From 1d932a05bbc049beee858c440ffa05a65c606820 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 05 2015 13:09:27 +0000 Subject: import bash-4.2.46-12.el7
---
diff --git a/SOURCES/bash-4.2-brace-expand.patch b/SOURCES/bash-4.2-brace-expand.patch
new file mode 100644
index 0000000..e723956
--- /dev/null
+++ b/SOURCES/bash-4.2-brace-expand.patch
@@ -0,0 +1,24 @@
+diff --git a/braces.c b/braces.c
+index 2febed7..61c1ab1 100644
+--- a/braces.c
++++ b/braces.c
+@@ -529,6 +529,11 @@ brace_gobbler (text, tlen, indx, satisfy)
+ {
+ if (c == quoted)
+ quoted = 0;
++#if defined (SHELL)
++ /* The shell allows quoted command substitutions */
++ if (quoted == '"' && c == '$' && text[i+1] == '(') /*)*/
++ goto comsub;
++#endif
+ ADVANCE_CHAR (text, tlen, i);
+ continue;
+ }
+@@ -551,6 +556,7 @@ brace_gobbler (text, tlen, indx, satisfy)
+ /* Pass new-style command and process substitutions through unchanged. */
+ if ((c == '$' || c == '<' || c == '>') && text[i+1] == '(') /* ) */
+ {
++comsub:
+ si = i + 2;
+ t = extract_command_subst (text, &si, 0);
+ i = si;
diff --git a/SOURCES/bash-4.2-extglob-man.patch b/SOURCES/bash-4.2-extglob-man.patch
new file mode 100644
index 0000000..295467e
--- /dev/null
+++ b/SOURCES/bash-4.2-extglob-man.patch
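Review bot: The `goto comsub` added in the double-quoted branch of brace_gobbler lands inside the body of the later `if ((c == '$' || c == '<' || c == '>') && text[i+1] == '(')`, bypassing that condition, and the label has no comment saying it has a second entry point. I would annotate it, e.g. `comsub: /* also entered by goto from the double-quoted branch above */`, so a later edit to that `if` does not silently change what quoted `$(` input goes through. The goto is compiled only under `#if defined (SHELL)`; the guard around the block that holds the label is not visible in these hunks, so it is worth confirming both sit under the same condition. brace_gobbler starts and ends outside the hunks.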
@@ -0,0 +1,28 @@
+diff --git a/doc/bash.1 b/doc/bash.1
+--- a/doc/bash.1 2010-07-28 08:42:54.000000000 +0200
++++ b/doc/bash.1 2010-07-28 08:43:17.000000000 +0200
+@@ -3220,8 +3220,7 @@
+ .RE
+ .PD
+ .PP
+-If the \fBextglob\fP shell option is enabled using the \fBshopt\fP
+-builtin, several extended pattern matching operators are recognized.
++Several extended pattern matching operators are recognized.
+ In the following description, a \fIpattern-list\fP is a list of one
+ or more patterns separated by a \fB|\fP.
+ Composite patterns may be formed using one or more of the following
+@@ -3241,6 +3240,14 @@
+ .TP
+ \fB@(\fP\^\fIpattern-list\^\fP\fB)\fP
+ Matches one of the given patterns
++.RE
++.PD
++.PP
++If the \fBextglob\fP shell option is enabled using the \fBshopt\fP
++builtin, following pattern matching operator is recognized as well:
++.sp 1
++.PD 0
++.RS
+ .TP
+ \fB!(\fP\^\fIpattern-list\^\fP\fB)\fP
+ Matches anything except one of the given patterns
diff --git a/SOURCES/bash-4.2-history-hang.patch b/SOURCES/bash-4.2-history-hang.patch
new file mode 100644
index 0000000..da209c8
--- /dev/null
+++ b/SOURCES/bash-4.2-history-hang.patch
@@ -0,0 +1,11 @@
+--- a/lib/readline/history.c 2014-05-27 16:55:58.040214069 +0200
++++ b/lib/readline/history.c 2014-05-27 16:56:11.243204928 +0200
+@@ -318,7 +318,7 @@ add_history_time (string)
+ {
+ HIST_ENTRY *hs;
+
+- if (string == 0)
++ if (string == 0 || history_length < 1)
+ return;
+ hs = the_history[history_length - 1];
+ FREE (hs->timestamp);
diff --git a/SOURCES/bash-4.2-man-ulimit.patch b/SOURCES/bash-4.2-man-ulimit.patch
new file mode 100644
index 0000000..fdba544
--- /dev/null
+++ b/SOURCES/bash-4.2-man-ulimit.patch
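Review bot: The new `history_length < 1` test in add_history_time carries no comment, although it is the only thing keeping `the_history[history_length - 1]` from indexing before the start of the array when no entry exists. I would put `/* no entry to stamp: the_history[history_length - 1] would be out of bounds */` above the `if`. `hs` is still dereferenced in `FREE (hs->timestamp)` without a NULL check; whether a slot below history_length can be NULL is not visible here, so that is worth confirming. The function body continues past the hunk.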
@@ -0,0 +1,24 @@
+From ccd35766d2451677f4c49f66b8e18ad6e274d56a Mon Sep 17 00:00:00 2001
+From: Jan Chaloupka
+Date: Mon, 7 Jul 2014 07:15:41 +0200
+Subject: [PATCH] bash.1: posix block size for cf options
+
+---
+ doc/bash.1 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/doc/bash.1 b/doc/bash.1
+index a4ad746..1916515 100644
+--- a/doc/bash.1
++++ b/doc/bash.1
+@@ -9451,6 +9451,7 @@ and
+ which are unscaled values.
+ The return status is 0 unless an invalid option or argument is supplied,
+ or an error occurs while setting a new limit.
++In POSIX Mode 512-byte blocks are used for the `-c' and `-f' options.
+ .RE
+ .TP
+ \fBumask\fP [\fB\-p\fP] [\fB\-S\fP] [\fImode\fP]
+--
+1.9.3
+
diff --git a/SOURCES/bash-4.2-manpage.patch b/SOURCES/bash-4.2-manpage.patch
new file mode 100644
index 0000000..08ae11f
--- /dev/null
+++ b/SOURCES/bash-4.2-manpage.patch
@@ -0,0 +1,53 @@
+diff -up bash-4.2/doc/bash.1.manpage bash-4.2/doc/bash.1
+--- bash-4.2/doc/bash.1.manpage 2011-01-26 15:30:03.000000000 +0100
++++ bash-4.2/doc/bash.1 2011-01-26 15:47:16.000000000 +0100
+@@ -6646,7 +6646,9 @@ must be \(>= 1. If
+ .I n
+ is greater than the number of enclosing loops, all enclosing loops
+ are exited.
+-The return value is 0 unless \fIn\fP is not greater than or equal to 1.
++The return value is non-zero when \fIn\fP is \(<= 0; Otherwise,
++.BR break
++returns 0 value.
+ .TP
+ \fBbuiltin\fP \fIshell\-builtin\fP [\fIarguments\fP]
+ Execute the specified shell builtin, passing it
+@@ -7017,7 +7019,15 @@ must be \(>= 1. If
+ .I n
+ is greater than the number of enclosing loops, the last enclosing loop
+ (the ``top-level'' loop) is resumed.
+-The return value is 0 unless \fIn\fP is not greater than or equal to 1.
++When
++.BR continue
++is executed inside of loop, the return value is non-zero when
++.I n
++is \(<= 0; Otherwise,
++.BR continue
++returns 0 value. When
++.BR continue
++is executed outside of loop, the return value is 0.
+ .TP
+ \fBdeclare\fP [\fB\-aAfFgilrtux\fP] [\fB\-p\fP] [\fIname\fP[=\fIvalue\fP] ...]
+ .PD 0
+@@ -9019,9 +9029,19 @@ by default.
+ Suspend the execution of this shell until it receives a
+ .SM
+ .B SIGCONT
+-signal. A login shell cannot be suspended; the
++signal. When the suspended shell is a background process, it can be restarted
++by the
++.B fg
++command. For more information, read the
++.SM
++.B JOB CONTROL
++section. The
++.B suspend
++command can not suspend the login shell. However, when
+ .B \-f
+-option can be used to override this and force the suspension.
++option is specified,
++.B suspend
++command can suspend even login shell.
+ The return status is 0 unless the shell is a login shell and
+ .B \-f
+ is not supplied, or if job control is not enabled.
diff --git a/SOURCES/bash-4.2-noecho.patch b/SOURCES/bash-4.2-noecho.patch
new file mode 100644
index 0000000..4d0f747
--- /dev/null
+++ b/SOURCES/bash-4.2-noecho.patch
@@ -0,0 +1,39 @@
+--- bash-4.2/parse.y 2014-05-29 14:46:09.545543384 +0200
++++ bash-4.2/parse.y 2014-05-29 14:48:40.758626213 +0200
+@@ -3858,6 +3858,8 @@ xparse_dolparen (base, string, indp, fla
+ sflags |= SEVAL_NOLONGJMP;
+ save_parser_state (&ps);
+ save_input_line_state (&ls);
++ /* avoid echoing every substitution again */
++ echo_input_at_read = 0;
+
+ /*(*/
+ parser_state |= PST_CMDSUBST|PST_EOFTOKEN; /* allow instant ')' */ /*(*/
+--- bash-4.2/subst.c 2014-05-29 16:04:35.802784549 +0200
++++ bash-4.2/subst.c 2014-05-29 16:08:25.021942676 +0200
+@@ -7103,6 +7103,7 @@ param_expand (string, sindex, quoted, ex
+ WORD_LIST *list;
+ WORD_DESC *tdesc, *ret;
+ int tflag;
++ int old_echo_input;
+
+ zindex = *sindex;
+ c = string[++zindex];
+@@ -7401,6 +7402,9 @@ arithsub:
+ }
+
+ comsub:
++ old_echo_input = echo_input_at_read;
++ /* avoid echoing every substitution again */
++ echo_input_at_read = 0;
+ if (pflags & PF_NOCOMSUB)
+ /* we need zindex+1 because string[zindex] == RPAREN */
+ temp1 = substring (string, *sindex, zindex+1);
+@@ -7413,6 +7417,7 @@ comsub:
+ }
+ FREE (temp);
+ temp = temp1;
++ echo_input_at_read = old_echo_input;
+ break;
+
+ /* Do POSIX.2d9-style arithmetic substitution. This will probably go
diff --git a/SOURCES/bash42-046 b/SOURCES/bash42-046
new file mode 100644
index 0000000..03a489e
--- /dev/null
+++ b/SOURCES/bash42-046
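Review bot: In the parse.y hunk `echo_input_at_read` is cleared inside xparse_dolparen with no visible save or restore, whereas the subst.c hunks save it in `old_echo_input` and put it back before `break`. If `restore_parser_state` does not restore this flag (not visible here), input echoing would stay off after the first command substitution is parsed; saving the value next to `save_parser_state (&ps)` and restoring it where the parser state is restored would make the two sites consistent. In subst.c the restore sits only on the fall-through path, so any return or non-local jump between `comsub:` and `temp = temp1;` (those lines are outside the hunk) would skip it. Both functions continue outside the hunks.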
@@ -0,0 +1,55 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-046
+
+Bug-Reported-by: "Theodoros V. Kalamatianos"
+Bug-Reference-ID: <20140112011131.GE17667@infinity.metashade.com>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-01/msg00044.html
+
+Bug-Description:
+
+Bash-4.2 patch 32 introduced a problem with "$@" and arrays expanding empty
+positional parameters or array elements when using substring expansion,
+pattern substitution, or case modfication. The empty parameters or array
+elements are removed instead of expanding to empty strings ("").
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2-patched/subst.c 2012-12-31 11:52:56.000000000 -0500
+--- subst.c 2014-03-31 14:19:56.000000000 -0400
+***************
+*** 7243,7247 ****
+ ret = alloc_word_desc ();
+ ret->word = temp1;
+! if (temp1 && QUOTED_NULL (temp1) && (quoted & (Q_HERE_DOCUMENT|Q_DOUBLE_QUOTES)))
+ ret->flags |= W_QUOTED|W_HASQUOTEDNULL;
+ return ret;
+--- 7243,7253 ----
+ ret = alloc_word_desc ();
+ ret->word = temp1;
+! /* We test quoted_dollar_atp because we want variants with double-quoted
+! "$@" to take a different code path. In fact, we make sure at the end
+! of expand_word_internal that we're only looking at these flags if
+! quoted_dollar_at == 0. */
+! if (temp1 &&
+! (quoted_dollar_atp == 0 || *quoted_dollar_atp == 0) &&
+! QUOTED_NULL (temp1) && (quoted & (Q_HERE_DOCUMENT|Q_DOUBLE_QUOTES)))
+ ret->flags |= W_QUOTED|W_HASQUOTEDNULL;
+ return ret;
+*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
+--- patchlevel.h Thu Feb 24 21:41:34 2011
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 45
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 46
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/SOURCES/bash42-052 b/SOURCES/bash42-052
new file mode 100644
index 0000000..686dbd4
--- /dev/null
+++ b/SOURCES/bash42-052
@@ -0,0 +1,44 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-052
+
+Bug-Reported-by: Michal Zalewski
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+When bash is parsing a function definition that contains a here-document
+delimited by end-of-file (or end-of-string), it leaves the closing delimiter
+uninitialized. This can result in an invalid memory access when the parsed
+function is later copied.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.51/make_cmd.c 2009-09-11 17:26:12.000000000 -0400
+--- make_cmd.c 2014-10-02 11:26:58.000000000 -0400
+***************
+*** 690,693 ****
+--- 690,694 ----
+ temp->redirector = source;
+ temp->redirectee = dest_and_filename;
++ temp->here_doc_eof = 0;
+ temp->instruction = instruction;
+ temp->flags = 0;
+*** ../bash-4.2.51/copy_cmd.c 2009-09-11 16:28:02.000000000 -0400
+--- copy_cmd.c 2014-10-02 11:26:58.000000000 -0400
+***************
+*** 127,131 ****
+ case r_reading_until:
+ case r_deblank_reading_until:
+! new_redirect->here_doc_eof = savestring (redirect->here_doc_eof);
+ /*FALLTHROUGH*/
+ case r_reading_string:
+--- 127,131 ----
+ case r_reading_until:
+ case r_deblank_reading_until:
+! new_redirect->here_doc_eof = redirect->here_doc_eof ? savestring (redirect->here_doc_eof) : 0;
+ /*FALLTHROUGH*/
+ case r_reading_string:
diff --git a/SOURCES/bash42-053 b/SOURCES/bash42-053
new file mode 100644
index 0000000..d0485f3
--- /dev/null
+++ b/SOURCES/bash42-053
@@ -0,0 +1,117 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.2
+Patch-ID: bash42-053
+
+Bug-Reported-by: Michal Zalewski
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+A combination of nested command substitutions and function importing from
+the environment can cause bash to execute code appearing in the environment
+variable value following the function definition.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.2.52/builtins/evalstring.c 2014-09-16 19:35:45.000000000 -0400
+--- builtins/evalstring.c 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 262,271 ****
+ struct fd_bitmap *bitmap;
+
+! if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+! internal_warning ("%s: ignoring function definition attempt", from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! break;
+ }
+
+--- 262,284 ----
+ struct fd_bitmap *bitmap;
+
+! if (flags & SEVAL_FUNCDEF)
+ {
+! char *x;
+!
+! /* If the command parses to something other than a straight
+! function definition, or if we have not consumed the entire
+! string, or if the parser has transformed the function
+! name (as parsing will if it begins or ends with shell
+! whitespace, for example), reject the attempt */
+! if (command->type != cm_function_def ||
+! ((x = parser_remaining_input ()) && *x) ||
+! (STREQ (from_file, command->value.Function_def->name->word) == 0))
+! {
+! internal_warning (_("%s: ignoring function definition attempt"), from_file);
+! should_jump_to_top_level = 0;
+! last_result = last_command_exit_value = EX_BADUSAGE;
+! reset_parser ();
+! break;
+! }
+ }
+
+***************
+*** 332,336 ****
+
+ if (flags & SEVAL_ONECMD)
+! break;
+ }
+ }
+--- 345,352 ----
+
+ if (flags & SEVAL_ONECMD)
+! {
+! reset_parser ();
+! break;
+! }
+ }
+ }
+*** ../bash-4.2.52/parse.y 2014-09-30 19:24:19.000000000 -0400
+--- parse.y 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 2436,2439 ****
+--- 2436,2449 ----
+ }
+
++ char *
++ parser_remaining_input ()
++ {
++ if (shell_input_line == 0)
++ return 0;
++ if (shell_input_line_index < 0 || shell_input_line_index >= shell_input_line_len)
++ return '\0'; /* XXX */
++ return (shell_input_line + shell_input_line_index);
++ }
++
+ #ifdef INCLUDE_UNUSED
+ /* Back the input pointer up by one, effectively `ungetting' a character. */
+***************
+*** 3891,3896 ****
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+! if (interactive)
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+--- 3901,3906 ----
+ /* reset_parser clears shell_input_line and associated variables */
+ restore_input_line_state (&ls);
+!
+! token_to_read = 0;
+
+ /* Need to find how many characters parse_and_execute consumed, update
+*** ../bash-4.2.52/shell.h 2011-11-21 18:03:32.000000000 -0500
+--- shell.h 2014-10-04 15:00:26.000000000 -0400
+***************
+*** 178,181 ****
+--- 178,183 ----
+
+ /* Let's try declaring these here. */
++ extern char *parser_remaining_input __P((void));
++
+ extern sh_parser_state_t *save_parser_state __P((sh_parser_state_t *));
+ extern void restore_parser_state __P((sh_parser_state_t *));
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 34e9047..069a547 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -1,12 +1,12 @@ #% define beta_tag rc2 -%define patchleveltag .45 +%define patchleveltag .46 %define baseversion 4.2 %bcond_without tests Version: %{baseversion}%{patchleveltag} Name: bash Summary: The GNU Bourne Again shell -Release: 5%{?dist}.4 +Release: 12%{?dist} Group: System Environment/Shells License: GPLv3+ Url: http://www.gnu.org/software/bash
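Review bot: In the parse.y part of bash42-053, `parser_remaining_input ()` returns the character constant `'\0'` from a function declared `char *` (the line is tagged `/* XXX */`); it converts to a null pointer, so the caller's `(x = parser_remaining_input ()) && *x` test still works, but `return (char *)NULL;` would say what is meant. That path reports an out-of-range `shell_input_line_index` the same way as a missing input line, and the SEVAL_FUNCDEF check in evalstring.c reads both as "nothing left over"; a one-line comment stating this is intended would help, since that check is what rejects text trailing an imported function definition. The file is an upstream patch imported as-is, so any change belongs upstream rather than in this copy.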
@@ -65,6 +65,10 @@ Patch042: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-042 Patch043: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-043 Patch044: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-044 Patch045: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-045 +Patch046: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-046 +#1175647 - shellshock related parser bugs +Patch052: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-052 +Patch053: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-053 # Other patches Patch101: bash-2.02-security.patch @@ -116,8 +120,26 @@ Patch125: bash-4.2-size_type.patch Patch126: bash-4.2-missing_closes.patch Patch127: bash-4.1-trap.patch -# 1141647 -Patch128: bash-4.2-env-inject.patch +# 1112709 - mention ulimit -c and -f POSIX block size +Patch128: bash-4.2-man-ulimit.patch + +# 1116301 - inhibit brace expansion in some cases +Patch129: bash-4.2-brace-expand.patch + +# 1102813 - fix bash visual mode +Patch130: bash-4.2-noecho.patch + +# 1126370 - provide a better description for some bash builtins +Patch131: bash-4.2-manpage.patch + +# 1126396 - prevent bash from hanging with certain history settings +Patch132: bash-4.2-history-hang.patch + +# 1126401 - properly document extglob behaviour +Patch133: bash-4.2-extglob-man.patch + +# 1141648 - properly document extglob behaviour +Patch134: bash-4.2-env-inject.patch # 1146324 - cve-2014-7169 @@ -198,6 +220,7 @@ This package contains documentation files for %{name}. %patch043 -p0 -b .043 %patch044 -p0 -b .044 %patch045 -p0 -b .045 +%patch046 -p0 -b .046 # Other patches %patch101 -p1 -b .security 
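Review bot: The comment added above `Patch134: bash-4.2-env-inject.patch` in the `@@ -116,8 +120,26 @@` hunk reads `# 1141648 - properly document extglob behaviour`, which repeats the Patch133 comment and does not describe this patch. The changelog in this same commit lists #1141648 as "check for fishy environment", so the line should read `# 1141648 - check for fishy environment`. Anyone auditing which patch addresses which bug would otherwise take the environment-import patch for a man-page change.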
@@ -227,11 +250,18 @@ This package contains documentation files for %{name}. %patch125 -p1 -b .size_type %patch126 -p1 -b .missing_closes %patch127 -p1 -b .trap -%patch128 -p0 -b .inject +%patch128 -p1 -b .ulimit +%patch129 -p1 -b .expand +%patch130 -p1 -b .noecho +%patch131 -p1 -b .manpage +%patch132 -p1 -b .hang +%patch133 -p1 -b .man +%patch134 -p0 -b .inject %patch135 -p0 -b .7169-0 %patch136 -p0 -b .7169-1 %patch137 -p0 -b .7169-2 - +%patch052 -p0 -b .052 +%patch053 -p0 -b .053 echo %{version} > _distribution echo %{release} > _patchlevel @@ -424,21 +454,54 @@ end #%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt %changelog -* Thu Sep 25 2014 Ondrej Oprala - 4.2.45-5.4 +* Sun Jan 11 2015 Ondrej Oprala - 4.2.46-12 +- Shellshock related parser bugs - patches + Related: #1175647 + +* Thu Jan 08 2015 Ondrej Oprala - 4.2.46-11 +- Shellshock related parser bugs (actually upstream patches 52 and 53) + Resolves: #1175647 + +* Fri Sep 26 2014 Michal Hlavinka - 4.2.46-10 - CVE-2014-7169 - Resolves: #1146324 + Resolves: #1146325 +- amend #1146324 patch to match upstream's + +* Mon Sep 15 2014 Ondrej Oprala - 4.2.46-9 +- fix-up the patch + Related: #1141648 + +* Mon Sep 15 2014 Ondrej Oprala - 4.2.46-8 +- check for fishy environment + Resolves: #1141648 + +* Mon Aug 04 2014 Ondrej Oprala - 4.2.46-7 +- Properly document extglob behaviour + Resolves: #1126401 + +* Mon Aug 04 2014 Ondrej Oprala - 4.2.46-6 +- Prevent bash from hanging with certain history settings + Resolves: #1126396 + +* Mon Aug 04 2014 Ondrej Oprala - 4.2.46-5 +- Document continue, break and suspend + Resolves: #1126370 + +* Wed Jul 24 2014 Ondrej Oprala - 4.2.45-5.3 -- amend patch to match upstream's - Related: #1146324 +* Tue Jul 22 2014 Ondrej Oprala - 4.2.45-5 - Mass rebuild 2014-01-24
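Review bot: In the `@@ -227,11 +250,18 @@` hunk, `%patch052` and `%patch053` are applied after `%patch137` instead of alongside the other upstream bash42-0NN patches, and nothing explains the order. The removed lines of bash42-053 already contain the `SEVAL_FUNCDEF` check, so it presumably has to follow the patches that introduce that check. A comment above the two lines, e.g. `# upstream 052/053 build on the env-inject and CVE-2014-7169 patches; keep them last`, would stop a later cleanup from moving them back into numeric order.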