bash: Import upstream fixes

lfs/bash

@@ -87,15 +87,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	sed -e "s/filename, RTLD_LAZY/filename, RTLD_NOW/" \
 		-i $(DIR_APP)/builtins/enable.def
 
-	for i in $$(seq 1 18); do \
+	for i in $$(seq 1 26); do \
 		cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash/bash43-$$(printf "%03d" "$${i}") || exit 1; \
 	done
 
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-paths-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-4.0-profile-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/bash-3.2-ssh_source_bash.patch
-	cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-4.3-CVE-2014-6271.patch
-	cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/bash-3.2-CVE-2014-7169.patch
 
 	cd $(DIR_APP) && ./configure $(CONFIGURE_OPTIONS)
 	cd $(DIR_APP) && make $(MAKETUNING)

src/patches/bash-3.2-CVE-2014-7169.patch

@@ -1,11 +0,0 @@
-*** ../bash-20140912/parse.y	2014-08-26 15:09:42.000000000 -0400
---- parse.y	2014-09-24 22:47:28.000000000 -0400
-***************
-*** 2959,2962 ****
---- 2959,2964 ----
-    word_desc_to_read = (WORD_DESC *)NULL;
-  
-+   eol_ungetc_lookahead = 0;
-+ 
-    current_token = '\n';		/* XXX */
-    last_read_token = '\n';

src/patches/bash/bash43-019

@@ -0,0 +1,84 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-019
+
+Bug-Reported-by:	John Lenton
+Bug-Reference-ID:
+Bug-Reference-URL:	https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1317476
+
+Bug-Description:
+
+The -t timeout option to `read' does not work when the -e option is used.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/lib/readline/input.c	2014-01-10 15:07:08.000000000 -0500
+--- lib/readline/input.c	2014-05-22 18:40:59.000000000 -0400
+***************
+*** 535,540 ****
+--- 538,551 ----
+        else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM)
+  	return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
++       /* keyboard-generated signals of interest */
+        else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT)
+          RL_CHECK_SIGNALS ();
++       /* non-keyboard-generated signals of interest */
++       else if (_rl_caught_signal == SIGALRM
++ #if defined (SIGVTALRM)
++ 		|| _rl_caught_signal == SIGVTALRM
++ #endif
++ 	      )
++         RL_CHECK_SIGNALS ();
+  
+        if (rl_signal_event_hook)
+*** ../bash-4.3-patched/builtins/read.def	2013-09-02 11:54:00.000000000 -0400
+--- builtins/read.def	2014-05-08 11:43:35.000000000 -0400
+***************
+*** 443,447 ****
+  #if defined (READLINE)
+        if (edit)
+! 	add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
+  #endif
+        falarm (tmsec, tmusec);
+--- 443,450 ----
+  #if defined (READLINE)
+        if (edit)
+! 	{
+! 	  add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
+! 	  add_unwind_protect (bashline_reset_event_hook, (char *)NULL);
+! 	}
+  #endif
+        falarm (tmsec, tmusec);
+***************
+*** 1022,1025 ****
+--- 1025,1029 ----
+    old_attempted_completion_function = rl_attempted_completion_function;
+    rl_attempted_completion_function = (rl_completion_func_t *)NULL;
++   bashline_set_event_hook ();
+    if (itext)
+      {
+***************
+*** 1033,1036 ****
+--- 1037,1041 ----
+    rl_attempted_completion_function = old_attempted_completion_function;
+    old_attempted_completion_function = (rl_completion_func_t *)NULL;
++   bashline_reset_event_hook ();
+  
+    if (ret == 0)
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 18
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 19
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-020

