On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote: > echo "Testing Exploit 1 (CVE-2014-6271)" > CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)" > [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE" > > echo "Testing Exploit 2 (CVE-2014-7169)" > CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat > echo 2>/dev/null; rm -f echo)" > [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE" > > echo "Testing Exploit 3 (CVE-2014-6277)" > CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)" > [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE" > > echo "Testing Exploit 4 (CVE-2014-7186)" > CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF > <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)" > [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE" > > echo "Testing Exploit 5 (CVE-2014-7187)" > CVE7187="$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in > {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)" > [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLEā > > Good luck ;-)
Yes, it passes all tests (the patch attached). Jung-uk Kim
--- parse.y.orig 2014-09-30 12:58:08.462512373 -0400 +++ parse.y 2014-09-30 12:58:08.629018000 -0400 @@ -265,9 +265,21 @@ /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ -static REDIRECT *redir_stack[10]; +static REDIRECT **redir_stack; int need_here_doc; +/* Pushes REDIR onto redir_stack, resizing it as needed. */ +static void +push_redir_stack (REDIRECT *redir) +{ + /* Guard against oveflow. */ + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) + abort (); + redir_stack = xrealloc (redir_stack, + (need_here_doc + 1) * sizeof (*redir_stack)); + redir_stack[need_here_doc++] = redir; +} + /* Where shell input comes from. History expansion is performed on each line when the shell is interactive. */ static char *shell_input_line = (char *)NULL; @@ -520,42 +532,42 @@ source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_MINUS WORD { source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS_MINUS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS_MINUS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_LESS WORD { @@ -4905,7 +4917,7 @@ case CASE: case SELECT: case FOR: - if (word_top < MAX_CASE_NEST) + if (word_top + 1 < MAX_CASE_NEST) word_top++; word_lineno[word_top] = line_number; break;
_______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"