@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -25,7 +25,7 @@
include Config
VER = 5.3
-PATCHVER = 9
+PATCHVER = 15
THISAPP = bash-$(VER)
DL_FILE = $(THISAPP).tar.gz
new file mode 100644
@@ -0,0 +1,49 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-010
+
+Bug-Reported-by: Aleksey Covacevice <aleksey.covacevice@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-01/msg00003.html
+
+Bug-Description:
+
+Patch (apply with `patch -p0'):
+
+Under some circumstances, a subshell or asynchronous job with an active
+EXIT trap that contains a call to `wait' can loop trying to wait for
+processes that are not its children. It usually inherits these jobs from
+its parent in the jobs list.
+
+*** ../bash-5.3-patched/jobs.c Fri Jul 25 08:53:22 2025
+--- jobs.c Fri Jan 9 10:21:03 2026
+***************
+*** 2840,2844 ****
+ ps->status = (r < 0 || r > 256) ? 127 : r;
+ }
+! if (r == -1 && errno == ECHILD)
+ {
+ /* If we're mistaken about job state, compensate. */
+--- 2842,2846 ----
+ ps->status = (r < 0 || r > 256) ? 127 : r;
+ }
+! if ((r < 0 || r > 256) && errno == ECHILD)
+ {
+ /* If we're mistaken about job state, compensate. */
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 9
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
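Review bot: The range test `(r < 0 || r > 256)` in the jobs.c hunk now appears on two adjacent statements, once for `ps->status` and once for the ECHILD check, with nothing saying what a value above 256 means. Computing it once, e.g. `int bad_status = (r < 0 || r > 256);`, and adding a one-line comment on what the out-of-range values represent would keep the two uses from drifting apart. The new condition also relies on `errno` still holding the value left by the wait call. The assignment of `r` is outside the hunk, so it is worth confirming that nothing between that call and this test can overwrite `errno`.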
new file mode 100644
@@ -0,0 +1,70 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-011
+
+Bug-Reported-by: Philippe Grégoire <git@pgregoire.xyz>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+If a `mapfile' callback unsets the array variable `mapfile' is using to save
+the lines it reads, `mapfile' can try to reference freed memory, which can
+cause corruption or shell crashes.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/mapfile.def Mon May 6 11:58:48 2024
+--- builtins/mapfile.def Mon May 25 16:23:50 2026
+***************
+*** 154,160 ****
+ unbuffered_read = 0;
+
+! /* The following check should be done before reading any lines. Doing it
+! here allows us to call bind_array_element instead of bind_array_variable
+! and skip the variable lookup on every call. */
+ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
+ if (entry == 0)
+--- 154,158 ----
+ unbuffered_read = 0;
+
+! /* The following check should be done before reading any lines. */
+ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
+ if (entry == 0)
+***************
+*** 202,207 ****
+ }
+
+! /* XXX - bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type. */
+ bind_array_element (entry, array_index, line, 0);
+
+--- 200,210 ----
+ }
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+!
+ bind_array_element (entry, array_index, line, 0);
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 11
+
+ #endif /* _PATCHLEVEL_H_ */
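Review bot: In the second mapfile.def hunk the added `return EXECUTION_FAILURE;` leaves the line-reading loop from the middle. The cleanup that follows the loop is outside the hunk, so confirm the early return does not skip freeing `line` or any descriptor resynchronisation. The same early return is carried into bash53-014. As written here, the new `bind_array_variable` call is followed by the old `bind_array_element (entry, array_index, line, 0);`, so each line is stored twice. bash53-014 in this same commit removes the second store, so 011 should not be shipped without it. A short comment at the return, such as `/* array was unset or made unassignable by the callback; stop reading */`, would make the failure path clear.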
new file mode 100644
@@ -0,0 +1,80 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-012
+
+Bug-Reported-by: earl_chew@yahoo.com
+Bug-Reference-ID:
+Bug-Reference-URL: https://savannah.gnu.org/bugs/?67745
+
+Bug-Description:
+
+If a subshell with an inherited EXIT trap receives a fatal signal before
+it clears the exit trap, and before it restores its original signal
+handlers, it's possible for it to inappropriately run the inherited EXIT
+trap.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/execute_cmd.c Thu Jun 5 11:02:01 2025
+--- execute_cmd.c Fri Jan 9 10:21:30 2026
+***************
+*** 1644,1648 ****
+ if (user_subshell)
+ {
+! subshell_environment = SUBSHELL_PAREN; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+--- 1681,1685 ----
+ if (user_subshell)
+ {
+! subshell_environment = SUBSHELL_PAREN|SUBSHELL_IGNTRAP; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+***************
+*** 1650,1654 ****
+ else
+ {
+! subshell_environment = 0; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+--- 1687,1691 ----
+ else
+ {
+! subshell_environment = SUBSHELL_IGNTRAP; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+*** ../bash-5.3-patched/sig.c Wed Dec 18 15:52:06 2024
+--- sig.c Fri Jan 9 10:21:43 2026
+***************
+*** 639,643 ****
+ comsub_ignore_return = return_catch_flag = wait_intr_flag = 0;
+
+! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */
+
+ kill_shell (sig);
+--- 645,652 ----
+ comsub_ignore_return = return_catch_flag = wait_intr_flag = 0;
+
+! /* Don't run the exit trap if we're supposed to be ignoring traps in a
+! subshell environment. */
+! if ((subshell_environment & SUBSHELL_IGNTRAP) == 0)
+! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */
+
+ kill_shell (sig);
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 11
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 12
+
+ #endif /* _PATCHLEVEL_H_ */
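Review bot: Nothing in these hunks shows where `SUBSHELL_IGNTRAP` is cleared again after the two assignments in execute_cmd.c. The new guard in sig.c skips `run_exit_trap ()` whenever the bit is set. If the bit outlived the point where the subshell resets its inherited traps, an EXIT trap installed by the subshell itself would also be skipped on a fatal signal. The clearing is presumably done where the traps are reset, but that code is outside the hunk and worth verifying. Both assignments still carry a bare `/* XXX */`, and replacing it with something like `/* ignore inherited traps until they are reset in the child */` would document the dependency.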
new file mode 100644
@@ -0,0 +1,54 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-013
+
+Bug-Reported-by: Florian Schmaus <flo@geekplace.eu>
+Bug-Reference-ID:
+Bug-Reference-URL: https://savannah.gnu.org/bugs/?67586
+
+Bug-Description:
+
+Comparing the value of a pointer returned from realloc/xrealloc to the
+original pointer passed is technically undefined behavior, which matters
+under some circumstances.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025
+--- builtins/read.def Thu Nov 20 15:10:20 2025
+***************
+*** 789,794 ****
+ x = (char *)xrealloc (input_string, size += 128);
+
+! /* Only need to change unwind-protect if input_string changes */
+ if (x != input_string)
+ {
+ input_string = x;
+--- 816,824 ----
+ x = (char *)xrealloc (input_string, size += 128);
+
+! #if 0
+! /* This is, in theory, undefined behavior, since input_string may
+! have been freed. */
+ if (x != input_string)
++ #endif
+ {
+ input_string = x;
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 12
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 13
+
+ #endif /* _PATCHLEVEL_H_ */
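Review bot: The read.def hunk disables the `if (x != input_string)` test with `#if 0` instead of deleting it, leaving dead code around a block that now runs after every `xrealloc`. Removing the conditional and keeping a single comment would read better, for example `/* always refresh: comparing x with the old input_string value is undefined once xrealloc may have freed it */`. The braced block continues outside the hunk, so confirm that running it on every growth step, rather than only when the pointer moved, is harmless for whatever unwind-protect bookkeeping it performs.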
new file mode 100644
@@ -0,0 +1,68 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-014
+
+Bug-Reported-by: Grisha Levit <grishalevit@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-06/msg00022.html
+
+Bug-Description:
+
+Bash-5.3 patch 11 included an inadvertent extra line, which this patch
+removes. This also takes the opportunity to improve that patch, by looking
+up the variable each time through the line-reading loop only if there is
+a callback and it is invoked.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/mapfile.def Sat Jun 6 13:31:02 2026
+--- builtins/mapfile.def Sat Jun 6 13:51:55 2026
+***************
+*** 198,211 ****
+
+ run_callback (callback, array_index, line);
+- }
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+!
+! bind_array_element (entry, array_index, line, 0);
+
+ /* Have we exceeded # of lines to store? */
+--- 198,211 ----
+
+ run_callback (callback, array_index, line);
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+! }
+! else
+! bind_array_element (entry, array_index, line, 0);
+
+ /* Have we exceeded # of lines to store? */
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 13
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 14
+
+ #endif /* _PATCHLEVEL_H_ */
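Review bot: The comment kept in the new side of the mapfile.def hunk still says the array is looked up "every time we need to assign something", which no longer matches the code. The lookup through `bind_array_variable` now happens only in the branch that ran the callback, and the `else` branch reuses the cached `entry` with `bind_array_element`. A wording such as `/* The callback may have unset or retyped ENTRY, so look the array up again by name after it runs. */` would match the behaviour. The condition that opens this branch is outside the hunk.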
new file mode 100644
@@ -0,0 +1,79 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-015
+
+Bug-Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
+ Grisha Levit <grishalevit@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-09/msg00162.html
+ https://lists.gnu.org/archive/html/bug-bash/2025-10/msg00013.html
+
+Bug-Description:
+
+There are circumstances under which index -1 is used to reference into
+the input buffer used by the `read' builtin.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025
+--- builtins/read.def Thu Nov 6 16:51:14 2025
+***************
+*** 539,543 ****
+ protects, then restore input_string so we can use it later */
+ orig_input_string = 0;
+! input_string[i] = '\0'; /* make sure it's terminated */
+ if (i == 0)
+ {
+--- 568,573 ----
+ protects, then restore input_string so we can use it later */
+ orig_input_string = 0;
+! if (i >= 0)
+! input_string[i] = '\0'; /* make sure it's terminated */
+ if (i == 0)
+ {
+***************
+*** 593,598 ****
+
+ ttset = ttattrs;
+! i = silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset);
+! if (i < 0)
+ sh_ttyerror (1);
+ tty_modified = 1;
+--- 623,627 ----
+
+ ttset = ttattrs;
+! if ((silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset)) < 0)
+ sh_ttyerror (1);
+ tty_modified = 1;
+***************
+*** 610,615 ****
+
+ ttset = ttattrs;
+! i = ttfd_noecho (fd, &ttset); /* ttnoecho (); */
+! if (i < 0)
+ sh_ttyerror (1);
+
+--- 639,643 ----
+
+ ttset = ttattrs;
+! if (ttfd_noecho (fd, &ttset) < 0)
+ sh_ttyerror (1);
+
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 14
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 15
+
+ #endif /* _PATCHLEVEL_H_ */
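Review bot: The new `if (i >= 0)` guard in the first read.def hunk prevents the write at index -1, but a negative `i` then leaves `input_string` without a terminator. It also falls past the `if (i == 0)` empty-input check that follows. The later two hunks stop reusing `i` for the tty call results, which may make a negative value unreachable here. The code that consumes `input_string` afterwards is outside the hunk, so this needs confirming. If a negative value can still arrive, normalising it first, e.g. `if (i < 0) i = 0;` before the terminator write, would send it down the same path as an empty read.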