diff --git a/SOURCES/bash-4.2-leak-compound.patch b/SOURCES/bash-4.2-leak-compound.patch
new file mode 100644
index 0000000..a249084
--- /dev/null
+++ b/SOURCES/bash-4.2-leak-compound.patch
@@ -0,0 +1,12 @@
+diff -up bash-4.2/subst.c.old bash-4.2/subst.c
+--- bash-4.2/subst.c.old 2015-12-09 13:24:47.369738319 +0100
++++ bash-4.2/subst.c 2015-12-09 13:28:27.366024824 +0100
+@@ -2713,6 +2713,8 @@ do_compound_assignment (name, value, fla
+ else if (v == 0 || (array_p (v) == 0 && assoc_p (v) == 0) || v->context != variable_context)
+ v = make_local_array_variable (name);
+ assign_compound_array_list (v, list, flags);
++ if (list)
++ dispose_words (list);
+ }
+ else
+ v = assign_array_from_string (name, value, flags);
diff --git a/SOURCES/bash-4.2-missing-opt-cd.patch b/SOURCES/bash-4.2-missing-opt-cd.patch
new file mode 100644
index 0000000..5cf27cc
--- /dev/null
+++ b/SOURCES/bash-4.2-missing-opt-cd.patch
@@ -0,0 +1,12 @@
+diff -up bash-4.2/builtins/cd.def.old bash-4.2/builtins/cd.def
+--- bash-4.2/builtins/cd.def.old 2015-12-09 11:47:59.113106805 +0100
++++ bash-4.2/builtins/cd.def 2015-12-09 11:48:13.702060840 +0100
+@@ -200,7 +200,7 @@ cd_builtin (list)
+ eflag = 0;
+ no_symlinks = no_symbolic_links;
+ reset_internal_getopt ();
+- while ((opt = internal_getopt (list, "LP")) != -1)
++ while ((opt = internal_getopt (list, "LPe")) != -1)
+ {
+ switch (opt)
+ {
diff --git a/SOURCES/bash-4.3-cve-2016-0634.patch b/SOURCES/bash-4.3-cve-2016-0634.patch
new file mode 100644
index 0000000..21b821c
--- /dev/null
+++ b/SOURCES/bash-4.3-cve-2016-0634.patch
@@ -0,0 +1,95 @@
+diff --git a/parse.y b/parse.y
+index 12d6def..d4a93a2 100644
+--- a/parse.y
++++ b/parse.y
+@@ -5103,7 +5103,7 @@ decode_prompt_string (string)
+ size_t result_size;
+ int result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -5251,7 +5251,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -5337,9 +5341,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+diff --git a/y.tab.c b/y.tab.c
+index 23b88bc..1c0f5a1 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7368,7 +7368,7 @@ decode_prompt_string (string)
+ size_t result_size;
+ int result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -7513,7 +7513,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -7599,9 +7603,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+--
+2.9.3
+
diff --git a/SOURCES/bash-4.3-cve-2016-7543.patch b/SOURCES/bash-4.3-cve-2016-7543.patch
new file mode 100644
index 0000000..81ee471
--- /dev/null
+++ b/SOURCES/bash-4.3-cve-2016-7543.patch
@@ -0,0 +1,20 @@
+diff --git a/variables.c b/variables.c
+index b7ebaea..5e2986f 100644
+--- a/variables.c
++++ b/variables.c
+@@ -467,7 +467,11 @@ initialize_shell_variables (env, privmode)
+ #endif
+ set_if_not ("PS2", secondary_prompt);
+ }
+- set_if_not ("PS4", "+ ");
++
++ if (current_user.euid == 0)
++ bind_variable ("PS4", "+ ", 0);
++ else
++ set_if_not ("PS4", "+ ");
+
+ /* Don't allow IFS to be imported from the environment. */
+ temp_var = bind_variable ("IFS", " \t\n", 0);
+--
+2.9.3
+
diff --git a/SOURCES/bash-4.4-param-expansion.patch b/SOURCES/bash-4.4-param-expansion.patch
new file mode 100644
index 0000000..555477f
--- /dev/null
+++ b/SOURCES/bash-4.4-param-expansion.patch
@@ -0,0 +1,73 @@
+diff --git a/parse.y b/parse.y
