From: Gustavo Zacarias Date: Sun, 28 Sep 2014 11:17:54 +0000 (-0300) Subject: bash: update to patchlevel 27 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=0905e9826a2f17d5aadaf8bc6d1a6131f81d3f2f;p=buildroot.git bash: update to patchlevel 27 Patches 26 and 27 are refiniments/improved checks on the CVE. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- diff --git a/package/bash/bash-001-patchlevel25.patch b/package/bash/bash-001-patchlevel25.patch deleted file mode 100644 index a8e86a3da7..0000000000 --- a/package/bash/bash-001-patchlevel25.patch +++ /dev/null @@ -1,925 +0,0 @@ -Update bash to patchlevel 25. -It's basically a single patch made out from -http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/ (bash43-001 to 025). -Fixes CVE-2014-6271: -Under certain circumstances, bash will execute user code while processing the -environment for exported function definitions. - -Signed-off-by: Gustavo Zacarias - -diff -Nura bash-4.3.orig/arrayfunc.c bash-4.3/arrayfunc.c ---- bash-4.3.orig/arrayfunc.c 2014-09-24 14:45:32.573985743 -0300 -+++ bash-4.3/arrayfunc.c 2014-09-24 14:45:48.858540124 -0300 -@@ -179,6 +179,7 @@ - array_insert (array_cell (entry), ind, newval); - FREE (newval); - -+ VUNSETATTR (entry, att_invisible); /* no longer invisible */ - return (entry); - } - -@@ -597,6 +598,11 @@ - if (assoc_p (var)) - { - val = expand_assignment_string_to_string (val, 0); -+ if (val == 0) -+ { -+ val = (char *)xmalloc (1); -+ val[0] = '\0'; /* like do_assignment_internal */ -+ } - free_val = 1; - } - -diff -Nura bash-4.3.orig/bashline.c bash-4.3/bashline.c ---- bash-4.3.orig/bashline.c 2014-09-24 14:45:32.574985778 -0300 -+++ bash-4.3/bashline.c 2014-09-24 14:45:48.851539885 -0300 -@@ -4167,9 +4167,16 @@ - int qc; - - qc = rl_dispatching ? rl_completion_quote_character : 0; -- dfn = bash_dequote_filename ((char *)text, qc); -+ /* If rl_completion_found_quote != 0, rl_completion_matches will call the -+ filename dequoting function, causing the directory name to be dequoted -+ twice. */ -+ if (rl_dispatching && rl_completion_found_quote == 0) -+ dfn = bash_dequote_filename ((char *)text, qc); -+ else -+ dfn = (char *)text; - m1 = rl_completion_matches (dfn, rl_filename_completion_function); -- free (dfn); -+ if (dfn != text) -+ free (dfn); - - if (m1 == 0 || m1[0] == 0) - return m1; -diff -Nura bash-4.3.orig/builtins/common.h bash-4.3/builtins/common.h ---- bash-4.3.orig/builtins/common.h 2014-09-24 14:45:32.630987683 -0300 -+++ bash-4.3/builtins/common.h 2014-09-24 14:45:48.878540805 -0300 -@@ -33,6 +33,8 @@ - #define SEVAL_RESETLINE 0x010 - #define SEVAL_PARSEONLY 0x020 - #define SEVAL_NOLONGJMP 0x040 -+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ -+#define SEVAL_ONECMD 0x100 /* only allow a single command */ - - /* Flags for describe_command, shared between type.def and command.def */ - #define CDESC_ALL 0x001 /* type -a */ -diff -Nura bash-4.3.orig/builtins/evalstring.c bash-4.3/builtins/evalstring.c ---- bash-4.3.orig/builtins/evalstring.c 2014-09-24 14:45:32.631987717 -0300 -+++ bash-4.3/builtins/evalstring.c 2014-09-24 14:45:48.879540839 -0300 -@@ -308,6 +308,14 @@ - { - struct fd_bitmap *bitmap; - -+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) -+ { -+ internal_warning ("%s: ignoring function definition attempt", from_file); -+ should_jump_to_top_level = 0; -+ last_result = last_command_exit_value = EX_BADUSAGE; -+ break; -+ } -+ - bitmap = new_fd_bitmap (FD_BITMAP_SIZE); - begin_unwind_frame ("pe_dispose"); - add_unwind_protect (dispose_fd_bitmap, bitmap); -@@ -368,6 +376,9 @@ - dispose_command (command); - dispose_fd_bitmap (bitmap); - discard_unwind_frame ("pe_dispose"); -+ -+ if (flags & SEVAL_ONECMD) -+ break; - } - } - else -diff -Nura bash-4.3.orig/builtins/read.def bash-4.3/builtins/read.def ---- bash-4.3.orig/builtins/read.def 2014-09-24 14:45:32.631987717 -0300 -+++ bash-4.3/builtins/read.def 2014-09-24 14:45:48.860540192 -0300 -@@ -442,7 +442,10 @@ - add_unwind_protect (reset_alarm, (char *)NULL); - #if defined (READLINE) - if (edit) -- add_unwind_protect (reset_attempted_completion_function, (char *)NULL); -+ { -+ add_unwind_protect (reset_attempted_completion_function, (char *)NULL); -+ add_unwind_protect (bashline_reset_event_hook, (char *)NULL); -+ } - #endif - falarm (tmsec, tmusec); - } -@@ -1021,6 +1024,7 @@ - - old_attempted_completion_function = rl_attempted_completion_function; - rl_attempted_completion_function = (rl_completion_func_t *)NULL; -+ bashline_set_event_hook (); - if (itext) - { - old_startup_hook = rl_startup_hook; -@@ -1032,6 +1036,7 @@ - - rl_attempted_completion_function = old_attempted_completion_function; - old_attempted_completion_function = (rl_completion_func_t *)NULL; -+ bashline_reset_event_hook (); - - if (ret == 0) - return ret; -diff -Nura bash-4.3.orig/execute_cmd.c bash-4.3/execute_cmd.c ---- bash-4.3.orig/execute_cmd.c 2014-09-24 14:45:32.573985743 -0300 -+++ bash-4.3/execute_cmd.c 2014-09-24 14:45:48.870540532 -0300 -@@ -2409,7 +2409,16 @@ - #endif - lstdin = wait_for (lastpid); - #if defined (JOB_CONTROL) -- exec_result = job_exit_status (lastpipe_jid); -+ /* If wait_for removes the job from the jobs table, use result of last -+ command as pipeline's exit status as usual. The jobs list can get -+ frozen and unfrozen at inconvenient times if there are multiple pipelines -+ running simultaneously. */ -+ if (INVALID_JOB (lastpipe_jid) == 0) -+ exec_result = job_exit_status (lastpipe_jid); -+ else if (pipefail_opt) -+ exec_result = exec_result | lstdin; /* XXX */ -+ /* otherwise we use exec_result */ -+ - #endif - unfreeze_jobs_list (); - } -diff -Nura bash-4.3.orig/externs.h bash-4.3/externs.h ---- bash-4.3.orig/externs.h 2014-09-24 14:45:32.573985743 -0300 -+++ bash-4.3/externs.h 2014-09-24 14:45:48.837539409 -0300 -@@ -324,6 +324,7 @@ - extern char *sh_backslash_quote __P((char *, const char *, int)); - extern char *sh_backslash_quote_for_double_quotes __P((char *)); - extern int sh_contains_shell_metas __P((char *)); -+extern int sh_contains_quotes __P((char *)); - - /* declarations for functions defined in lib/sh/spell.c */ - extern int spname __P((char *, char *)); -diff -Nura bash-4.3.orig/jobs.c bash-4.3/jobs.c ---- bash-4.3.orig/jobs.c 2014-09-24 14:45:32.639987989 -0300 -+++ bash-4.3/jobs.c 2014-09-24 14:45:48.843539613 -0300 -@@ -3597,6 +3597,7 @@ - unwind_protect_int (jobs_list_frozen); - unwind_protect_pointer (the_pipeline); - unwind_protect_pointer (subst_assign_varlist); -+ unwind_protect_pointer (this_shell_builtin); - - /* We have to add the commands this way because they will be run - in reverse order of adding. We don't want maybe_set_sigchld_trap () -@@ -4374,7 +4375,7 @@ - void - end_job_control () - { -- if (interactive_shell) /* XXX - should it be interactive? */ -+ if (interactive_shell || job_control) /* XXX - should it be just job_control? */ - { - terminate_stopped_jobs (); - -diff -Nura bash-4.3.orig/lib/glob/glob.c bash-4.3/lib/glob/glob.c ---- bash-4.3.orig/lib/glob/glob.c 2014-09-24 14:45:32.652988432 -0300 -+++ bash-4.3/lib/glob/glob.c 2014-09-24 14:45:48.853539954 -0300 -@@ -123,6 +123,8 @@ - extern char *glob_patscan __P((char *, char *, int)); - extern wchar_t *glob_patscan_wc __P((wchar_t *, wchar_t *, int)); - -+extern char *glob_dirscan __P((char *, int)); -+ - /* Compile `glob_loop.c' for single-byte characters. */ - #define CHAR unsigned char - #define INT int -@@ -179,42 +181,53 @@ - char *pat, *dname; - int flags; - { -- char *pp, *pe, *t; -- int n, r; -+ char *pp, *pe, *t, *se; -+ int n, r, negate; - -+ negate = *pat == '!'; - pp = pat + 2; -- pe = pp + strlen (pp) - 1; /*(*/ -- if (*pe != ')') -+ se = pp + strlen (pp) - 1; /* end of string */ -+ pe = glob_patscan (pp, se, 0); /* end of extglob pattern (( */ -+ /* we should check for invalid extglob pattern here */ -+ if (pe == 0) - return 0; -- if ((t = strchr (pp, '|')) == 0) /* easy case first */ -+ -+ /* if pe != se we have more of the pattern at the end of the extglob -+ pattern. Check the easy case first ( */ -+ if (pe == se && *pe == ')' && (t = strchr (pp, '|')) == 0) - { - *pe = '\0'; -+#if defined (HANDLE_MULTIBYTE) -+ r = mbskipname (pp, dname, flags); -+#else - r = skipname (pp, dname, flags); /*(*/ -+#endif - *pe = ')'; - return r; - } -+ -+ /* check every subpattern */ - while (t = glob_patscan (pp, pe, '|')) - { - n = t[-1]; - t[-1] = '\0'; -+#if defined (HANDLE_MULTIBYTE) -+ r = mbskipname (pp, dname, flags); -+#else - r = skipname (pp, dname, flags); -+#endif - t[-1] = n; - if (r == 0) /* if any pattern says not skip, we don't skip */ - return r; - pp = t; - } /*(*/ - -- if (pp == pe) /* glob_patscan might find end of pattern */ -+ /* glob_patscan might find end of pattern */ -+ if (pp == se) - return r; - -- *pe = '\0'; --# if defined (HANDLE_MULTIBYTE) -- r = mbskipname (pp, dname, flags); /*(*/ --# else -- r = skipname (pp, dname, flags); /*(*/ --# endif -- *pe = ')'; -- return r; -+ /* but if it doesn't then we didn't match a leading dot */ -+ return 0; - } - #endif - -@@ -277,20 +290,23 @@ - int flags; - { - #if EXTENDED_GLOB -- wchar_t *pp, *pe, *t, n; -- int r; -+ wchar_t *pp, *pe, *t, n, *se; -+ int r, negate; - -+ negate = *pat == L'!'; - pp = pat + 2; -- pe = pp + wcslen (pp) - 1; /*(*/ -- if (*pe != L')') -- return 0; -- if ((t = wcschr (pp, L'|')) == 0) -+ se = pp + wcslen (pp) - 1; /*(*/ -+ pe = glob_patscan_wc (pp, se, 0); -+ -+ if (pe == se && *pe == ')' && (t = wcschr (pp, L'|')) == 0) - { - *pe = L'\0'; - r = wchkname (pp, dname); /*(*/ - *pe = L')'; - return r; - } -+ -+ /* check every subpattern */ - while (t = glob_patscan_wc (pp, pe, '|')) - { - n = t[-1]; -@@ -305,10 +321,8 @@ - if (pp == pe) /* glob_patscan_wc might find end of pattern */ - return r; - -- *pe = L'\0'; -- r = wchkname (pp, dname); /*(*/ -- *pe = L')'; -- return r; -+ /* but if it doesn't then we didn't match a leading dot */ -+ return 0; - #else - return (wchkname (pat, dname)); - #endif -@@ -1006,7 +1020,7 @@ - { - char **result; - unsigned int result_size; -- char *directory_name, *filename, *dname; -+ char *directory_name, *filename, *dname, *fn; - unsigned int directory_len; - int free_dirname; /* flag */ - int dflags; -@@ -1022,6 +1036,18 @@ - - /* Find the filename. */ - filename = strrchr (pathname, '/'); -+#if defined (EXTENDED_GLOB) -+ if (filename && extended_glob) -+ { -+ fn = glob_dirscan (pathname, '/'); -+#if DEBUG_MATCHING -+ if (fn != filename) -+ fprintf (stderr, "glob_filename: glob_dirscan: fn (%s) != filename (%s)\n", fn ? fn : "(null)", filename); -+#endif -+ filename = fn; -+ } -+#endif -+ - if (filename == NULL) - { - filename = pathname; -diff -Nura bash-4.3.orig/lib/glob/gmisc.c