@@ -0,0 +1,110 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-020
+
+Bug-Reported-by:	Jared Yanovich <slovichon@gmail.com>
+Bug-Reference-ID:	<20140417073654.GB26875@nightderanger.psc.edu>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-04/msg00065.html
+
+Bug-Description:
+
+When PS2 contains a command substitution, here-documents entered in an
+interactive shell can sometimes cause a segmentation fault.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/shell.h	2012-12-25 21:11:01.000000000 -0500
+--- shell.h	2014-06-03 09:24:28.000000000 -0400
+***************
+*** 169,173 ****
+    int expand_aliases;
+    int echo_input_at_read;
+!   
+  } sh_parser_state_t;
+  
+--- 169,174 ----
+    int expand_aliases;
+    int echo_input_at_read;
+!   int need_here_doc;
+! 
+  } sh_parser_state_t;
+  
+*** ../bash-4.3-patched/parse.y	2014-05-14 09:16:40.000000000 -0400
+--- parse.y	2014-04-30 09:27:59.000000000 -0400
+***************
+*** 2643,2647 ****
+  
+    r = 0;
+!   while (need_here_doc)
+      {
+        parser_state |= PST_HEREDOC;
+--- 2643,2647 ----
+  
+    r = 0;
+!   while (need_here_doc > 0)
+      {
+        parser_state |= PST_HEREDOC;
+***************
+*** 6076,6079 ****
+--- 6076,6080 ----
+    ps->expand_aliases = expand_aliases;
+    ps->echo_input_at_read = echo_input_at_read;
++   ps->need_here_doc = need_here_doc;
+  
+    ps->token = token;
+***************
+*** 6124,6127 ****
+--- 6125,6129 ----
+    expand_aliases = ps->expand_aliases;
+    echo_input_at_read = ps->echo_input_at_read;
++   need_here_doc = ps->need_here_doc;
+  
+    FREE (token);
+*** ../bash-4.3-patched/y.tab.c	2014-04-07 11:56:12.000000000 -0400
+--- y.tab.c	2014-07-30 09:55:57.000000000 -0400
+***************
+*** 4955,4959 ****
+  
+    r = 0;
+!   while (need_here_doc)
+      {
+        parser_state |= PST_HEREDOC;
+--- 5151,5155 ----
+  
+    r = 0;
+!   while (need_here_doc > 0)
+      {
+        parser_state |= PST_HEREDOC;
+***************
+*** 8388,8391 ****
+--- 8584,8588 ----
+    ps->expand_aliases = expand_aliases;
+    ps->echo_input_at_read = echo_input_at_read;
++   ps->need_here_doc = need_here_doc;
+  
+    ps->token = token;
+***************
+*** 8436,8439 ****
+--- 8633,8637 ----
+    expand_aliases = ps->expand_aliases;
+    echo_input_at_read = ps->echo_input_at_read;
++   need_here_doc = ps->need_here_doc;
+  
+    FREE (token);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 19
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 20
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-021

@@ -0,0 +1,52 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-021
+
+Bug-Reported-by:	Jared Yanovich <slovichon@gmail.com>
+Bug-Reference-ID:	<20140625225019.GJ17044@nightderanger.psc.edu>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-06/msg00070.html
+
+Bug-Description:
+
+When the readline `revert-all-at-newline' option is set, pressing newline
+when the current line is one retrieved from history results in a double free
+and a segmentation fault.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/lib/readline/misc.c	2012-09-01 18:03:11.000000000 -0400
+--- lib/readline/misc.c	2014-06-30 13:41:19.000000000 -0400
+***************
+*** 462,465 ****
+--- 462,466 ----
+  	  /* Set up rl_line_buffer and other variables from history entry */
+  	  rl_replace_from_history (entry, 0);	/* entry->line is now current */
++ 	  entry->data = 0;			/* entry->data is now current undo list */
+  	  /* Undo all changes to this history entry */
+  	  while (rl_undo_list)
+***************
+*** 469,473 ****
+  	  FREE (entry->line);
+  	  entry->line = savestring (rl_line_buffer);
+- 	  entry->data = 0;
+  	}
+        entry = previous_history ();
+--- 470,473 ----
+
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 20
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 21
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-022

