Upstream changes:
R50f is a required security and bugfix release:
[tg] Add a patch marker for vendor patch versioning to mksh.1
[tg] SECURITY: make unset HISTFILE actually work
[tg] Document some more issues with the current history code
[tg] Remove some unused code
[tg] RCSID-only sync with OpenBSD, for bogus and irrelevant changes
[tg] Also disable field splitting for alias 'local=\typeset'
[tg] Fix read -n-1 to not be identical to read -N-1
[tg] Several fixes and improvements to lksh(1) and mksh(1) manpages
[tg] More code (int size_t), comment and testsuite fixes
[tg] Make dot.mkshrc more robust (LP#1441853)
[tg] Fix issues with IFS='\' read, found by edualbus
[enh, tg] Fix integer overflows related to file descriptor parsing, found by Pawel Wylecial (LP#1440685); reduce memory usage for I/O redirs
[tg] Document in the manpage how to set ±U according to the current locale settings via LANG/LC_* parameters (cf. Debian #782225)
[igli, tg] Some code cleanup and restructuring
[tg, oksh] Handle number parsing and storing more carefully
R50e is a required bugfix release:
[tg] Add more tests detailing behaviour difference from GNU bash
[tg] Introduce a memory leak for x=<< fixing use of freed memory instead, bug tracked as LP#1380389 still live
[tg] Add x+=<< parallel to x=<<
[tg, ormaaj, jilles] POSIX "command" loses builtin special-ness
[tg] Fix LP#1381965 and LP#1381993 (more field splitting)
[jilles] Update location of FreeBSD testsuite for test(1)
[Martin Natano] Remove dead NULL elements from Emacs keybindings
[tg, Stéphane Chazelas, Geoff Clare] Change several testcases for $*/$@ expansion with/without quotes to expected-fail, with even more to come ☹
[tg] Fix miscalculating required memory for encoding the double-quoted parts of a here document or here string delimiter, leading to a buffer overflow; discovered by zacts from IRC
[RT] Rename a function conflicting with a MacRelix system header
[tg] Use size_t (and ssize_t) consistently, stop using ptrdiff_t; fixes some arithmetics and S/390 bugs
[tg] Remove old workarounds for Clang 3.2 scan-build
[tg] Remove all Clang/Coverity assertions, making room for new checks
[tg] Fix NSIG generation on Debian sid gcc-snapshot
[tg] Make a testcase not fail in a corner case
[tg] Fix issues detected by GCC’s new sanitisers: data type of a value to be shifted constantly must be unsigned (what not, in C…); shebang check array accesses are always unsigned char
[tg] Be even more explicit wrt. POSIX in the manpage
[tg] Fix shebang / file magic decoding
[tg] More int → bool conversion
[tg] Let Build.sh be run by GNU bash 1.12.1 (Slackware 1.01)
[Stéphane Chazelas, tg] Fix here string parsing issue
[tg] Point out more future changes in the manpage
[tg] Call setgid(2), setegid(2), setuid(2) before seteuid(2)
[tg] Fix spurious empty line after ENOENT “whence -v”, found by Ypnose
[tg] Optimise dot.mkshrc and modernise it a bit
[tg] Use MAXPATHLEN from <sys/param.h> for PATH_MAX fallback
[tg] Some code cleanup and warnings fixes
[tg] Add options -a argv0 and -c to exec
[jsg] Prevent use-after-free when hitting multiple errors unwinding
[tg] Fix use of $* and $@ in scalar context: within [[ … ]] and after case (spotted by Stéphane Chazelas) and in here documents (spotted by tg@); fix here document expansion
[tg] Unbreak when $@ shares double quotes with others
[tg] Fix set -x in PS4 expansion infinite loop
---------------- (from debian/changelog)
posh (0.12.4) unstable; urgency=medium
  * Correct misspelling of "--". closes: #774004.
  * Patch from Chris Lamb to make the build reproducible.
    closes: #777395.
  * Patch from John Salmon to use memmove instead of memcpy in
    debunk(). closes: #777493.
 -- Clint Adams <clint@debian.org> Sun, 26 Apr 2015 14:20:19 -0400
Changelog:
* Written in C++ now.
* Fix security issues:
  CVE-2014-2914
  CVE-2014-2906 and CVE-2014-3856
  CVE-2014-2905
  CVE-2014-3219
* Many bugfixes.
* Many new features.
See http://fishshell.com/release_notes.html .
autojump is a faster way to navigate your filesystem. It works by
maintaining a database of the directories you use the most from
the command line.
Directories must be visited first before they can be jumped to.
git-sh is a customized bash shell suitable for git work.
The git-sh command starts an interactive bash shell tweaked for
heavy git interaction:
* All git commands available at top-level (checkout master = git
checkout master)
* All git aliases defined in the [alias] section of ~/.gitconfig
available at top-level.
* Shawn O. Pearce's excellent bash completion strapped onto all
core commands and git aliases.
* Custom prompt with current branch, repository, and work tree
dirty indicator.
* Customizable via /etc/gitshrc and ~/.gitshrc config files; for
creating aliases, changing the prompt, etc.
* Runs on top of normal bash (~/.bashrc) and readline (~/.inputrc)
configurations.
already in /bin. Otherwise, building and installing it naively clobbers
the native tcsh, which isn't what anyone wants.
I believe these platforms to be: NetBSD, OpenBSD, Solaris -- if anyone
can confirm that others (especially old ones I can't readily check)
don't have a native tcsh, please add.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=104260
---------------------------
The MASTER_SITES for shells/mudsh is invalid. The email
address of the submitter of the port is no longer valid.
The app itself is a single perl script with no author in it.
---------------------------
Thanks wiz@ for review.
5.0.7
This is version 5.0.7 of the shell. This is a stable release.
There are minor new features as well as bug fixes since 5.0.6.
Note in particular there is a security fix to disallow evaluation
of the initial values of integer variables imported from the
environment (they are instead treated as literal numbers). That
could allow local privilege escalation, under some specific and
atypical conditions where zsh is being invoked in privilege elevation
contexts when the environment has not been properly sanitized, such
as when zsh is invoked by sudo on systems where "env_reset" has
been disabled.
5.0.6
This is version 5.0.6 of the shell. This is a stable release.
There are minor new features as well as bug fixes since 5.0.5.
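An added example, not part of the zsh release notes or of the commit message above: the 5.0.7 note names sudo with "env_reset" disabled as a condition under which the fixed bug mattered, so this Python check scans sudoers text for Defaults entries that turn env_reset off. The sample sudoers content and all function names are constructed for illustration; the check does not follow include directives or decide which entry takes precedence.

```python
import re

# Constructed sample sudoers text for illustration (not from a real system).
SAMPLE_SUDOERS = r'''
# keep the default: environment is reset
Defaults env_reset, secure_path="/usr/sbin:/usr/bin"
Defaults:deploy !env_reset
Defaults@buildhost env_keep += "LANG", \
    !env_reset
#Defaults !env_reset
%wheel ALL=(ALL) ALL
'''

# "Defaults", optional scope (:user, @host, >runas, !command), then options.
DEFAULTS_RE = re.compile(r'^Defaults(?P<scope>[:@>!]\s*\S+)?\s+(?P<opts>.+)$')
# Split on commas that are not inside a double-quoted value.
OPT_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_env_reset_disabled(text):
    """Return [(line_number, scope)] for Defaults entries negating env_reset."""
    findings = []
    for num, line in logical_lines(text):
        if line.startswith("#"):      # comments (and #include directives)
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in OPT_SPLIT_RE.split(m.group("opts")):
            if re.match(r'!\s*env_reset\b', opt.strip()):
                scope = (m.group("scope") or "global").replace(" ", "")
                findings.append((num, scope))
    return findings

if __name__ == "__main__":
    for num, scope in find_env_reset_disabled(SAMPLE_SUDOERS):
        print(f"line {num}: env_reset disabled ({scope})")
```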
R50d is a required bugfix release:
- [Goodbox] Fix NULL pointer dereference on “unset x; nameref x”
- [tg] Fix severe regression in field splitting (LP#1378208)
- [tg] Add a warning about not using tainted user input (including from
the environ(7)ment) in arithmetics, until Stéphane writes it up nicely
R50c is a security fix release:
- [tg] Know more rare signals when generating sys_signame[] replacement
- [tg] OpenBSD sync (mostly RCSID only)
- [tg] Document HISTSIZE limit; found by luigi_345 on IRC
- [zacts] Fix link to Debian .mkshrc
- [tg] Cease exporting $RANDOM (Debian #760857)
- [tg] Fix C99 compatibility
- [tg] Work around klibc bug causing a coredump (Debian #763842)
- [tg] Use issetugid(2) as additional check if we are FPRIVILEGED
- [tg] SECURITY: do not permit += from environment
- [tg] Fix more field splitting bugs reported by Stephane Chazelas and
mikeserv; document current status wrt. ambiguous ones as testcases too
Fixes CVE-2014-6278:
A combination of nested command substitutions and function importing
from the environment can cause bash to execute code appearing in
the environment variable value following the function definition.
Changelog:
R50b is a recommended bugfix release:
* [Ypnose] Fix operator description in the manpage
* [tg] Change all mention of “eglibc” to “glibc”, it is merged back
* [Colona] Fix rare infinite loop with invalid UTF-8 in the edit buffer
* [tg] Make more clear when a shell is interactive in the manpage
* [tg] Document that % is a symmetric remainder operation, and how to
get a mathematical modulus from it, in the manpage
* [tg, Christopher Ferris, Elliott Hughes] Make the cat(1) builtin also
interruptible in the write loop, not just in the read loop, and avoid
it getting SIGPIPE in the smores function in dot.mkshrc by terminating
cat upon user quit
* [tg] Make some comments match the code, after jaredy from obsd changed
IFS split handling
* [tg] Fix some IFS-related mistakes in the manual page
* [tg] Document another issue as known-to-fail test IFS-subst-3
* [tg] Improve check.pl output in some cases
* [tg, Jb_boin] Relax overzealous nameref RHS checks
R50 is a recommended bugfix release:
* [tg] Fix initial IFS whitespace not being ignored when expanding
* [tg] MKSH_BINSHREDUCED no longer mistakenly enables brace expansion
* [tg] Explain more clearly Vi input mode limitations in the manpage
* [tg] Improve error reporting of the check.pl script (which needs a
maintainer since I don’t speak any perl(1), really), for lewellyn
* [tg] Use $TMPDIR in test.sh for scratch space
* [tg, Polynomial-C] Check that the scratch space is not mounted noexec
* [pekster, jilles, tg] Use termcap(5) names, not terminfo(5) names, in
tput(1) examples, for improved portability (e.g. to MidnightBSD)
* [tg] Avoid C99 Undefined Behaviour in mirtoconf LFS test (inspired by
Debian #742780)
* [tg] Fix ${!foo} for when foo is unset
* [tg] Improve nameref error checking (LP#1277691)
* [tg] Fix readonly bypass found by Bert Münnich
* [Ryan Schmidt] Improved system reporting for Mac OS X
* [nDuff] Explain better [[ extglob handling in the manpage
* [tg] Remove arr=([index]=value) syntax due to regressions
* [tg] IFS-split arithmetic expansions as per POSIX 201x
* [OpenBSD] Add more detailed Authors section to manpage
* [tg] Fix set ±p issue for good: drop privs unless requested
* [tg] Improve signal handling and use a more canonical probing order
* [tg] Fix return values $? and ${PIPESTATUS[*]} interaction with set -o
pipefail and COMSUBs
* [enh] Detect ENOEXEC ELF files and use a less confusing error message
* [tg] Update to Unicode 7.0.0
* [tg] Shut up valgrind in the $RANDOM code
* [tg] Use -fstack-protector-strong in favour of -fstack-protector-all
* [tg] Fix access-after-free crash spotted by Enjolras via IRC