bash-4.3/lib/glob/gmisc.c ---- bash-4.3.orig/lib/glob/gmisc.c 2014-09-24 14:45:32.652988432 -0300 -+++ bash-4.3/lib/glob/gmisc.c 2014-09-24 14:45:48.854539988 -0300 -@@ -42,6 +42,8 @@ - #define WLPAREN L'(' - #define WRPAREN L')' - -+extern char *glob_patscan __P((char *, char *, int)); -+ - /* Return 1 of the first character of WSTRING could match the first - character of pattern WPAT. Wide character version. */ - int -@@ -210,6 +212,7 @@ - case '+': - case '!': - case '@': -+ case '?': - return (pat[1] == LPAREN); - default: - return 0; -@@ -374,3 +377,34 @@ - - return matlen; - } -+ -+/* Skip characters in PAT and return the final occurrence of DIRSEP. This -+ is only called when extended_glob is set, so we have to skip over extglob -+ patterns x(...) */ -+char * -+glob_dirscan (pat, dirsep) -+ char *pat; -+ int dirsep; -+{ -+ char *p, *d, *pe, *se; -+ -+ d = pe = se = 0; -+ for (p = pat; p && *p; p++) -+ { -+ if (extglob_pattern_p (p)) -+ { -+ if (se == 0) -+ se = p + strlen (p) - 1; -+ pe = glob_patscan (p + 2, se, 0); -+ if (pe == 0) -+ continue; -+ else if (*pe == 0) -+ break; -+ p = pe - 1; /* will do increment above */ -+ continue; -+ } -+ if (*p == dirsep) -+ d = p; -+ } -+ return d; -+} -diff -Nura bash-4.3.orig/lib/readline/display.c bash-4.3/lib/readline/display.c ---- bash-4.3.orig/lib/readline/display.c 2014-09-24 14:45:32.652988432 -0300 -+++ bash-4.3/lib/readline/display.c 2014-09-24 14:45:48.845539681 -0300 -@@ -1637,7 +1637,7 @@ - /* If we are changing the number of invisible characters in a line, and - the spot of first difference is before the end of the invisible chars, - lendiff needs to be adjusted. */ -- if (current_line == 0 && !_rl_horizontal_scroll_mode && -+ if (current_line == 0 && /* !_rl_horizontal_scroll_mode && */ - current_invis_chars != visible_wrap_offset) - { - if (MB_CUR_MAX > 1 && rl_byte_oriented == 0) -@@ -1825,8 +1825,13 @@ - else - _rl_last_c_pos += bytes_to_insert; - -+ /* XXX - we only want to do this if we are at the end of the line -+ so we move there with _rl_move_cursor_relative */ - if (_rl_horizontal_scroll_mode && ((oe-old) > (ne-new))) -- goto clear_rest_of_line; -+ { -+ _rl_move_cursor_relative (ne-new, new); -+ goto clear_rest_of_line; -+ } - } - } - /* Otherwise, print over the existing material. */ -@@ -2677,7 +2682,8 @@ - { - if (_rl_echoing_p) - { -- _rl_move_vert (_rl_vis_botlin); -+ if (_rl_vis_botlin > 0) /* minor optimization plus bug fix */ -+ _rl_move_vert (_rl_vis_botlin); - _rl_vis_botlin = 0; - fflush (rl_outstream); - rl_restart_output (1, 0); -diff -Nura bash-4.3.orig/lib/readline/input.c bash-4.3/lib/readline/input.c ---- bash-4.3.orig/lib/readline/input.c 2014-09-24 14:45:32.651988398 -0300 -+++ bash-4.3/lib/readline/input.c 2014-09-24 14:45:48.860540192 -0300 -@@ -534,8 +534,16 @@ - return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF); - else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM) - return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF); -+ /* keyboard-generated signals of interest */ - else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT) - RL_CHECK_SIGNALS (); -+ /* non-keyboard-generated signals of interest */ -+ else if (_rl_caught_signal == SIGALRM -+#if defined (SIGVTALRM) -+ || _rl_caught_signal == SIGVTALRM -+#endif -+ ) -+ RL_CHECK_SIGNALS (); - - if (rl_signal_event_hook) - (*rl_signal_event_hook) (); -diff -Nura bash-4.3.orig/lib/readline/misc.c bash-4.3/lib/readline/misc.c ---- bash-4.3.orig/lib/readline/misc.c 2014-09-24 14:45:32.652988432 -0300 -+++ bash-4.3/lib/readline/misc.c 