@@ -0,0 +1,56 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-022
+
+Bug-Reported-by:	scorp.dev.null@gmail.com
+Bug-Reference-ID:	<E1WxXw8-0007iE-Bi@pcm14>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-06/msg00061.html
+
+Bug-Description:
+
+Using nested pipelines within loops with the `lastpipe' option set can result
+in a segmentation fault.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/execute_cmd.c	2014-01-31 10:54:52.000000000 -0500
+--- execute_cmd.c	2014-06-19 08:05:49.000000000 -0400
+***************
+*** 2410,2414 ****
+        lstdin = wait_for (lastpid);
+  #if defined (JOB_CONTROL)
+!       exec_result = job_exit_status (lastpipe_jid);
+  #endif
+        unfreeze_jobs_list ();
+--- 2425,2438 ----
+        lstdin = wait_for (lastpid);
+  #if defined (JOB_CONTROL)
+!       /* If wait_for removes the job from the jobs table, use result of last
+! 	 command as pipeline's exit status as usual.  The jobs list can get
+! 	 frozen and unfrozen at inconvenient times if there are multiple pipelines
+! 	 running simultaneously. */
+!       if (INVALID_JOB (lastpipe_jid) == 0)
+! 	exec_result = job_exit_status (lastpipe_jid);
+!       else if (pipefail_opt)
+! 	exec_result = exec_result | lstdin;	/* XXX */
+!       /* otherwise we use exec_result */
+!         
+  #endif
+        unfreeze_jobs_list ();
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 21
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 22
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-023

@@ -0,0 +1,104 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-023
+
+Bug-Reported-by:	Tim Friske <me@timfriske.com>
+Bug-Reference-ID:	<CAM1RzOcOR9zzC2i+aeES6LtbHNHoOV+0pZEYPrqxv_QAii-RXA@mail.gmail.com>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-06/msg00056.html
+
+Bug-Description:
+
+Bash does not correctly parse process substitution constructs that contain
+unbalanced parentheses as part of the contained command.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/subst.h	2014-01-11 21:02:27.000000000 -0500
+--- subst.h	2014-07-20 17:25:01.000000000 -0400
+***************
+*** 83,87 ****
+     Start extracting at (SINDEX) as if we had just seen "<(".
+     Make (SINDEX) get the position just after the matching ")". */
+! extern char *extract_process_subst __P((char *, char *, int *));
+  #endif /* PROCESS_SUBSTITUTION */
+  
+--- 83,87 ----
+     Start extracting at (SINDEX) as if we had just seen "<(".
+     Make (SINDEX) get the position just after the matching ")". */
+! extern char *extract_process_subst __P((char *, char *, int *, int));
+  #endif /* PROCESS_SUBSTITUTION */
+  
+*** ../bash-4.3-patched/subst.c	2014-05-15 08:26:45.000000000 -0400
+--- subst.c	2014-07-20 17:26:44.000000000 -0400
+***************
+*** 1193,1202 ****
+     Make (SINDEX) get the position of the matching ")". */ /*))*/
+  char *
+! extract_process_subst (string, starter, sindex)
+       char *string;
+       char *starter;
+       int *sindex;
+  {
+    return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
+  }
+  #endif /* PROCESS_SUBSTITUTION */
+--- 1193,1208 ----
+     Make (SINDEX) get the position of the matching ")". */ /*))*/
+  char *
+! extract_process_subst (string, starter, sindex, xflags)
+       char *string;
+       char *starter;
+       int *sindex;
++      int xflags;
+  {
++ #if 0
+    return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
++ #else
++   xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0);
++   return (xparse_dolparen (string, string+*sindex, sindex, xflags));
++ #endif
+  }
+  #endif /* PROCESS_SUBSTITUTION */
+***************
+*** 1786,1790 ****
+  	  if (string[si] == '\0')
+  	    CQ_RETURN(si);
+! 	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si);
+  	  free (temp);		/* no SX_ALLOC here */
+  	  i = si;
+--- 1792,1796 ----
+  	  if (string[si] == '\0')
+  	    CQ_RETURN(si);
+! 	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0);
+  	  free (temp);		/* no SX_ALLOC here */
+  	  i = si;
+***************
+*** 8250,8254 ****
+  	      t_index = sindex + 1; /* skip past both '<' and LPAREN */
+  
+! 	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/
+  	    sindex = t_index;
+  
+--- 8256,8260 ----
+  	      t_index = sindex + 1; /* skip past both '<' and LPAREN */
+  
+! 	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/
+  	    sindex = t_index;
+  
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 22
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 23
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-024

