From 037396ee3d75aabd0ff1679f6b2d6426cab79c94 Mon Sep 17 00:00:00 2001
From: Bryan Drewery
Date: Sun, 28 Sep 2014 16:47:44 +0000
Subject: MFH: r369467
- Update to patchlevel 27 which changes how functions are exported. This should eliminate the recent vulnerabilities, but keep the requirement for --import-functions/IMPORTFUNCTIONS option for now.
- Loosen the --import-functions requirement so it is not needed when running an interactive shell. It is already disallowed for privileged/setuid mode.
- Show an error on stderr when an imported function is ignored.
---
 shells/bash/Makefile | 2 +-
 shells/bash/distinfo | 2 ++
 shells/bash/files/extrapatch-import-functions | 45 ++++++++++++++++++++-------
 3 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/shells/bash/Makefile b/shells/bash/Makefile
index ada8e843c3d1..ed5bf5575ec8 100644
--- a/shells/bash/Makefile
+++ b/shells/bash/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 PORTNAME= bash
-PATCHLEVEL= 26
+PATCHLEVEL= 27
 PORTVERSION= 4.3.${PATCHLEVEL:S/^0//g}
 PORTREVISION?= 0
 CATEGORIES= shells
diff --git a/shells/bash/distinfo b/shells/bash/distinfo
index 15cef48c34e0..4ca3a02a7318 100644
--- a/shells/bash/distinfo
+++ b/shells/bash/distinfo
@@ -52,3 +52,5 @@ SHA256 (bash/bash43-025) = 1e5186f5c4a619bb134a1177d9e9de879f3bb85d9c5726832b03a
 SIZE (bash/bash43-025) = 3940
 SHA256 (bash/bash43-026) = 2ecc12201b3ba4273b63af4e9aad2305168cf9babf6d11152796db08724c214d
 SIZE (bash/bash43-026) = 1575
+SHA256 (bash/bash43-027) = 1eb76ad28561d27f7403ff3c76a36e932928a4b58a01b868d663c165f076dabe
+SIZE (bash/bash43-027) = 6889
diff --git a/shells/bash/files/extrapatch-import-functions b/shells/bash/files/extrapatch-import-functions
index ad052c7ad7fa..c1ff0dd0f2f0 100644
--- a/shells/bash/files/extrapatch-import-functions
+++ b/shells/bash/files/extrapatch-import-functions
@@ -19,12 +19,9 @@ Based on christos@NetBSD's patch { "noprofile", Int, &no_profile, (char **)0x0 }, { "norc", Int, &no_rc, (char **)0x0 }, -$NetBSD: patch-variables.c,v 1.1 2014/09/25 20:28:32 christos Exp $ - -Only read functions from environment if flag is set. ---- variables.c.christos 2014-09-25 16:09:41.000000000 -0400 -+++ variables.c 2014-09-25 16:12:10.000000000 -0400 -@@ -105,6 +105,7 @@ +--- variables.c.orig 2014-09-28 11:15:53.189768951 -0500 ++++ variables.c 2014-09-28 11:27:07.250722694 -0500 +@@ -110,6 +110,7 @@ extern time_t shell_start_time; extern int assigning_in_environment; extern int executing_builtin; extern int funcnest_max; 
@@ -32,12 +29,38 @@ Only read functions from environment if flag is set. #if defined (READLINE) extern int no_line_editing; -@@ -349,7 +350,7 @@ initialize_shell_variables (env, privmod +@@ -328,6 +329,7 @@ initialize_shell_variables (env, privmod + char *name, *string, *temp_string; + int c, char_index, string_index, string_length, ro; + SHELL_VAR *temp_var; ++ int skipped_import; + + create_variable_tables (); + +@@ -352,9 +354,12 @@ initialize_shell_variables (env, privmod + temp_var = (SHELL_VAR *)NULL; + ++ skipped_import = 0; ++reval: ++ /* If exported function, define it now. Don't import functions from the environment in privileged mode. */ -- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) -+ if (import_functions && privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) - { +- if (privmode == 0 && read_but_dont_execute == 0 && ++ if (skipped_import == 0 && privmode == 0 && read_but_dont_execute == 0 && + STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) && + STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) && + STREQN ("() {", string, 4)) +@@ -367,6 +372,12 @@ initialize_shell_variables (env, privmod + tname = name + BASHFUNC_PREFLEN; /* start of func name */ + tname[namelen] = '\0'; /* now tname == func name */ + ++ if (!import_functions && !interactive_shell) { ++ skipped_import = 1; ++ report_error (_("Skipping importing function definition for `%s': --import-functions required."), tname); ++ goto reval; ++ } ++ string_length = strlen (string); - temp_string = (char *)xmalloc (3 + string_length + char_index); + temp_string = (char *)xmalloc (namelen + string_length + 2); + -- cgit v1.2.3
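Review bot: In the added `if (!import_functions && !interactive_shell)` block, `goto reval` is taken only after `tname[namelen] = '\0'` has already cut the suffix off `name` in place, so the entry that gets re-evaluated is no longer the string that arrived in the environment. The code that runs after `reval:` when the function test fails is outside this hunk, but it presumably binds the entry as an ordinary variable, which would now happen under the shortened name and change what is exported to child processes. Either perform the `import_functions` check before the NUL write, or undo the write first with `tname[namelen] = BASHFUNC_SUFFIX[0];` immediately ahead of `goto reval;`. Separately, `report_error` prints an environment-supplied function name to stderr unfiltered; a short comment noting that `tname` is untrusted at this point would help later maintainers.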