[OE-core] bash: Fix CVE-2019-18276

Richard Purdie richard.purdie at linuxfoundation.org
Tue Feb 18 08:14:11 UTC 2020


On Tue, 2020-02-18 at 14:41 +0800, Phil Reid wrote:
> On 17/02/2020 17:55, Richard Purdie wrote:
> > On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote:
> > > On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <
> > > preid at electromag.com.au>
> > > wrote:
> > > > Hi All,
> > > > 
> > > > I recently started getting the following failure with bash after
> > > > "b348e31c93f0 bash: Fix CVE-2019-18276"
> > > > was applied to zeus.
> > > > 
> > > > Any thoughts?
> > > > 
> > > > 
> > > > NOTE: Applying patch 'bash50-001' (downloads/bash50-001)
> > > > NOTE: Applying patch 'bash50-002' (downloads/bash50-002)
> > > > NOTE: Applying patch 'bash50-003' (downloads/bash50-003)
> > > > NOTE: Applying patch 'bash50-004' (downloads/bash50-004)
> > > > NOTE: Applying patch 'bash50-005' (downloads/bash50-005)
> > > > NOTE: Applying patch 'bash50-006' (downloads/bash50-006)
> > > > NOTE: Applying patch 'bash50-007' (downloads/bash50-007)
> > > > NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded-
> > > > core/meta/recipes-extended/bash/bash/execute_cmd.patch)
> > > > NOTE: Applying patch 'mkbuiltins_have_stringize.patch'
> > > > (layers/openembedded-core/meta/recipes-
> > > > extended/bash/bash/mkbuiltins_have_stringize.patch)
> > > > NOTE: Applying patch 'build-tests.patch' (layers/openembedded-
> > > > core/meta/recipes-extended/bash/bash/build-tests.patch)
> > > > NOTE: Applying patch 'test-output.patch' (layers/openembedded-
> > > > core/meta/recipes-extended/bash/bash/test-output.patch)
> > > > NOTE: Applying patch 'fix-run-builtins.patch'
> > > > (layers/openembedded-
> > > > core/meta/recipes-extended/bash/bash/fix-run-builtins.patch)
> > > > NOTE: Applying patch 'bash-CVE-2019-18276.patch'
> > > > (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-
> > > > CVE-
> > > > 2019-18276.patch)
> > > > ERROR: Command Error: 'quilt --quiltrc
> > > > /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-
> > > > neon-
> > > > emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-
> > > > native/etc/quiltrc
> > > > push' exited with 0  Output:
> > > > Applying patch bash-CVE-2019-18276.patch
> > > > patching file MANIFEST
> > > > patching file bashline.c
> > > > patching file builtins/help.def
> > > > patching file config.h.in
> > > > patching file configure
> > > > Hunk #1 FAILED at 10281.
> > > > 1 out of 1 hunk FAILED -- rejects in file configure
> > > > patching file configure.ac
> > > > patching file doc/bash.1
> > > > patching file doc/bashref.texi
> > > > patching file lib/glob/glob.c
> > > > patching file pathexp.c
> > > > patching file shell.c
> > > > patching file tests/glob.tests
> > > > patching file tests/glob6.sub
> > > > patching file tests/glob7.sub
> > > > Patch bash-CVE-2019-18276.patch does not apply (enforce with
> > > > -f)
> > > > DEBUG: Python function patch_do_patch finished
> > > > DEBUG: Python function do_patch finished
> > > 
> > > Had the same issue the day before, re-building bash clean solved
> > > it.
> > > At first I wanted to report it as well, but then after I tried
> > > "-c cleanall" - the issue was gone.
> > > 
> > > Try to do a clean build of bash and see if it is still
> > > reproducible.
> > 
> > I think I understand what happens here. When you do a rebuild,
> > bitbake
> > tries to pop off all the old patches, then apply the new ones.
> > 
> > In this case it's patching configure which we rebuild. It therefore
> > can't apply the new patch to configure since it's changed by the
> > do_configure task.
> > 
> > The fix is to remove the configure change from the patch since we
> > just
> > need the configure.ac piece.
> > 
> I've run "bitbake -c cleanall bash" and the build has then succeeded.
> I guess we wait and see if it pops up again when bash needs to be
> rebuilt.
> 
> I did try quickly hacking the patch and removing the configure patch
> section, but the resulting configure looked different. So I went with
> the easy option above.

Reproducing should be as simple as:

bitbake bash -c configure
bitbake bash -c patch -f

Cheers,

Richard
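
The fix suggested in the thread (drop the generated `configure` section from the CVE patch and keep the `configure.ac` one), sketched as an added example that is not part of the original messages or of OE-core. The function names and the sample patch are constructed, and git-style `diff --git` section headers are assumed.

```shell
#!/bin/sh
# touched_files: read a git-style patch on stdin, list the paths it modifies.
touched_files() {
    awk '/^diff --git / { p = $NF; sub(/^b\//, "", p); print p }'
}

# drop_generated NAME: copy the patch from stdin to stdout, omitting every
# per-file section whose target path is exactly NAME. "configure" is dropped,
# "configure.ac" is kept, and the leading commit message is preserved.
drop_generated() {
    awk -v name="$1" '
        /^diff --git / {
            path = $NF                  # last field is "b/PATH"
            sub(/^b\//, "", path)
            skip = (path == name)       # applies until the next section header
        }
        !skip { print }
    '
}

# Constructed sample standing in for a backport that touches both the
# autoconf input and its generated output.
sample_patch() {
    cat <<'EOF'
Subject: constructed sample, not the real bash-CVE-2019-18276.patch

diff --git a/configure b/configure
--- a/configure
+++ b/configure
@@ -1,1 +1,1 @@
-generated old
+generated new
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -1,1 +1,1 @@
-AC_OLD
+AC_NEW
diff --git a/shell.c b/shell.c
--- a/shell.c
+++ b/shell.c
@@ -1,1 +1,1 @@
-old
+new
EOF
}

# Files still patched once the generated script is filtered out.
sample_patch | drop_generated configure | touched_files
```
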