@@ -0,0 +1,54 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-024
+
+Bug-Reported-by:	Corentin Peuvrel <cpeuvrel@pom-monitoring.com>
+Bug-Reference-ID:	<53CE9E5D.6050203@pom-monitoring.com>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2014-07/msg00021.html
+
+Bug-Description:
+
+Indirect variable references do not work correctly if the reference
+variable expands to an array reference using a subscript other than 0
+(e.g., foo='bar[1]' ; echo ${!foo}).
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/subst.c	2014-06-03 09:32:44.000000000 -0400
+--- subst.c	2014-07-23 09:58:19.000000000 -0400
+***************
+*** 7375,7379 ****
+  
+    if (want_indir)
+!     tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+    else
+      tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
+--- 7445,7455 ----
+  
+    if (want_indir)
+!     {
+!       tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+!       /* Turn off the W_ARRAYIND flag because there is no way for this function
+! 	 to return the index we're supposed to be using. */
+!       if (tdesc && tdesc->flags)
+! 	tdesc->flags &= ~W_ARRAYIND;
+!     }
+    else
+      tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 23
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 24
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-025

@@ -1,3 +1,20 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-025
+
+Bug-Reported-by:	Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
 *** ../bash-4.3-patched/builtins/common.h	2013-07-08 16:54:47.000000000 -0400
 --- builtins/common.h	2014-09-12 14:25:47.000000000 -0400
 ***************
@@ -89,3 +106,18 @@
 !       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
   	{
   	  temp = nameref_cell (var);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 24
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 25
+  
+  #endif /* _PATCHLEVEL_H_ */

src/patches/bash/bash43-026

@@ -0,0 +1,60 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-026
+
+Bug-Reported-by:	Tavis Ormandy <taviso () cmpxchg8b com>
+Bug-Reference-ID:
+Bug-Reference-URL:	http://twitter.com/taviso/statuses/514887394294652929
+
+Bug-Description:
+
+Under certain circumstances, bash can incorrectly save a lookahead character and
+return it on a subsequent call, even when reading a new line.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3.25/parse.y	2014-07-30 10:14:31.000000000 -0400
+--- parse.y	2014-09-25 20:20:21.000000000 -0400
+***************
+*** 2954,2957 ****
+--- 2954,2959 ----
+    word_desc_to_read = (WORD_DESC *)NULL;
+  
++   eol_ungetc_lookahead = 0;
++ 
+    current_token = '\n';		/* XXX */
+    last_read_token = '\n';
+*** ../bash-4.3.25/y.tab.c	2014-07-30 10:14:32.000000000 -0400
+--- y.tab.c	2014-09-25 20:21:48.000000000 -0400
+***************
+*** 5266,5269 ****
+--- 5266,5271 ----
+    word_desc_to_read = (WORD_DESC *)NULL;
+  
++   eol_ungetc_lookahead = 0;
++ 
+    current_token = '\n';		/* XXX */
+    last_read_token = '\n';
+***************
+*** 8540,8542 ****
+  }
+  #endif /* HANDLE_MULTIBYTE */
+- 
+--- 8542,8543 ----
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 25
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 26
+  
+  #endif /* _PATCHLEVEL_H_ */