authorBryan Drewery <bdrewery@FreeBSD.org>2014-09-28 16:47:44 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2014-09-28 16:47:44 +0000
commit037396ee3d75aabd0ff1679f6b2d6426cab79c94 (patch)
treed9a7cc55e9f01b138a0560a983b08c3b92977fbd
parent8f4ed37fb0c1715c70208a39ff698dcee2699a94 (diff)
MFH: r369467
- Update to patchlevel 27 which changes how functions are exported. This should eliminate the recent vulnerabilities, but keep the requirement for --import-functions/IMPORTFUNCTIONS option for now. - Loosen the --import-functions requirement so it is not needed when running an interactive shell. It is already disallowed for privileged/setuid mode. - Show an error on stderr when an imported function is ignored.
Notes
Notes: svn path=/branches/2014Q3/; revision=369468
-rw-r--r--shells/bash/Makefile2
-rw-r--r--shells/bash/distinfo2
-rw-r--r--shells/bash/files/extrapatch-import-functions45
3 files changed, 37 insertions, 12 deletions
diff --git a/shells/bash/Makefile b/shells/bash/Makefile
index ada8e843c3d1..ed5bf5575ec8 100644
--- a/shells/bash/Makefile
+++ b/shells/bash/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= bash
-PATCHLEVEL= 26
+PATCHLEVEL= 27
PORTVERSION= 4.3.${PATCHLEVEL:S/^0//g}
PORTREVISION?= 0
CATEGORIES= shells
diff --git a/shells/bash/distinfo b/shells/bash/distinfo
index 15cef48c34e0..4ca3a02a7318 100644
--- a/shells/bash/distinfo
+++ b/shells/bash/distinfo
@@ -52,3 +52,5 @@ SHA256 (bash/bash43-025) = 1e5186f5c4a619bb134a1177d9e9de879f3bb85d9c5726832b03a
SIZE (bash/bash43-025) = 3940
SHA256 (bash/bash43-026) = 2ecc12201b3ba4273b63af4e9aad2305168cf9babf6d11152796db08724c214d
SIZE (bash/bash43-026) = 1575
+SHA256 (bash/bash43-027) = 1eb76ad28561d27f7403ff3c76a36e932928a4b58a01b868d663c165f076dabe
+SIZE (bash/bash43-027) = 6889
diff --git a/shells/bash/files/extrapatch-import-functions b/shells/bash/files/extrapatch-import-functions
index ad052c7ad7fa..c1ff0dd0f2f0 100644
--- a/shells/bash/files/extrapatch-import-functions
+++ b/shells/bash/files/extrapatch-import-functions
@@ -19,12 +19,9 @@ Based on christos@NetBSD's patch
{ "noprofile", Int, &no_profile, (char **)0x0 },
{ "norc", Int, &no_rc, (char **)0x0 },
-$NetBSD: patch-variables.c,v 1.1 2014/09/25 20:28:32 christos Exp $
-
-Only read functions from environment if flag is set.
---- variables.c.christos 2014-09-25 16:09:41.000000000 -0400
-+++ variables.c 2014-09-25 16:12:10.000000000 -0400
-@@ -105,6 +105,7 @@
+--- variables.c.orig 2014-09-28 11:15:53.189768951 -0500
++++ variables.c 2014-09-28 11:27:07.250722694 -0500
+@@ -110,6 +110,7 @@ extern time_t shell_start_time;
extern int assigning_in_environment;
extern int executing_builtin;
extern int funcnest_max;
@@ -32,12 +29,38 @@ Only read functions from environment if flag is set.
#if defined (READLINE)
extern int no_line_editing;
-@@ -349,7 +350,7 @@ initialize_shell_variables (env, privmod
+@@ -328,6 +329,7 @@ initialize_shell_variables (env, privmod
+ char *name, *string, *temp_string;
+ int c, char_index, string_index, string_length, ro;
+ SHELL_VAR *temp_var;
++ int skipped_import;
+
+ create_variable_tables ();
+
+@@ -352,9 +354,12 @@ initialize_shell_variables (env, privmod
+ temp_var = (SHELL_VAR *)NULL;
+
++ skipped_import = 0;
++reval:
++
/* If exported function, define it now. Don't import functions from
the environment in privileged mode. */
-- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
-+ if (import_functions && privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
- {
+- if (privmode == 0 && read_but_dont_execute == 0 &&
++ if (skipped_import == 0 && privmode == 0 && read_but_dont_execute == 0 &&
+ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
+ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
+ STREQN ("() {", string, 4))
+@@ -367,6 +372,12 @@ initialize_shell_variables (env, privmod
+ tname = name + BASHFUNC_PREFLEN; /* start of func name */
+ tname[namelen] = '\0'; /* now tname == func name */
+
++ if (!import_functions && !interactive_shell) {
++ skipped_import = 1;
++ report_error (_("Skipping importing function definition for `%s': --import-functions required."), tname);
++ goto reval;
++ }
++
string_length = strlen (string);
- temp_string = (char *)xmalloc (3 + string_length + char_index);
+ temp_string = (char *)xmalloc (namelen + string_length + 2);
+
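Review bot: In the inner hunk `@@ -367,6 +372,12 @@`, the new skip path jumps back to `reval` while `name` is still truncated by `tname[namelen] = '\0'` two lines above, so the re-evaluation of this environment entry sees the name without its `BASHFUNC_SUFFIX` instead of the name that was actually passed in. Assuming the suffix is restored only at the end of the import branch (not visible in this hunk), the skip path should put it back once the message has been reported, e.g. `tname[namelen] = BASHFUNC_SUFFIX[0];` placed just before `goto reval;`. A short comment at `reval:` would also help, saying that a skipped definition is deliberately re-evaluated as an ordinary variable and that `skipped_import` is reset for every environment entry. `initialize_shell_variables` starts and ends outside the hunk, so how the fall-through branches bind the truncated name could not be checked from here.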