD)

! 		break;

  	    }

  	}

--- 345,352 ----

  	      if (flags & SEVAL_ONECMD)

! 		{

! 		  reset_parser ();

! 		  break;

! 		}

  	    }

  	}

*** ../bash-4.2.52/parse.y	2014-09-30 19:24:19.000000000 -0400

--- parse.y	2014-10-04 15:00:26.000000000 -0400

***************

*** 2436,2439 ****

--- 2436,2449 ----

  }

+ char *

+ parser_remaining_input ()

+ {

+   if (shell_input_line == 0)

+     return 0;

+   if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)

+     return '\0';	/* XXX */

+   return (shell_input_line + shell_input_line_index);

+ }

+ 

  #ifdef INCLUDE_UNUSED

  /* Back the input pointer up by one, effectively `ungetting' a character. */

***************

*** 3891,3896 ****

    /* reset_parser clears shell_input_line and associated variables */

    restore_input_line_state (&ls);

!   if (interactive)

!     token_to_read = 0;

    /* Need to find how many characters parse_and_execute consumed, update

--- 3901,3906 ----

    /* reset_parser clears shell_input_line and associated variables */

    restore_input_line_state (&ls);

! 

!   token_to_read = 0;

    /* Need to find how many characters parse_and_execute consumed, update

*** ../bash-4.2.52/shell.h	2011-11-21 18:03:32.000000000 -0500

--- shell.h	2014-10-04 15:00:26.000000000 -0400

***************

*** 178,181 ****

--- 178,183 ----

  /* Let's try declaring these here. */

+ extern char *parser_remaining_input __P((void));

+ 

  extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));

  extern void restore_parser_state __P((sh_parser_state_t *));