From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] bash: Update to version 5.3 patch 15
Date: Wed, 10 Jun 2026 21:01:47 +0200 [thread overview]
Message-ID: <20260610190208.3662425-2-adolf.belka@ipfire.org> (raw)
In-Reply-To: <20260610190208.3662425-1-adolf.belka@ipfire.org>
- Update from version 5.3 patch 9 to 5.3 patch 15
- No change in rootfile
- Changelog
patch 10
Under some circumstances, a subshell or asynchronous job with an active
EXIT trap that contains a call to `wait' can loop trying to wait for
processes that are not its children. It usually inherits these jobs from
its parent in the jobs list.
patch 11
If a `mapfile' callback unsets the array variable `mapfile' is using to save
the lines it reads, `mapfile' can try to reference freed memory, which can
cause corruption or shell crashes.
patch 12
If a subshell with an inherited EXIT trap receives a fatal signal before
it clears the exit trap, and before it restores its original signal
handlers, it's possible for it to inappropriately run the inherited EXIT
trap.
patch 13
Comparing the value of a pointer returned from realloc/xrealloc to the
original pointer passed is technically undefined behavior, which matters
under some circumstances.
patch 14
Bash-5.3 patch 11 included an inadvertent extra line, which this patch
removes. This also takes the opportunity to improve that patch, by looking
up the variable each time through the line-reading loop only if there is
a callback and it is invoked.
patch 15
There are circumstances under which index -1 is used to reference into
the input buffer used by the `read' builtin.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/bash | 4 +-
src/patches/bash/bash53-010 | 49 +++++++++++++++++++++++
src/patches/bash/bash53-011 | 70 ++++++++++++++++++++++++++++++++
src/patches/bash/bash53-012 | 80 +++++++++++++++++++++++++++++++++++++
src/patches/bash/bash53-013 | 54 +++++++++++++++++++++++++
src/patches/bash/bash53-014 | 68 +++++++++++++++++++++++++++++++
src/patches/bash/bash53-015 | 79 ++++++++++++++++++++++++++++++++++++
7 files changed, 402 insertions(+), 2 deletions(-)
create mode 100644 src/patches/bash/bash53-010
create mode 100644 src/patches/bash/bash53-011
create mode 100644 src/patches/bash/bash53-012
create mode 100644 src/patches/bash/bash53-013
create mode 100644 src/patches/bash/bash53-014
create mode 100644 src/patches/bash/bash53-015
diff --git a/lfs/bash b/lfs/bash
index fd68e8805..dbee213c2 100644
--- a/lfs/bash
+++ b/lfs/bash
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -25,7 +25,7 @@
include Config
VER = 5.3
-PATCHVER = 9
+PATCHVER = 15
THISAPP = bash-$(VER)
DL_FILE = $(THISAPP).tar.gz
diff --git a/src/patches/bash/bash53-010 b/src/patches/bash/bash53-010
new file mode 100644
index 000000000..3797675a0
--- /dev/null
+++ b/src/patches/bash/bash53-010
@@ -0,0 +1,49 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-010
+
+Bug-Reported-by: Aleksey Covacevice <aleksey.covacevice@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-01/msg00003.html
+
+Bug-Description:
+
+Patch (apply with `patch -p0'):
+
+Under some circumstances, a subshell or asynchronous job with an active
+EXIT trap that contains a call to `wait' can loop trying to wait for
+processes that are not its children. It usually inherits these jobs from
+its parent in the jobs list.
+
+*** ../bash-5.3-patched/jobs.c Fri Jul 25 08:53:22 2025
+--- jobs.c Fri Jan 9 10:21:03 2026
+***************
+*** 2840,2844 ****
+ ps->status = (r < 0 || r > 256) ? 127 : r;
+ }
+! if (r == -1 && errno == ECHILD)
+ {
+ /* If we're mistaken about job state, compensate. */
+--- 2842,2846 ----
+ ps->status = (r < 0 || r > 256) ? 127 : r;
+ }
+! if ((r < 0 || r > 256) && errno == ECHILD)
+ {
+ /* If we're mistaken about job state, compensate. */
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 9
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-011 b/src/patches/bash/bash53-011
new file mode 100644
index 000000000..5aa8b9222
--- /dev/null
+++ b/src/patches/bash/bash53-011
@@ -0,0 +1,70 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-011
+
+Bug-Reported-by: Philippe Grégoire <git@pgregoire.xyz>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+If a `mapfile' callback unsets the array variable `mapfile' is using to save
+the lines it reads, `mapfile' can try to reference freed memory, which can
+cause corruption or shell crashes.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/mapfile.def Mon May 6 11:58:48 2024
+--- builtins/mapfile.def Mon May 25 16:23:50 2026
+***************
+*** 154,160 ****
+ unbuffered_read = 0;
+
+! /* The following check should be done before reading any lines. Doing it
+! here allows us to call bind_array_element instead of bind_array_variable
+! and skip the variable lookup on every call. */
+ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
+ if (entry == 0)
+--- 154,158 ----
+ unbuffered_read = 0;
+
+! /* The following check should be done before reading any lines. */
+ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
+ if (entry == 0)
+***************
+*** 202,207 ****
+ }
+
+! /* XXX - bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type. */
+ bind_array_element (entry, array_index, line, 0);
+
+--- 200,210 ----
+ }
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+!
