diff --git a/lfs/bash b/lfs/bash index fd68e8805..dbee213c2 100644 --- a/lfs/bash +++ b/lfs/bash @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config VER = 5.3 -PATCHVER = 9 +PATCHVER = 15 THISAPP = bash-$(VER) DL_FILE = $(THISAPP).tar.gz diff --git a/src/patches/bash/bash53-010 b/src/patches/bash/bash53-010 new file mode 100644 index 000000000..3797675a0 --- /dev/null +++ b/src/patches/bash/bash53-010 @@ -0,0 +1,49 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-010 + +Bug-Reported-by: Aleksey Covacevice +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-01/msg00003.html + +Bug-Description: + +Patch (apply with `patch -p0'): + +Under some circumstances, a subshell or asynchronous job with an active +EXIT trap that contains a call to `wait' can loop trying to wait for +processes that are not its children. It usually inherits these jobs from +its parent in the jobs list. + +*** ../bash-5.3-patched/jobs.c Fri Jul 25 08:53:22 2025 +--- jobs.c Fri Jan 9 10:21:03 2026 +*************** +*** 2840,2844 **** + ps->status = (r < 0 || r > 256) ? 127 : r; + } +! if (r == -1 && errno == ECHILD) + { + /* If we're mistaken about job state, compensate. */ +--- 2842,2846 ---- + ps->status = (r < 0 || r > 256) ? 127 : r; + } +! if ((r < 0 || r > 256) && errno == ECHILD) + { + /* If we're mistaken about job state, compensate. */ +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 9 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 10 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-011 b/src/patches/bash/bash53-011 new file mode 100644 index 000000000..5aa8b9222 --- /dev/null +++ b/src/patches/bash/bash53-011 @@ -0,0 +1,70 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-011 + +Bug-Reported-by: Philippe Grégoire +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +If a `mapfile' callback unsets the array variable `mapfile' is using to save +the lines it reads, `mapfile' can try to reference freed memory, which can +cause corruption or shell crashes. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/mapfile.def Mon May 6 11:58:48 2024 +--- builtins/mapfile.def Mon May 25 16:23:50 2026 +*************** +*** 154,160 **** + unbuffered_read = 0; + +! /* The following check should be done before reading any lines. Doing it +! here allows us to call bind_array_element instead of bind_array_variable +! and skip the variable lookup on every call. */ + entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); + if (entry == 0) +--- 154,158 ---- + unbuffered_read = 0; + +! /* The following check should be done before reading any lines. */ + entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); + if (entry == 0) +*************** +*** 202,207 **** + } + +! /* XXX - bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type. */ + bind_array_element (entry, array_index, line, 0); + +--- 200,210 ---- + } + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! + bind_array_element (entry, array_index, line, 0); + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 10 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 11 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-012 b/src/patches/bash/bash53-012 new file mode 100644 index 000000000..aac53bc72 --- /dev/null +++ b/src/patches/bash/bash53-012 @@ -0,0 +1,80 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-012 + +Bug-Reported-by: earl_chew@yahoo.com +Bug-Reference-ID: +Bug-Reference-URL: https://savannah.gnu.org/bugs/?67745 + +Bug-Description: + +If a subshell with an inherited EXIT trap receives a fatal signal before +it clears the exit trap, and before it restores its original signal +handlers, it's possible for it to inappropriately run the inherited EXIT +trap. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/execute_cmd.c Thu Jun 5 11:02:01 2025 +--- execute_cmd.c Fri Jan 9 10:21:30 2026 +*************** +*** 1644,1648 **** + if (user_subshell) + { +! subshell_environment = SUBSHELL_PAREN; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +--- 1681,1685 ---- + if (user_subshell) + { +! subshell_environment = SUBSHELL_PAREN|SUBSHELL_IGNTRAP; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +*************** +*** 1650,1654 **** + else + { +! subshell_environment = 0; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +--- 1687,1691 ---- + else + { +! subshell_environment = SUBSHELL_IGNTRAP; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +*** ../bash-5.3-patched/sig.c Wed Dec 18 15:52:06 2024 +--- sig.c Fri Jan 9 10:21:43 2026 +*************** +*** 639,643 **** + comsub_ignore_return = return_catch_flag = wait_intr_flag = 0; + +! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */ + + kill_shell (sig); +--- 645,652 ---- + comsub_ignore_return = return_catch_flag = wait_intr_flag = 0; + +! /* Don't run the exit trap if we're supposed to be ignoring traps in a +! subshell environment. */ +! if ((subshell_environment & SUBSHELL_IGNTRAP) == 0) +! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */ + + kill_shell (sig); +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 11 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 12 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-013 b/src/patches/bash/bash53-013 new file mode 100644 index 000000000..16ff707c7 --- /dev/null +++ b/src/patches/bash/bash53-013 @@ -0,0 +1,54 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-013 + +Bug-Reported-by: Florian Schmaus +Bug-Reference-ID: +Bug-Reference-URL: https://savannah.gnu.org/bugs/?67586 + +Bug-Description: + +Comparing the value of a pointer returned from realloc/xrealloc to the +original pointer passed is technically undefined behavior, which matters +under some circumstances. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025 +--- builtins/read.def Thu Nov 20 15:10:20 2025 +*************** +*** 789,794 **** + x = (char *)xrealloc (input_string, size += 128); + +! /* Only need to change unwind-protect if input_string changes */ + if (x != input_string) + { + input_string = x; +--- 816,824 ---- + x = (char *)xrealloc (input_string, size += 128); + +! #if 0 +! /* This is, in theory, undefined behavior, since input_string may +! have been freed. */ + if (x != input_string) ++ #endif + { + input_string = x; + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 12 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 13 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-014 b/src/patches/bash/bash53-014 new file mode 100644 index 000000000..d52d34d29 --- /dev/null +++ b/src/patches/bash/bash53-014 @@ -0,0 +1,68 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-014 + +Bug-Reported-by: Grisha Levit +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-06/msg00022.html + +Bug-Description: + +Bash-5.3 patch 11 included an inadvertent extra line, which this patch +removes. This also takes the opportunity to improve that patch, by looking +up the variable each time through the line-reading loop only if there is +a callback and it is invoked. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/mapfile.def Sat Jun 6 13:31:02 2026 +--- builtins/mapfile.def Sat Jun 6 13:51:55 2026 +*************** +*** 198,211 **** + + run_callback (callback, array_index, line); +- } + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! +! bind_array_element (entry, array_index, line, 0); + + /* Have we exceeded # of lines to store? */ +--- 198,211 ---- + + run_callback (callback, array_index, line); + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! } +! else +! bind_array_element (entry, array_index, line, 0); + + /* Have we exceeded # of lines to store? */ + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 13 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 14 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-015 b/src/patches/bash/bash53-015 new file mode 100644 index 000000000..861b3cac0 --- /dev/null +++ b/src/patches/bash/bash53-015 @@ -0,0 +1,79 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-015 + +Bug-Reported-by: Duncan Roe + Grisha Levit +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-09/msg00162.html + https://lists.gnu.org/archive/html/bug-bash/2025-10/msg00013.html + +Bug-Description: + +There are circumstances under which index -1 is used to reference into +the input buffer used by the `read' builtin. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025 +--- builtins/read.def Thu Nov 6 16:51:14 2025 +*************** +*** 539,543 **** + protects, then restore input_string so we can use it later */ + orig_input_string = 0; +! input_string[i] = '\0'; /* make sure it's terminated */ + if (i == 0) + { +--- 568,573 ---- + protects, then restore input_string so we can use it later */ + orig_input_string = 0; +! if (i >= 0) +! input_string[i] = '\0'; /* make sure it's terminated */ + if (i == 0) + { +*************** +*** 593,598 **** + + ttset = ttattrs; +! i = silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset); +! if (i < 0) + sh_ttyerror (1); + tty_modified = 1; +--- 623,627 ---- + + ttset = ttattrs; +! if ((silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset)) < 0) + sh_ttyerror (1); + tty_modified = 1; +*************** +*** 610,615 **** + + ttset = ttattrs; +! i = ttfd_noecho (fd, &ttset); /* ttnoecho (); */ +! if (i < 0) + sh_ttyerror (1); + +--- 639,643 ---- + + ttset = ttattrs; +! if (ttfd_noecho (fd, &ttset) < 0) + sh_ttyerror (1); + + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 14 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 15 + + #endif /* _PATCHLEVEL_H_ */