Changelog:
- Out-of-range negative offsets to popd can cause the shell to crash attempting
to free an invalid memory block.
- When performing filename completion, bash dequotes the directory name being
completed, which can result in match failures and potential unwanted
expansion.
MFH: 2017Q1
The reason is that NLS is related to message translations to different
languages.
And bash has the general feature that \uNNNN is translated into the unicode
character using iconv. This is unicode support, and should have nothing to
do with translations.
bash also currently has a bug that --disable-nls causes it to fail to find
iconv. This bug has been reported upstream to bash-devel ML. In the future,
when bash fixes this, this will make a difference.
Note that this uses iconv from libc.
[2] Update to 4.3.46
PR: 206903 [1], 210620 [2]
Submitted by: yuri@rawbw.com [1], pkubaj@anongoth.pl [2]
Discussed with: adamw
generate a bunch of,
cannot make pipe for process substitution: File exists
errors.
The problem lies with colliding pipe names.
The code in sh_mktmpname() in lib/sh/tmpfile.c uses a combination of things like
the current time, the PID, and an incrementing counter. Since the child PIDs
tend to be sequential (barring kern.randompid=1), there are collisions.
Fix this problem without rewriting upstream code by defining USE_MKTEMP=1 to
use the mktemp(3) code of bash.
FreeBSD's mktemp() is not nearly as bad as the bash default and isn't
brain-damaged like some platforms (which is likely why the bash code tries to
do its own thing). In FreeBSD, mktemp(3) uses arc4random to pick one of
62 symbols for each "X".
Submitted by: Henric Jungheim <software@henric.org>
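The collision fix above, sketched as an added example (not code from this commit, from bash, or from FreeBSD): each "X" in a template is filled with one of 62 symbols from a kernel random source, and creation is retried only when mkfifo(3) reports EEXIST. The helper name make_random_fifo, the six-X minimum, the 100-attempt limit and the use of /dev/urandom in place of arc4random are assumptions of this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

static const char SYMS[] = /* 62 symbols per 'X', as described for mktemp(3) */
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Overwrite path[start..len) with unbiased random symbols read from rng. */
static int fill_random(char *path, size_t start, size_t len, FILE *rng)
{
    for (size_t i = start; i < len; ) {
        int b = fgetc(rng);
        if (b == EOF)
            return -1;
        if (b < 248)            /* 248 = 4 * 62: reject to avoid modulo bias */
            path[i++] = SYMS[b % 62];
    }
    return 0;
}

/* Hypothetical helper: create a mode-0600 FIFO from a template ending in X's.
 * On success tmpl holds the final name. Returns 0, or -1 with errno set. */
int make_random_fifo(char *tmpl)
{
    size_t len = strlen(tmpl), start = len;
    while (start > 0 && tmpl[start - 1] == 'X')
        start--;
    if (len - start < 6) {      /* too few X's: name space too small */
        errno = EINVAL;
        return -1;
    }
    FILE *rng = fopen("/dev/urandom", "rb");
    if (rng == NULL)
        return -1;
    int rc = -1;
    for (int attempt = 0; attempt < 100; attempt++) {
        if (fill_random(tmpl, start, len, rng) != 0) { errno = EIO; break; }
        if (mkfifo(tmpl, 0600) == 0) { rc = 0; break; }
        if (errno != EEXIST)    /* only a name collision is worth retrying */
            break;
    }
    int saved = errno;          /* fclose() may clobber errno */
    fclose(rng);
    errno = saved;
    return rc;
}
```

Because mkfifo(3) fails atomically with EEXIST when the path already exists, a collision costs one retry instead of surfacing as the "File exists" error quoted in the commit message.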
When appropriate:
- Try to use DISTVERSION{SUF,PRE}FIX
- Replace PORTNAME-PORTVERSION by DISTNAME
- Convert MASTER_SITES to use macros
- Other light cleanup
With hat: portmgr
Sponsored by: Absolight
and reinstall. This should make the shells link with libintl.so.8 instead
of libintl.so.9 and should give package users a better chance of having a
working shell when something went wrong with the gettext update.
This addresses the local crash from CVE-2014-6277. Note that
the fixes applied in 4.3.25_2 (and upstream 4.3.27) already made
this non-exploitable remotely.
This makes 'bashcheck' [1] fully green now. It had a soft warning
before for CVE-2014-6277.
[1] https://github.com/hannob/bashcheck
This should eliminate the recent vulnerabilities, but keep the
requirement for --import-functions/IMPORTFUNCTIONS option for now.
- Loosen the --import-functions requirement so it is not needed when running
an interactive shell. It is already disallowed for privileged/setuid mode.
- Show an error on stderr when an imported function is ignored.
enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.
This removes the risk of further parser bugs leading to code execution, as
well as the risk to setuid scripts and poorly written applications that
do not cleanse their environment [1][2].
Also note that there is an unofficial 4.3.26 floating around that has not yet
been officially released. r369261 covers the change in 4.3.26.
See also:
http://seclists.org/oss-sec/2014/q3/747 [1]
http://seclists.org/oss-sec/2014/q3/746 [2]
http://seclists.org/oss-sec/2014/q3/755 [3]
Obtained from: NetBSD (based on) [3]
PR: 193932
Reviewed by: Eric Vangyzen
With hat: portmgr
Since FreeBSD 8.4 and FreeBSD 9.1, make(1) supports :tu and :tl as a
replacement for :U and :L (which have been marked as deprecated).
bmake, which is the default on FreeBSD 10+, only supports :tu/:tl by
default; a hack was added at the time to support :U and :L to ease
migration. This hack is no longer necessary.
Note that this makes the ports tree incompatible with make(1) from
FreeBSD 8.3 or earlier.
With hat: portmgr
that we're at version "4.3.". Set PORTVERSION to 4.3.${PATCHLEVEL} until we have
the first patch released upstream. Also bump PORTREVISION to make sure all port
tools deal with this correctly.
Notified by: "Matthew D. Fuller" <fullermd@over-yonder.net>
Discussed with: kwm
- Takeover maintainership
- Merge changes from shells/bash-devel; this updates the port to 4.3
- Remove the now useless -devel ports
- Document change in ports/MOVED
Approved by: portmgr (bapt)
Ensure the configure script always activates the same features whether or not
fdescfs is mounted: always consider /dev/fd as absent.
Bump portrevision as packages on the cluster are built with fdescfs mounted.
With hat: portmgr
Reported: Derek Schrock (skered- via #poudriere)