+index 9a78d0c..7df7d99 100644
+--- a/parse.y
++++ b/parse.y
+@@ -4993,7 +4993,8 @@ decode_prompt_string (string)
+ struct dstack save_dstack;
+ int last_exit_value, last_comsub_pid;
+ #if defined (PROMPT_STRING_DECODE)
+- int result_size, result_index;
++ size_t result_size;
++ int result_index;
+ int c, n, i;
+ char *temp, octal_string[4];
+ struct tm *tm;
+diff --git a/subst.c b/subst.c
+index 9f15f0b..e5ffd03 100644
+--- a/subst.c
++++ b/subst.c
+@@ -644,11 +644,13 @@ unquoted_substring (substr, string)
+ INLINE char *
+ sub_append_string (source, target, indx, size)
+ char *source, *target;
+- int *indx, *size;
++ int *indx;
++ size_t *size;
+ {
+ if (source)
+ {
+- int srclen, n;
++ int n;
++ size_t srclen;
+
+ srclen = STRLEN (source);
+ if (srclen >= (int)(*size - *indx))
+@@ -7676,7 +7678,7 @@ expand_word_internal (word, quoted, isexp, contains_dollar_at, expanded_somethin
+ char *istring;
+
+ /* The current size of the above object. */
+- int istring_size;
++ size_t istring_size;
+
+ /* Index into ISTRING. */
+ int istring_index;
+diff --git a/subst.h b/subst.h
+index b06e8c2..fc66faf 100644
+--- a/subst.h
++++ b/subst.h
+@@ -127,7 +127,7 @@ extern int do_word_assignment __P((WORD_DESC *));
+ of space allocated to TARGET. SOURCE can be NULL, in which
+ case nothing happens. Gets rid of SOURCE by free ()ing it.
+ Returns TARGET in case the location has changed. */
+-extern char *sub_append_string __P((char *, char *, int *, int *));
++extern char *sub_append_string __P((char *, char *, int *, size_t *));
+
+ /* Append the textual representation of NUMBER to TARGET.
+ INDEX and SIZE are as in SUB_APPEND_STRING. */
+diff --git a/y.tab.c b/y.tab.c
+index d702554..31faa4a 100644
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7280,7 +7280,8 @@ decode_prompt_string (string)
+ struct dstack save_dstack;
+ int last_exit_value, last_comsub_pid;
+ #if defined (PROMPT_STRING_DECODE)
+- int result_size, result_index;
++ size_t result_size;
++ int result_index;
+ int c, n, i;
+ char *temp, octal_string[4];
+ struct tm *tm;
+--
+2.5.5
+
diff --git a/SOURCES/bash-4.4-pipeline-pgrp.patch b/SOURCES/bash-4.4-pipeline-pgrp.patch
new file mode 100644
index 0000000..860cd1b
--- /dev/null
+++ b/SOURCES/bash-4.4-pipeline-pgrp.patch
@@ -0,0 +1,17 @@
+diff --git a/subst.c b/subst.c
+index 1dbfb5e..049962e 100644
+--- a/subst.c
++++ b/subst.c
+@@ -5011,7 +5011,8 @@ process_substitute (string, open_for_read_in_child)
+
+ #if defined (JOB_CONTROL)
+ old_pipeline_pgrp = pipeline_pgrp;
+- pipeline_pgrp = shell_pgrp;
++ if (pipeline_pgrp == 0 || (subshell_environment & (SUBSHELL_PIPE|SUBSHELL_FORK|SUBSHELL_ASYNC)) == 0)
++ pipeline_pgrp = shell_pgrp;
+ save_pipeline (1);
+ #endif /* JOB_CONTROL */
+
+--
+2.9.3
+
diff --git a/SOURCES/bash-cve-2016-9401.patch b/SOURCES/bash-cve-2016-9401.patch
new file mode 100644
index 0000000..69eb9d7
--- /dev/null
+++ b/SOURCES/bash-cve-2016-9401.patch
@@ -0,0 +1,28 @@
+diff --git a/builtins/pushd.def b/builtins/pushd.def
+index 05b7529..4eb0132 100644
+--- a/builtins/pushd.def
++++ b/builtins/pushd.def
+@@ -353,7 +353,7 @@ popd_builtin (list)
+ break;
+ }
+
+- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
++ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+ return (EXECUTION_FAILURE);