+ bind_array_element (entry, array_index, line, 0);
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 10
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 11
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-012 b/src/patches/bash/bash53-012
new file mode 100644
index 000000000..aac53bc72
--- /dev/null
+++ b/src/patches/bash/bash53-012
@@ -0,0 +1,80 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-012
+
+Bug-Reported-by: earl_chew@yahoo.com
+Bug-Reference-ID:
+Bug-Reference-URL: https://savannah.gnu.org/bugs/?67745
+
+Bug-Description:
+
+If a subshell with an inherited EXIT trap receives a fatal signal before
+it clears the exit trap, and before it restores its original signal
+handlers, it's possible for it to inappropriately run the inherited EXIT
+trap.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/execute_cmd.c Thu Jun 5 11:02:01 2025
+--- execute_cmd.c Fri Jan 9 10:21:30 2026
+***************
+*** 1644,1648 ****
+ if (user_subshell)
+ {
+! subshell_environment = SUBSHELL_PAREN; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+--- 1681,1685 ----
+ if (user_subshell)
+ {
+! subshell_environment = SUBSHELL_PAREN|SUBSHELL_IGNTRAP; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+***************
+*** 1650,1654 ****
+ else
+ {
+! subshell_environment = 0; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+--- 1687,1691 ----
+ else
+ {
+! subshell_environment = SUBSHELL_IGNTRAP; /* XXX */
+ if (asynchronous)
+ subshell_environment |= SUBSHELL_ASYNC;
+*** ../bash-5.3-patched/sig.c Wed Dec 18 15:52:06 2024
+--- sig.c Fri Jan 9 10:21:43 2026
+***************
+*** 639,643 ****
+ comsub_ignore_return = return_catch_flag = wait_intr_flag = 0;
+
+! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */
+
+ kill_shell (sig);
+--- 645,652 ----
+ comsub_ignore_return = return_catch_flag = wait_intr_flag = 0;
+
+! /* Don't run the exit trap if we're supposed to be ignoring traps in a
+! subshell environment. */
+! if ((subshell_environment & SUBSHELL_IGNTRAP) == 0)
+! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */
+
+ kill_shell (sig);
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 11
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 12
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-013 b/src/patches/bash/bash53-013
new file mode 100644
index 000000000..16ff707c7
--- /dev/null
+++ b/src/patches/bash/bash53-013
@@ -0,0 +1,54 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-013
+
+Bug-Reported-by: Florian Schmaus <flo@geekplace.eu>
+Bug-Reference-ID:
+Bug-Reference-URL: https://savannah.gnu.org/bugs/?67586
+
+Bug-Description:
+
+Comparing the value of a pointer returned from realloc/xrealloc to the
+original pointer passed is technically undefined behavior, which matters
+under some circumstances.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025
+--- builtins/read.def Thu Nov 20 15:10:20 2025
+***************
+*** 789,794 ****
+ x = (char *)xrealloc (input_string, size += 128);
+
+! /* Only need to change unwind-protect if input_string changes */
+ if (x != input_string)
+ {
+ input_string = x;
+--- 816,824 ----
+ x = (char *)xrealloc (input_string, size += 128);
+
+! #if 0
+! /* This is, in theory, undefined behavior, since input_string may
+! have been freed. */
+ if (x != input_string)
++ #endif
+ {
+ input_string = x;
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 12
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 13
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-014 b/src/patches/bash/bash53-014
new file mode 100644
index 000000000..d52d34d29
--- /dev/null
+++ b/src/patches/bash/bash53-014
@@ -0,0 +1,68 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-014
+
+Bug-Reported-by: Grisha Levit <grishalevit@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-06/msg00022.html
+
+Bug-Description:
+
+Bash-5.3 patch 11 included an inadvertent extra line, which this patch
+removes. This also takes the opportunity to improve that patch, by looking
+up the variable each time through the line-reading loop only if there is
+a callback and it is invoked.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/mapfile.def Sat Jun 6 13:31:02 2026
+--- builtins/mapfile.def Sat Jun 6 13:51:55 2026
+***************
+*** 198,211 ****
+
+ run_callback (callback, array_index, line);
+- }
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+!
