openSUSE Recommended Update: bash: Several fixes ______________________________________________________________________________ Announcement ID: openSUSE-RU-2013:1271-1 Rating: low References: #382214 #763591 #793536 #804551 #806628 #820149 #828877 Affected Products: openSUSE 12.2 ______________________________________________________________________________ An update that has 7 recommended fixes can now be installed. Description: This update fixes the following issues with bash: - bnc#804551: Force version update to factory + Removed 2 patches as they are part of the official patch set + Add 5 patches: * config-guess-sub-update.patch * readline-6.2-msgdynamic.patch * readline-6.2-xmalloc.dif * bnc#828877: bash-4.2-winch.dif * audit-rl-patch - Reintroduce patch bash-4.2-winch.dif to solve bnc#828877 accordingly to the test and upstream - Add bash-4.2-strcpy.patch from upstream mailing list to patch collection tar ball to avoid when using \w in the prompt and changing the directory outside of HOME the a strcpy work on overlapping memory areas. - add a conflict between readline5 and readline6-32bit - bnc#820149: Do not restart the sighandler after a trap is reset - Add patch from upstream mailing list to speed up array handling - Add patch from upstream mailing list to avoid fdleaks - Use lsdiff to determine the depth of the leading slashes in a patch file - Disable workaround for bnc#382214 due bnc#806628. - Update bash 4.2 to patch level 45 + When SIGCHLD is trapped, and a SIGCHLD trap handler runs when a pending `read -t' invocation times out and generates SIGALRM, bash can crash with a segmentation fault. + When converting a multibyte string to a wide character string as part of pattern matching, bash does not handle the end of the string correctly, causing the search for the NUL to go beyond the end of the string and reference random memory. Depending on the contents of that memory, bash can produce errors or crash. + The gt;n- and <n- redirections, which move one file descriptor to another, leave the file descriptor closed when applied to builtins or compound commands. - Use screen to provide a controlling terminal for running the test suite - config-guess-sub-update.patch: Update config.guess/sub for aarch64 - Fix check for negated warning switch - Avoid autoconf on older products - Apply audit patch variant to readline as well as we use a shared libreadline - Avoid bash-devel on older products as older GNU make do not have a realpath builtin - bnc#793536: Do not trigger the export of COLUMNS or LINES due enforced checkwinsize - Update bash 4.2 to patch level 42 + Missing I/O errors if output redirection applied to builtin commands when the file descriptor was closed + Process substitution incorrectly inherited a flag that inhibited using the temporary environment for variable lookups if it was providing the filename to a redirection. + Compilation failed after specifying the `minimal config' option - Update bash 4.2 to patch level 39 + Official fix for the last crash fix + Avoid variable expansion in arithmetic expressions when evaluation is being suppressed - Do not mix xmalloc/xfree of libreadline and bash by making the libreadline version weak symbols instead of private symbols - Add patch from upstream mailing list to avoids crash - Update bash 4.2 to patch level 37 + Attempting to redo (using `.') the vi editing mode `cc', `dd', or `yy' commands leads to an infinite loop. - Do not mask internal _rl symbols as internal as there are many tools out there which uses them (gdb as an example) - libreadlib: try to avoid to bind references of the symbols rl_instream and rl_outstream - libreadlib: make private symbols really private - Increase buffer for libreadline messsages if required - Include stdio.h in libreadline header files to get the declaration of FILES correct. - Update bash 4.2 to patch level 36 + Patch 25: When used in a shell function, `declare -g -a array=(compound assignment)' creates a local variable instead of a global one. + Patch 26: The `lastpipe' option does not behave correctly on machines where the open file limit is less than 256. + Patch 27: When the `extglob' shell option is enabled, pattern substitution does not work correctly in the presence of multibyte characters. + Patch 28: When using a word expansion for which the right hand side is evaluated, certain expansions of quoted null strings include spurious ^? characters. + Patch 29: Bash-4.2 tries to leave completed directory names as the user typed them, without expanding them to a full pathname. One effect of this is that shell variables used in pathnames being completed (e.g., $HOME) are left unchanged, but the `$' is quoted by readline because it is a special character to the shell. + Patch 30: When attempting to glob strings in a multibyte locale, and those strings contain invalid multibyte characters that cause mbsnrtowcs to return 0, the globbing code loops infinitely. + Patch 31: A change between bash-4.1 and bash-4.2 to prevent the readline input hook from being called too frequently had the side effect of causing delays when reading pasted input on systems such as Mac OS X. This patch fixes those delays while retaining the bash-4.2 behavior. + Patch 32: Bash-4.2 has problems with DEL characters in the expanded value of variables used in the same quoted string as variables that expand to nothing. + Patch 33: Bash uses a static buffer when expanding the /dev/fd prefix for the test and conditional commands, among other uses, when it should use a dynamic buffer to avoid buffer overflow. + Patch 34: In bash-4.2, the history code would inappropriately add a semicolon to multi-line compound array assignments when adding them to the history. + Patch 35: When given a number of lines to read, `mapfile -n lines' reads one too many. + Patch 36: Bash-4.2 produces incorrect word splitting results when expanding double-quoted $@ in the same string as and adjacent to other variable expansions. The $@ should be split, the other expansions should not. - bnc#763591: Add patch to avoid double free or corruption due expanding number sequence with huge numbers. Patch will go upstream. Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-612 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): bash-4.2-51.13.1 bash-debuginfo-4.2-51.13.1 bash-debugsource-4.2-51.13.1 bash-devel-4.2-51.13.1 bash-loadables-4.2-51.13.1 bash-loadables-debuginfo-4.2-51.13.1 libreadline6-6.2-51.13.1 libreadline6-debuginfo-6.2-51.13.1 readline-devel-6.2-51.13.1 - openSUSE 12.2 (x86_64): bash-debuginfo-32bit-4.2-51.13.1 libreadline6-32bit-6.2-51.13.1 libreadline6-debuginfo-32bit-6.2-51.13.1 readline-devel-32bit-6.2-51.13.1 - openSUSE 12.2 (noarch): bash-doc-4.2-51.13.1 bash-lang-4.2-51.13.1 readline-doc-6.2-51.13.1 References: https://bugzilla.novell.com/382214 https://bugzilla.novell.com/763591 https://bugzilla.novell.com/793536 https://bugzilla.novell.com/804551 https://bugzilla.novell.com/806628 https://bugzilla.novell.com/820149 https://bugzilla.novell.com/828877