From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4gbFWs0pznz34Jx for ; Wed, 10 Jun 2026 19:02:17 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4gbFWn4f1lz336v for ; Wed, 10 Jun 2026 19:02:13 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4gbFWm2CTWz6GY; Wed, 10 Jun 2026 19:02:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1781118132; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bmBdDO8tllp+/deTTDXWwEbo7OI1EAaCrgJgnIGd9vo=; b=KdLmX/8YusfOuycZ07JKsJuUxVGCTV+X/IWO5Esa6SiR2lXQdN8QdAJOGh0M/U8GbMElW9 bDKPZmkP1K9l5tHu3LGGVCtw/pYy0Usc1HB1ZSxu45omZCQ1CMReTiY8oIFNL1FYZqqS5F QqYp9JAH2Q4jGwXPCmBEPmH4iDKOGqSZcC0htR+CN6n9MPJNxJD6D5ZZANV1ChCBXTLLGi g1E+Q/WRi8eXzqyT6GFK0LNSHs6C+d990ebx7N8IWDyLxHRw7jNDRyBgBJNbDD+Xy8+pSe GQN1ZGBMW73eEcpcMadhcAapW6qViyyFMN5lWzxBDRcHueXClca2r4rtqorjDA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1781118132; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bmBdDO8tllp+/deTTDXWwEbo7OI1EAaCrgJgnIGd9vo=; b=C6TtHaPaf6omuenUsFKt+VUH7Yrv8954p7JWwLcOMTTGj2ZytBQqB6HOroMo+Dt5nLI5+W RGKYHfxjiDgYH9AQ== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH] bash: Update to version 5.3 patch 15 Date: Wed, 10 Jun 2026 21:01:47 +0200 Message-ID: <20260610190208.3662425-2-adolf.belka@ipfire.org> In-Reply-To: <20260610190208.3662425-1-adolf.belka@ipfire.org> References: <20260610190208.3662425-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update from version 5.3 patch 9 to 5.3 patch 15 - No change in rootfile - Changelog patch 10 Under some circumstances, a subshell or asynchronous job with an active EXIT trap that contains a call to `wait' can loop trying to wait for processes that are not its children. It usually inherits these jobs from its parent in the jobs list. patch 11 If a `mapfile' callback unsets the array variable `mapfile' is using to save the lines it reads, `mapfile' can try to reference freed memory, which can cause corruption or shell crashes. patch 12 If a subshell with an inherited EXIT trap receives a fatal signal before it clears the exit trap, and before it restores its original signal handlers, it's possible for it to inappropriately run the inherited EXIT trap. patch 13 Comparing the value of a pointer returned from realloc/xrealloc to the original pointer passed is technically undefined behavior, which matters under some circumstances. patch 14 Bash-5.3 patch 11 included an inadvertent extra line, which this patch removes. This also takes the opportunity to improve that patch, by looking up the variable each time through the line-reading loop only if there is a callback and it is invoked. patch 15 There are circumstances under which index -1 is used to reference into the input buffer used by the `read' builtin. Signed-off-by: Adolf Belka --- lfs/bash | 4 +- src/patches/bash/bash53-010 | 49 +++++++++++++++++++++++ src/patches/bash/bash53-011 | 70 ++++++++++++++++++++++++++++++++ src/patches/bash/bash53-012 | 80 +++++++++++++++++++++++++++++++++++++ src/patches/bash/bash53-013 | 54 +++++++++++++++++++++++++ src/patches/bash/bash53-014 | 68 +++++++++++++++++++++++++++++++ src/patches/bash/bash53-015 | 79 ++++++++++++++++++++++++++++++++++++ 7 files changed, 402 insertions(+), 2 deletions(-) create mode 100644 src/patches/bash/bash53-010 create mode 100644 src/patches/bash/bash53-011 create mode 100644 src/patches/bash/bash53-012 create mode 100644 src/patches/bash/bash53-013 create mode 100644 src/patches/bash/bash53-014 create mode 100644 src/patches/bash/bash53-015 diff --git a/lfs/bash b/lfs/bash index fd68e8805..dbee213c2 100644 --- a/lfs/bash +++ b/lfs/bash @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config VER = 5.3 -PATCHVER = 9 +PATCHVER = 15 THISAPP = bash-$(VER) DL_FILE = $(THISAPP).tar.gz diff --git a/src/patches/bash/bash53-010 b/src/patches/bash/bash53-010 new file mode 100644 index 000000000..3797675a0 --- /dev/null +++ b/src/patches/bash/bash53-010 @@ -0,0 +1,49 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-010 + +Bug-Reported-by: Aleksey Covacevice +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-01/msg00003.html + +Bug-Description: + +Patch (apply with `patch -p0'): + +Under some circumstances, a subshell or asynchronous job with an active +EXIT trap that contains a call to `wait' can loop trying to wait for +processes that are not its children. It usually inherits these jobs from +its parent in the jobs list. + +*** ../bash-5.3-patched/jobs.c Fri Jul 25 08:53:22 2025 +--- jobs.c Fri Jan 9 10:21:03 2026 +*************** +*** 2840,2844 **** + ps->status = (r < 0 || r > 256) ? 