+@@ -375,6 +375,11 @@ popd_builtin (list)
+ remove that directory from the list and shift the remainder
+ of the list into place. */
+ i = (direction == '+') ? directory_list_offset - which : which;
++ if (i < 0 || i > directory_list_offset)
++ {
++ pushd_error (directory_list_offset, which_word ? which_word : "");
++ return (EXECUTION_FAILURE);
++ }
+ free (pushd_directory_list[i]);
+ directory_list_offset--;
+
+--
+2.9.3
+
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index 922b2b6..8629605 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -6,7 +6,7 @@
Version: %{baseversion}%{patchleveltag}
Name: bash
Summary: The GNU Bourne Again shell
-Release: 21%{?dist}
+Release: 28%{?dist}
Group: System Environment/Shells
License: GPLv3+
Url: http://www.gnu.org/software/bash
@@ -165,9 +165,30 @@ Patch142: bash-4.2-enable-hyphened-fn-export.patch
#1326302
Patch143: fix-shopt-lastpipe-mode-crash.patch
-#1384521
+#1372806
Patch144: bash-4.3-trapped-signals.patch
+#1403255
+Patch145: bash-4.4-param-expansion.patch
+
+#1377496
+Patch146: bash-4.4-pipeline-pgrp.patch
+
+#1267478
+Patch147: bash-4.2-missing-opt-cd.patch
+
+#1264101 - Plug a leak related to compound assignments
+Patch148: bash-4.2-leak-compound.patch
+
+#1379237
+Patch149: bash-4.3-cve-2016-0634.patch
+
+#1426026
+Patch150: bash-4.3-cve-2016-7543.patch
+
+#1429838
+Patch151: bash-cve-2016-9401.patch
+
BuildRequires: texinfo bison
BuildRequires: ncurses-devel
BuildRequires: autoconf, gettext
@@ -290,6 +311,13 @@ This package contains documentation files for %{name}.
%patch142 -p0 -b .export
%patch143 -p1 -b .fix-shopt-lastpipe-mode
%patch144 -p1 -b .trapped-signals
+%patch145 -p1 -b .param-expansion
+%patch146 -p1 -b .pipeline-pgrp
+%patch147 -p1 -b .cd-e
+%patch148 -p1 -b .leak-compound
+%patch149 -p1 -b .cve-2016-0634
+%patch150 -p1 -b .cve-2016-7543
+%patch151 -p1 -b .cve-2016-9401
echo %{version} > _distribution
echo %{release} > _patchlevel
@@ -482,9 +510,37 @@ end
#%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
%changelog
+* Tue Mar 07 2017 Kamil Dudka <kdudka@redhat.com - 4.2.46-28
+- CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd
+ Resolves: #1429838
+
+* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com - 4.2.46-27
+- CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
+ Resolves: #1426026
+
+* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-26
+- CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
+ Resolves: #1379237
+
+* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-25
+- Plug a leak related to compound assignments
+ Resolves: #1264101
+
+* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-24
+- Recognize cd -e
+ Resolves: #1267478
+
+* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-23
+- Add a condition before setting pipeline_pgrp to shell_pgrp
+ Resolves: #1377496
+
+* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-22
+- Avoid crash in parameter expansion while expanding long strings
+ Resolves: #1403255
+
* Wed Oct 12 2016 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-21
- Fix a crash in trap signal handling
- Resolves: #1384521
+ Resolves: #1372806
* Tue Jul 12 2016 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-20
- Fix a crash when lastpipe mode is enabled