main/bash: fix for CVE-2016-9401

fixes #6654

1 files changed, 27 insertions, 0 deletions

diff --git a/main/bash/CVE-2016-9401.patch b/main/bash/CVE-2016-9401.patch
new file mode 100644
index 0000000000..4237330e6d
--- /dev/null
+++ b/main/bash/CVE-2016-9401.patch
@@ -0,0 +1,27 @@
+*** ../bash-4.4-patched/builtins/pushd.def	2016-01-25 13:31:49.000000000 -0500
+--- builtins/pushd.def	2016-10-28 10:46:49.000000000 -0400
+***************
+*** 366,370 ****
+      }
+  
+!   if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
+      {
+        pushd_error (directory_list_offset, which_word ? which_word : "");
+--- 366,370 ----
+      }
+  
+!   if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+      {
+        pushd_error (directory_list_offset, which_word ? which_word : "");
+***************
+*** 388,391 ****
+--- 388,396 ----
+  	 of the list into place. */
+        i = (direction == '+') ? directory_list_offset - which : which;
++       if (i < 0 || i > directory_list_offset)
++ 	{
++ 	  pushd_error (directory_list_offset, which_word ? which_word : "");
++ 	  return (EXECUTION_FAILURE);
++ 	}
+        free (pushd_directory_list[i]);
+        directory_list_offset--;