127 : r; + } +! if (r == -1 && errno == ECHILD) + { + /* If we're mistaken about job state, compensate. */ +--- 2842,2846 ---- + ps->status = (r < 0 || r > 256) ? 127 : r; + } +! if ((r < 0 || r > 256) && errno == ECHILD) + { + /* If we're mistaken about job state, compensate. */ +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 9 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 10 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-011 b/src/patches/bash/bash53-011 new file mode 100644 index 000000000..5aa8b9222 --- /dev/null +++ b/src/patches/bash/bash53-011 @@ -0,0 +1,70 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-011 + +Bug-Reported-by: Philippe Grégoire +Bug-Reference-ID: +Bug-Reference-URL: + +Bug-Description: + +If a `mapfile' callback unsets the array variable `mapfile' is using to save +the lines it reads, `mapfile' can try to reference freed memory, which can +cause corruption or shell crashes. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/mapfile.def Mon May 6 11:58:48 2024 +--- builtins/mapfile.def Mon May 25 16:23:50 2026 +*************** +*** 154,160 **** + unbuffered_read = 0; + +! /* The following check should be done before reading any lines. Doing it +! here allows us to call bind_array_element instead of bind_array_variable +! and skip the variable lookup on every call. */ + entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); + if (entry == 0) +--- 154,158 ---- + unbuffered_read = 0; + +! /* The following check should be done before reading any lines. */ + entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); + if (entry == 0) +*************** +*** 202,207 **** + } + +! /* XXX - bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type. */ + bind_array_element (entry, array_index, line, 0); + +--- 200,210 ---- + } + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! + bind_array_element (entry, array_index, line, 0); + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 10 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 11 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-012 b/src/patches/bash/bash53-012 new file mode 100644 index 000000000..aac53bc72 --- /dev/null +++ b/src/patches/bash/bash53-012 @@ -0,0 +1,80 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-012 + +Bug-Reported-by: earl_chew@yahoo.com +Bug-Reference-ID: +Bug-Reference-URL: https://savannah.gnu.org/bugs/?67745 + +Bug-Description: + +If a subshell with an inherited EXIT trap receives a fatal signal before +it clears the exit trap, and before it restores its original signal +handlers, it's possible for it to inappropriately run the inherited EXIT +trap. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/execute_cmd.c Thu Jun 5 11:02:01 2025 +--- execute_cmd.c Fri Jan 9 10:21:30 2026 +*************** +*** 1644,1648 **** + if (user_subshell) + { +! subshell_environment = SUBSHELL_PAREN; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +--- 1681,1685 ---- + if (user_subshell) + { +! subshell_environment = SUBSHELL_PAREN|SUBSHELL_IGNTRAP; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +*************** +*** 1650,1654 **** + else + { +! subshell_environment = 0; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +--- 1687,1691 ---- + else + { +! subshell_environment = SUBSHELL_IGNTRAP; /* XXX */ + if (asynchronous) + subshell_environment |= SUBSHELL_ASYNC; +*** ../bash-5.3-patched/sig.c Wed Dec 18 15:52:06 2024 +--- sig.c Fri Jan 9 10:21:43 2026 +*************** +*** 639,643 **** + comsub_ignore_return = return_catch_flag = wait_intr_flag = 0; + +! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */ + + kill_shell (sig); +--- 645,652 ---- + comsub_ignore_return = return_catch_flag = wait_intr_flag = 0; + +! /* Don't run the exit trap if we're supposed to be ignoring traps in a +! subshell environment. */ +! if ((subshell_environment & SUBSHELL_IGNTRAP) == 0) +! run_exit_trap (); /* XXX - run exit trap possibly in signal context? */ + + kill_shell (sig); +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 11 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 12 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-013 b/src/patches/bash/bash53-013 new file mode 100644 index 000000000..16ff707c7 --- /dev/null +++ b/src/patches/bash/bash53-013 @@ -0,0 +1,54 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-013 + +Bug-Reported-by: Florian Schmaus +Bug-Reference-ID: +Bug-Reference-URL: https://savannah.gnu.org/bugs/?67586 + +Bug-Description: + +Comparing the value of a pointer returned from realloc/xrealloc to the +original pointer passed is technically undefined behavior, which matters +under some circumstances. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025 +--- builtins/read.def Thu Nov 20 15:10:20 2025 +*************** +*** 789,794 **** + x = (char *)xrealloc (input_string, size += 128); + +! /* Only need to change unwind-protect if input_string changes */ + if (x != input_string) + { + input_string = x; +--- 816,824 ---- + x = (char *)xrealloc (input_string, size += 128); + +! #if 0 +! /* This is, in theory, undefined behavior, since input_string may +! have been freed. */ + if (x != input_string) ++ #endif + { + input_string = x; + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 12 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 13 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-014 b/src/patches/bash/bash53-014 new file mode 100644 index 000000000..d52d34d29 --- /dev/null +++ b/src/patches/bash/bash53-014 @@ -0,0 +1,68 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-014 + +Bug-Reported-by: Grisha Levit +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2026-06/msg00022.html + +Bug-Description: + +Bash-5.3 patch 11 included an inadvertent extra line, which this patch +removes. This also takes the opportunity to improve that patch, by looking +up the variable each time through the line-reading loop only if there is +a callback and it is invoked. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/mapfile.def Sat Jun 6 13:31:02 2026 +--- builtins/mapfile.def Sat Jun 6 13:51:55 2026 +*************** +*** 198,211 **** + + run_callback (callback, array_index, line); +- } + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! +! bind_array_element (entry, array_index, line, 0); + + /* Have we exceeded # of lines to store? */ +--- 198,211 ---- + + run_callback (callback, array_index, line); + +! /* Bad things can happen if the callback modifies ENTRY, e.g., +! unsetting it or changing it to a non-indexed-array type, so we +! look it up again every time we need to assign something */ +! entry = bind_array_variable (array_name, array_index, line, 0); +! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) +! return EXECUTION_FAILURE; +! } +! else +! bind_array_element (entry, array_index, line, 0); + + /* Have we exceeded # of lines to store? */ + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 13 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 14 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/src/patches/bash/bash53-015 b/src/patches/bash/bash53-015 new file mode 100644 index 000000000..861b3cac0 --- /dev/null +++ b/src/patches/bash/bash53-015 @@ -0,0 +1,79 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 5.3 +Patch-ID: bash53-015 + +Bug-Reported-by: Duncan Roe + Grisha Levit +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-09/msg00162.html + https://lists.gnu.org/archive/html/bug-bash/2025-10/msg00013.html + +Bug-Description: + +There are circumstances under which index -1 is used to reference into +the input buffer used by the `read' builtin. + +Patch (apply with `patch -p0'): + +*** ../bash-5.3-patched/builtins/read.def Wed Jun 25 15:50:18 2025 +--- builtins/read.def Thu Nov 6 16:51:14 2025 +*************** +*** 539,543 **** + protects, then restore input_string so we can use it later */ + orig_input_string = 0; +! input_string[i] = '\0'; /* make sure it's terminated */ + if (i == 0) + { +--- 568,573 ---- + protects, then restore input_string so we can use it later */ + orig_input_string = 0; +! if (i >= 0) +! input_string[i] = '\0'; /* make sure it's terminated */ + if (i == 0) + { +*************** +*** 593,598 **** + + ttset = ttattrs; +! i = silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset); +! if (i < 0) + sh_ttyerror (1); + tty_modified = 1; +--- 623,627 ---- + + ttset = ttattrs; +! if ((silent ? ttfd_cbreak (fd, &ttset) : ttfd_onechar (fd, &ttset)) < 0) + sh_ttyerror (1); + tty_modified = 1; +*************** +*** 610,615 **** + + ttset = ttattrs; +! i = ttfd_noecho (fd, &ttset); /* ttnoecho (); */ +! if (i < 0) + sh_ttyerror (1); + +--- 639,643 ---- + + ttset = ttattrs; +! if (ttfd_noecho (fd, &ttset) < 0) + sh_ttyerror (1); + + +*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 14 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 15 + + #endif /* _PATCHLEVEL_H_ */ -- 2.54.0