void-packages/srcpkgs/bash/files/bash43-048

			     BASH PATCH REPORT
			     =================

Bash-Release:	4.3
Patch-ID:	bash43-048

Bug-Reported-by:	up201407890@alunos.dcc.fc.up.pt
Bug-Reference-ID:	<20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html

Bug-Description:

If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
and a value for $PS4 that includes a command substitution into a shell
running as root, bash will expand the command substitution as part of
expanding $PS4 when it executes a traced command.

Patch (apply with `patch -p0'):

*** ../bash-4.3-patched/variables.c	2015-11-26 12:31:21.000000000 -0500
--- variables.c	2015-12-23 10:19:01.000000000 -0500
***************
*** 496,500 ****
        set_if_not ("PS2", secondary_prompt);
      }
!   set_if_not ("PS4", "+ ");
  
    /* Don't allow IFS to be imported from the environment. */
--- 496,504 ----
        set_if_not ("PS2", secondary_prompt);
      }
! 
!   if (current_user.euid == 0)
!     bind_variable ("PS4", "+ ", 0);
!   else
!     set_if_not ("PS4", "+ ");
  
    /* Don't allow IFS to be imported from the environment. */

*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 47
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 48
  
  #endif /* _PATCHLEVEL_H_ */
bash: use local copy of patches Fetching the patches during the build is taking a lot of time, if - as in my case - the name resolution of ftp.gnu.org takes literally minutes with $XBPS_FETCH_CMD. If more patches for bash 4.3 are created, just add them to srcpkgs/bash/files and adjust _bash_patchlevel accordingly. 2017-01-17 16:37:45 +00:00			`BASH PATCH REPORT`
			`=================`

			`Bash-Release: 4.3`
			`Patch-ID: bash43-048`

			`Bug-Reported-by: up201407890@alunos.dcc.fc.up.pt`
			`Bug-Reference-ID: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>`
			`Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html`

			`Bug-Description:`

			If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
			`and a value for $PS4 that includes a command substitution into a shell`
			`running as root, bash will expand the command substitution as part of`
			`expanding $PS4 when it executes a traced command.`

			Patch (apply with `patch -p0'):

			`*** ../bash-4.3-patched/variables.c 2015-11-26 12:31:21.000000000 -0500`
			`--- variables.c 2015-12-23 10:19:01.000000000 -0500`
			`***************`
			`* 496,500 **`
			`set_if_not ("PS2", secondary_prompt);`
			`}`
			`! set_if_not ("PS4", "+ ");`

			`/* Don't allow IFS to be imported from the environment. */`
			`--- 496,504 ----`
			`set_if_not ("PS2", secondary_prompt);`
			`}`
			`!`
			`! if (current_user.euid == 0)`
			`! bind_variable ("PS4", "+ ", 0);`
			`! else`
			`! set_if_not ("PS4", "+ ");`

			`/* Don't allow IFS to be imported from the environment. */`

			`*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500`
			`--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400`
			`***************`
			`* 26,30 **`
			`looks for to find the patch level (for the sccs version string). */`

			`! #define PATCHLEVEL 47`

			`#endif /* _PATCHLEVEL_H_ */`
			`--- 26,30 ----`
			`looks for to find the patch level (for the sccs version string). */`

			`! #define PATCHLEVEL 48`

			`#endif /* _PATCHLEVEL_H_ */`