+! bind_array_element (entry, array_index, line, 0);
+
+ /* Have we exceeded # of lines to store? */
+--- 198,211 ----
+
+ run_callback (callback, array_index, line);
+
+! /* Bad things can happen if the callback modifies ENTRY, e.g.,
+! unsetting it or changing it to a non-indexed-array type, so we
+! look it up again every time we need to assign something */
+! entry = bind_array_variable (array_name, array_index, line, 0);
+! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
+! return EXECUTION_FAILURE;
+! }
+! else
+! bind_array_element (entry, array_index, line, 0);
+
+ /* Have we exceeded # of lines to store? */
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 13
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 14
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-015 b/src/patches/bash/bash53-015
new file mode 100644
index 000000000..861b3cac0
--- /dev/null
+++ b/src/patches/bash/bash53-015
@@ -0,0 +1,79 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-015
+
+Bug-Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
+ Grisha Levit <grishalevit@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-09/msg00162.html
+ https://lists.gnu.org/archive/html/bug-bash/2025-10/msg00013.html
+
+Bug-Description:
+
+There are circumstances under which index -1 is used to reference into
+the input buffer used by the `read' builtin.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025
+--- builtins/read.def Thu Nov 6 16:51:14 2025
+***************
+*** 539,543 ****
+ protects, then restore input_string so we can use it later */
+ orig_input_string = 0;
+! input_string[i] = '\0'; /* make sure it's terminated */
+ if (i == 0)
+ {
+--- 568,573 ----
+ protects, then restore input_string so we can use it later */
+ orig_input_string = 0;
+! if (i >= 0)
+! input_string[i] = '\0'; /* make sure it's terminated */
+ if (i == 0)
+ {
+***************
+*** 593,598 ****
+
+ ttset = ttattrs;
+! i = silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset);
+! if (i < 0)
+ sh_ttyerror (1);
+ tty_modified = 1;
+--- 623,627 ----
+
+ ttset = ttattrs;
+! if ((silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset)) < 0)
+ sh_ttyerror (1);
+ tty_modified = 1;
+***************
+*** 610,615 ****
+
+ ttset = ttattrs;
+! i = ttfd_noecho (fd, &ttset); /* ttnoecho (); */
+! if (i < 0)
+ sh_ttyerror (1);
+
+--- 639,643 ----
+
+ ttset = ttattrs;
+! if (ttfd_noecho (fd, &ttset) < 0)
+ sh_ttyerror (1);
+
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 14
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 15
+
+ #endif /* _PATCHLEVEL_H_ */
--
2.54.0
next prev parent reply other threads:[~2026-06-10 19:02 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 19:01 [PATCH] alsa: Update to version 1.2.16 Adolf Belka
2026-06-10 19:01 ` Adolf Belka [this message]
2026-06-10 19:01 ` [PATCH] core204: Ship bash Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship harfbuzz Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship hwdata Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship kbd Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship less Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship sqlite Adolf Belka
2026-06-10 19:01 ` [PATCH] core204: Ship wireless-regdb Adolf Belka
2026-06-10 19:01 ` [PATCH] harfbuzz: Update to version 14.2.1 Adolf Belka
2026-06-10 19:01 ` [PATCH] hwdata: Update to version 0.408 Adolf Belka
2026-06-10 19:01 ` [PATCH] kbd: Update to version 2.10.0 Adolf Belka
2026-06-10 19:01 ` [PATCH] less; Update to version 704 Adolf Belka
2026-06-10 19:01 ` [PATCH] sqlite: Update to version 3530200 Adolf Belka
2026-06-10 19:02 ` [PATCH] wireless-regdb: Update to version 2026.05.30 Adolf Belka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610190208.3662425-2-adolf.belka@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox