[OE-core] bash: Fix CVE-2019-18276

Phil Reid preid at electromag.com.au
Tue Feb 18 06:41:16 UTC 2020


On 17/02/2020 17:55, Richard Purdie wrote:
> On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote:
>> On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid at electromag.com.au>
>> wrote:
>>> Hi All,
>>>
>>> I recently started getting the following failure with bash after
>>> "b348e31c93f0 bash: Fix CVE-2019-18276"
>>> was applied to zeus.
>>>
>>> Any thoughts?
>>>
>>>
>>> NOTE: Applying patch 'bash50-001' (downloads/bash50-001)
>>> NOTE: Applying patch 'bash50-002' (downloads/bash50-002)
>>> NOTE: Applying patch 'bash50-003' (downloads/bash50-003)
>>> NOTE: Applying patch 'bash50-004' (downloads/bash50-004)
>>> NOTE: Applying patch 'bash50-005' (downloads/bash50-005)
>>> NOTE: Applying patch 'bash50-006' (downloads/bash50-006)
>>> NOTE: Applying patch 'bash50-007' (downloads/bash50-007)
>>> NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded-
>>> core/meta/recipes-extended/bash/bash/execute_cmd.patch)
>>> NOTE: Applying patch 'mkbuiltins_have_stringize.patch'
>>> (layers/openembedded-core/meta/recipes-
>>> extended/bash/bash/mkbuiltins_have_stringize.patch)
>>> NOTE: Applying patch 'build-tests.patch' (layers/openembedded-
>>> core/meta/recipes-extended/bash/bash/build-tests.patch)
>>> NOTE: Applying patch 'test-output.patch' (layers/openembedded-
>>> core/meta/recipes-extended/bash/bash/test-output.patch)
>>> NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded-
>>> core/meta/recipes-extended/bash/bash/fix-run-builtins.patch)
>>> NOTE: Applying patch 'bash-CVE-2019-18276.patch'
>>> (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE-
>>> 2019-18276.patch)
>>> ERROR: Command Error: 'quilt --quiltrc
>>> /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon-
>>> emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc
>>> push' exited with 0  Output:
>>> Applying patch bash-CVE-2019-18276.patch
>>> patching file MANIFEST
>>> patching file bashline.c
>>> patching file builtins/help.def
>>> patching file config.h.in
>>> patching file configure
>>> Hunk #1 FAILED at 10281.
>>> 1 out of 1 hunk FAILED -- rejects in file configure
>>> patching file configure.ac
>>> patching file doc/bash.1
>>> patching file doc/bashref.texi
>>> patching file lib/glob/glob.c
>>> patching file pathexp.c
>>> patching file shell.c
>>> patching file tests/glob.tests
>>> patching file tests/glob6.sub
>>> patching file tests/glob7.sub
>>> Patch bash-CVE-2019-18276.patch does not apply (enforce with -f)
>>> DEBUG: Python function patch_do_patch finished
>>> DEBUG: Python function do_patch finished
>>
>> Had the same issue the day before, re-building bash clean solved it.
>> At first I wanted to report it as well, but then after I tried "-c
>> cleanall" - the issue was gone.
>>
>> Try to do a clean build of bash and see if it is still reproducible.
> 
> I think I understand what happens here. When you do a rebuild, bitbake
> tries to pop off all the old patches, then apply the new ones.
> 
> In this case it's patching configure, which we rebuild. It therefore
> can't apply the new patch to configure since it's changed by the
> do_configure task.
> 
> The fix is to remove the configure change from the patch since we just
> need the configure.ac piece.
> 
I've run "bitbake -c cleanall bash" and the build has then succeeded.
I guess we wait and see if it pops up again when bash needs to be rebuilt.

I did try quickly hacking the patch and removing the configure patch section, but
the resulting configure looked different. So I went with the easy option above.

Thanks
Phil
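The fix Richard describes above, dropping the `configure` section from the patch so only the `configure.ac` hunk is carried (bitbake regenerates `configure` in do_configure anyway), amounts to filtering one file out of a unified diff. The following is an added illustration, not code from this thread or from OE-core: a small Python filter that splits a unified diff into per-file sections and removes the one whose target path matches, exercised on a constructed sample patch. The function names and the sample patch text are assumptions made for the example.

```python
"""Remove one file's section from a unified diff (added example, not OE-core code)."""
import re
import sys
from typing import List


def _split_sections(lines: List[str]) -> List[List[str]]:
    """Split diff lines into [preamble, section, section, ...].

    A section begins at a 'diff ' or 'Index: ' header, or at a '--- ' line
    directly followed by '+++ ' when no such header has already opened it.
    """
    sections: List[List[str]] = [[]]   # sections[0] is the preamble text
    header_open = False                # saw diff/Index but not yet '+++'
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith(("diff ", "Index: ")):
            sections.append([line])
            header_open = True
            continue
        if line.startswith("--- ") and nxt.startswith("+++ ") and not header_open:
            sections.append([line])
            continue
        if line.startswith("+++ "):
            header_open = False
        sections[-1].append(line)
    return sections


def _section_path(section: List[str]) -> str:
    """Return the path a section patches, taken from '+++' (or '---' on deletion)."""
    src = dst = ""
    for line in section:
        if line.startswith("--- ") and not src:
            src = line[4:].split("\t")[0].strip()      # drop any timestamp suffix
        elif line.startswith("+++ ") and not dst:
            dst = line[4:].split("\t")[0].strip()
            break
    path = dst if dst and dst != "/dev/null" else src
    return re.sub(r"^[ab]/", "", path)                 # strip git's a/ b/ prefixes


def patched_files(patch_text: str) -> List[str]:
    """List the file paths touched by a patch, in order."""
    sections = _split_sections(patch_text.splitlines(keepends=True))
    return [_section_path(s) for s in sections[1:]]


def drop_file_from_patch(patch_text: str, path: str) -> str:
    """Return the patch with every section targeting `path` removed.

    `path` matches either exactly or as a trailing path component, so
    'configure' drops 'configure' and 'src/configure' but keeps 'configure.ac'.
    """
    kept: List[str] = []
    for idx, section in enumerate(_split_sections(patch_text.splitlines(keepends=True))):
        if idx > 0:
            target = _section_path(section)
            if target == path or target.endswith("/" + path):
                continue
        kept.extend(section)
    return "".join(kept)


# Constructed sample: a configure.ac change plus the regenerated configure.
# (Hypothetical content; not the real bash CVE-2019-18276 patch.)
SAMPLE_PATCH = """\
Constructed sample patch: configure.ac change with regenerated configure.
---
 configure    | 2 +-
 configure.ac | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -1,3 +1,3 @@
 AC_INIT
-AC_DEFINE(OLD_FLAG)
+AC_DEFINE(NEW_FLAG)
 AC_OUTPUT
diff --git a/configure b/configure
--- a/configure
+++ b/configure
@@ -10281,3 +10281,3 @@
 # generated by autoconf
-OLD_FLAG=1
+NEW_FLAG=1
 exit 0
"""


if __name__ == "__main__":
    # Usage: python drop_section.py <patch-file> <path-to-drop>   (hypothetical script name)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(drop_file_from_patch(fh.read(), sys.argv[2]))
    else:
        sys.stdout.write(drop_file_from_patch(SAMPLE_PATCH, "configure"))
```

After filtering, the only section left is the `configure.ac` one, which is what do_patch needs; the `configure` hunk that fails at line 10281 after a rebuild is gone, and the preamble (description and diffstat) is kept untouched. The diffstat line for `configure` is left as-is on purpose, since it is commentary that quilt ignores.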