2014-09-24 14:45:48.867540430 -0300 -@@ -461,6 +461,7 @@ - saved_undo_list = 0; - /* Set up rl_line_buffer and other variables from history entry */ - rl_replace_from_history (entry, 0); /* entry->line is now current */ -+ entry->data = 0; /* entry->data is now current undo list */ - /* Undo all changes to this history entry */ - while (rl_undo_list) - rl_do_undo (); -@@ -468,7 +469,6 @@ - the timestamp. */ - FREE (entry->line); - entry->line = savestring (rl_line_buffer); -- entry->data = 0; - } - entry = previous_history (); - } -diff -Nura bash-4.3.orig/lib/readline/readline.c bash-4.3/lib/readline/readline.c ---- bash-4.3.orig/lib/readline/readline.c 2014-09-24 14:45:32.652988432 -0300 -+++ bash-4.3/lib/readline/readline.c 2014-09-24 14:45:48.819538797 -0300 -@@ -744,7 +744,8 @@ - r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ)); - - RL_CHECK_SIGNALS (); -- if (r == 0) /* success! */ -+ /* We only treat values < 0 specially to simulate recursion. */ -+ if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0)) /* success! or failure! */ - { - _rl_keyseq_chain_dispose (); - RL_UNSETSTATE (RL_STATE_MULTIKEY); -@@ -964,7 +965,7 @@ - #if defined (VI_MODE) - if (rl_editing_mode == vi_mode && _rl_keymap == vi_movement_keymap && - key != ANYOTHERKEY && -- rl_key_sequence_length == 1 && /* XXX */ -+ _rl_dispatching_keymap == vi_movement_keymap && - _rl_vi_textmod_command (key)) - _rl_vi_set_last (key, rl_numeric_arg, rl_arg_sign); - #endif -diff -Nura bash-4.3.orig/lib/sh/shquote.c bash-4.3/lib/sh/shquote.c ---- bash-4.3.orig/lib/sh/shquote.c 2014-09-24 14:45:32.654988500 -0300 -+++ bash-4.3/lib/sh/shquote.c 2014-09-24 14:45:48.837539409 -0300 -@@ -311,3 +311,17 @@ - - return (0); - } -+ -+int -+sh_contains_quotes (string) -+ char *string; -+{ -+ char *s; -+ -+ for (s = string; s && *s; s++) -+ { -+ if (*s == '\'' || *s == '"' || *s == '\\') -+ return 1; -+ } -+ return 0; -+} -diff -Nura bash-4.3.orig/parse.y bash-4.3/parse.y ---- bash-4.3.orig/parse.y 2014-09-24 14:45:32.650988364 -0300 -+++ bash-4.3/parse.y 2014-09-24 14:45:48.863540294 -0300 -@@ -2424,7 +2424,7 @@ - not already end in an EOF character. */ - if (shell_input_line_terminator != EOF) - { -- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3) -+ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size)) - shell_input_line = (char *)xrealloc (shell_input_line, - 1 + (shell_input_line_size += 2)); - -@@ -2642,7 +2642,7 @@ - int r; - - r = 0; -- while (need_here_doc) -+ while (need_here_doc > 0) - { - parser_state |= PST_HEREDOC; - make_here_document (redir_stack[r++], line_number); -@@ -3398,7 +3398,7 @@ - within a double-quoted ${...} construct "an even number of - unescaped double-quotes or single-quotes, if any, shall occur." */ - /* This was changed in Austin Group Interp 221 */ -- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') -+ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') - continue; - - /* Could also check open == '`' if we want to parse grouping constructs -@@ -6075,6 +6075,7 @@ - - ps->expand_aliases = expand_aliases; - ps->echo_input_at_read = echo_input_at_read; -+ ps->need_here_doc = need_here_doc; - - ps->token = token; - ps->token_buffer_size = token_buffer_size; -@@ -6123,6 +6124,7 @@ - - expand_aliases = ps->expand_aliases; - echo_input_at_read = ps->echo_input_at_read; -+ need_here_doc = ps->need_here_doc; - - FREE (token); - token = ps->token; -diff -Nura bash-4.3.orig/patchlevel.h bash-4.3/patchlevel.h ---- bash-4.3.orig/patchlevel.h 2014-09-24 14:45:32.639987989 -0300 -+++ bash-4.3/patchlevel.h 2014-09-24 14:45:48.883540975 -0300 -@@ -25,6 +25,6 @@ - regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh - looks for to find the patch level (for the sccs version string). */ - --#define PATCHLEVEL 0 -+#define PATCHLEVEL 25 - - #endif /* _PATCHLEVEL_H_ */ -diff -Nura bash-4.3.orig/pcomplete.c bash-4.3/pcomplete.c ---- bash-4.3.orig/pcomplete.c 2014-09-24 14:45:32.637987921 -0300 -+++ bash-4.3/pcomplete.c 2014-09-24 14:45:48.838539443 -0300 -@@ -183,6 +183,7 @@ - - COMPSPEC *pcomp_curcs; - const char *pcomp_curcmd; -+const char *pcomp_curtxt; - - #ifdef DEBUG - /* Debugging code */ -@@ -753,6 +754,32 @@ - quoted strings. */ - dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); - } -+ /* Intended to solve a mismatched assumption by bash-completion. If -+ the text to be completed is empty, but bash-completion turns it into -+ a quoted string ('') assuming that this code will dequote it before -+ calling readline, do the dequoting. */ -+ else if (iscompgen && iscompleting && -+ pcomp_curtxt && *pcomp_curtxt == 0 && -+ text && (*text == '\'' || *text == '"') && text[1] == text[0] && text[2] == 0 && -+ rl_filename_dequoting_function) -+ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); -+ /* Another mismatched assumption by bash-completion. If compgen is being -+ run as part of bash-completion, and the argument to compgen is not -+ the same as the word originally passed to the programmable completion -+ code, dequote the argument if it has quote characters. It's an -+ attempt to detect when bash-completion is quoting its filename -+ argument before calling compgen. */ -+ /* We could check whether gen_shell_function_matches is in the call -+ stack by checking whether the gen-shell-function-matches tag is in -+ the unwind-protect stack, but there's no function to do that yet. -+ We could simply check whether we're executing in a function by -+ checking variable_context, and may end up doing that. */ -+ else if (iscompgen && iscompleting && rl_filename_dequoting_function && -+ pcomp_curtxt && text && -+ STREQ (pcomp_curtxt, text) == 0 && -+ variable_context && -+ sh_contains_quotes (text)) /* guess */ -+ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); - else - dfn = savestring (text); - } -@@ -1522,7 +1549,7 @@ - COMPSPEC **lastcs; - { - COMPSPEC *cs, *oldcs; -- const char *oldcmd; -+ const char *oldcmd, *oldtxt; - STRINGLIST *ret; - - cs = progcomp_search (ocmd); -@@ -1545,14 +1572,17 @@ - - oldcs = pcomp_curcs; - oldcmd = pcomp_curcmd; -+ oldtxt = pcomp_curtxt; - - pcomp_curcs = cs; - pcomp_curcmd = cmd; -+ pcomp_curtxt = word; - - ret = gen_compspec_completions (cs, cmd, word, start, end, foundp); - - pcomp_curcs = oldcs; - pcomp_curcmd = oldcmd; -+ pcomp_curtxt = oldtxt; - - /* We need to conditionally handle setting *retryp here */ - if (retryp) -diff -Nura bash-4.3.orig/shell.h bash-4.3/shell.h ---- bash-4.3.orig/shell.h 2014-09-24 14:45:32.573985743 -0300 -+++ bash-4.3/shell.h 2014-09-24 14:45:48.862540260 -0300 -@@ -168,7 +168,8 @@ - /* flags state affecting the parser */ - int expand_aliases; - int echo_input_at_read; -- -+ int need_here_doc; -+ - } sh_parser_state_t; - - typedef struct _sh_input_line_state_t { -diff -Nura bash-4.3.orig/subst.c bash-4.3/subst.c ---- bash-4.3.orig/subst.c 2014-09-24 14:45:32.640988023 -0300 -+++ bash-4.3/subst.c 2014-09-24 14:45:48.882540941 -0300 -@@ -1192,12 +1192,18 @@ - Start extracting at (SINDEX) as if we had just seen "<(". - Make (SINDEX) get the position of the matching ")". */ /*))*/ - char * --extract_process_subst (string, starter, sindex) -+extract_process_subst (string, starter, sindex, xflags) - char *string; - char *starter; - int *sindex; -+ int xflags; - { -+#if 0 - return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND)); -+#else -+ xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0); -+ return (xparse_dolparen (string, string+*sindex, sindex, xflags)); -+#endif - } - #endif /* PROCESS_SUBSTITUTION */ - -@@ -1785,7 +1791,7 @@ - si = i + 2; - if (string[si] == '\0') - CQ_RETURN(si); -- temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si); -+ temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0); - free (temp); /* no SX_ALLOC here */ - i = si; - if (string[i] == '\0') -@@ -3248,8 +3254,10 @@ - if (w->word == 0 || w->word[0] == '\0') - return ((char *)NULL); - -+ expand_no_split_dollar_star = 1; - w->flags |= W_NOSPLIT2; - l = call_expand_word_internal (w, 0, 0, (int *)0, (int *)0); -+ expand_no_split_dollar_star = 0; - if (l) - { - if (special == 0) /* LHS */ -@@ -7366,7 +7374,13 @@ - } - - if (want_indir) -- tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); -+ { -+ tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); -+ /* Turn off the W_ARRAYIND flag because there is no way for this function -+ to return the index we're supposed to be using. */ -+ if (tdesc && tdesc->flags) -+ tdesc->flags &= ~W_ARRAYIND; -+ } - else - tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind); - -@@ -7847,6 +7861,10 @@ - We also want to make sure that splitting is done no matter what -- - according to POSIX.2, this expands to a list of the positional - parameters no matter what IFS is set to. */ -+ /* XXX - what to do when in a context where word splitting is not -+ performed? Even when IFS is not the default, posix seems to imply -+ that we behave like unquoted $* ? Maybe we should use PF_NOSPLIT2 -+ here. */ - temp = string_list_dollar_at (list, (pflags & PF_ASSIGNRHS) ? (quoted|Q_DOUBLE_QUOTES) : quoted); - - tflag |= W_DOLLARAT; -@@ -8029,7 +8047,9 @@ - - goto return0; - } -- else if (var = find_variable_last_nameref (temp1)) -+ else if (var && (invisible_p (var) || var_isset (var) == 0)) -+ temp = (char *)NULL; -+ else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) - { - temp = nameref_cell (var); - #if defined (ARRAY_VARS) -@@ -8243,7 +8263,7 @@ - else - t_index = sindex + 1; /* skip past both '<' and LPAREN */ - -- temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/ -+ temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/ - sindex = t_index; - - /* If the process substitution specification is `<()', we want to -@@ -8816,6 +8836,7 @@ - else - { - char *ifs_chars; -+ char *tstring; - - ifs_chars = (quoted_dollar_at || has_dollar_at) ? ifs_value : (char *)NULL; - -@@ -8830,11 +8851,36 @@ - regardless of what else has happened to IFS since the expansion. */ - if (split_on_spaces) - list = list_string (istring, " ", 1); /* XXX quoted == 1? */ -+ /* If we have $@ (has_dollar_at != 0) and we are in a context where we -+ don't want to split the result (W_NOSPLIT2), and we are not quoted, -+ we have already separated the arguments with the first character of -+ $IFS. In this case, we want to return a list with a single word -+ with the separator possibly replaced with a space (it's what other -+ shells seem to do). -+ quoted_dollar_at is internal to this function and is set if we are -+ passed an argument that is unquoted (quoted == 0) but we encounter a -+ double-quoted $@ while expanding it. */ -+ else if (has_dollar_at && quoted_dollar_at == 0 && ifs_chars && quoted == 0 && (word->flags & W_NOSPLIT2)) -+ { -+ /* Only split and rejoin if we have to */ -+ if (*ifs_chars && *ifs_chars != ' ') -+ { -+ list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1); -+ tstring = string_list (list); -+ } -+ else -+ tstring = istring; -+ tword = make_bare_word (tstring); -+ if (tstring != istring) -+ free (tstring); -+ goto set_word_flags; -+ } - else if (has_dollar_at && ifs_chars) - list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1); - else - { - tword = make_bare_word (istring); -+set_word_flags: - if ((quoted & (Q_DOUBLE_QUOTES|Q_HERE_DOCUMENT)) || (quoted_state == WHOLLY_QUOTED)) - tword->flags |= W_QUOTED; - if (word->flags & W_ASSIGNMENT) -diff -Nura bash-4.3.orig/subst.h bash-4.3/subst.h ---- bash-4.3.orig/subst.h 2014-09-24 14:45:32.655988534 -0300 -+++ bash-4.3/subst.h 2014-09-24 14:45:48.871540566 -0300 -@@ -82,7 +82,7 @@ - /* Extract the <( or >( construct in STRING, and return a new string. - Start extracting at (SINDEX) as if we had just seen "<(". - Make (SINDEX) get the position just after the matching ")". */ --extern char *extract_process_subst __P((char *, char *, int *)); -+extern char *extract_process_subst __P((char *, char *, int *, int)); - #endif /* PROCESS_SUBSTITUTION */ - - /* Extract the name of the variable to bind to from the assignment string. */ -diff -Nura bash-4.3.orig/test.c bash-4.3/test.c ---- bash-4.3.orig/test.c 2014-09-24 14:45:32.650988364 -0300 -+++ bash-4.3/test.c 2014-09-24 14:45:48.814538631 -0300 -@@ -646,8 +646,8 @@ - return (v && invisible_p (v) == 0 && var_isset (v) ? TRUE : FALSE); - - case 'R': -- v = find_variable (arg); -- return (v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v) ? TRUE : FALSE); -+ v = find_variable_noref (arg); -+ return ((v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v)) ? TRUE : FALSE); - } - - /* We can't actually get here, but this shuts up gcc. */ -@@ -723,6 +723,7 @@ - case 'o': case 'p': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'z': - case 'G': case 'L': case 'O': case 'S': case 'N': -+ case 'R': - return (1); - } - -diff -Nura bash-4.3.orig/trap.c bash-4.3/trap.c ---- bash-4.3.orig/trap.c 2014-09-24 14:45:32.637987921 -0300 -+++ bash-4.3/trap.c 2014-09-24 14:45:48.815538661 -0300 -@@ -920,7 +920,8 @@ - subst_assign_varlist = 0; - - #if defined (JOB_CONTROL) -- save_pipeline (1); /* XXX only provides one save level */ -+ if (sig != DEBUG_TRAP) /* run_debug_trap does this */ -+ save_pipeline (1); /* XXX only provides one save level */ - #endif - - /* If we're in a function, make sure return longjmps come here, too. */ -@@ -940,7 +941,8 @@ - trap_exit_value = last_command_exit_value; - - #if defined (JOB_CONTROL) -- restore_pipeline (1); -+ if (sig != DEBUG_TRAP) /* run_debug_trap does this */ -+ restore_pipeline (1); - #endif - - subst_assign_varlist = save_subst_varlist; -diff -Nura bash-4.3.orig/variables.c bash-4.3/variables.c ---- bash-4.3.orig/variables.c 2014-09-24 14:45:32.632987751 -0300 -+++ bash-4.3/variables.c 2014-09-24 14:45:48.880540873 -0300 -@@ -358,13 +358,11 @@ - temp_string[char_index] = ' '; - strcpy (temp_string + char_index + 1, string); - -- if (posixly_correct == 0 || legal_identifier (name)) -- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); -- -- /* Ancient backwards compatibility. Old versions of bash exported -- functions like name()=() {...} */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') -- name[char_index - 2] = '\0'; -+ /* Don't import function names that are invalid identifiers from the -+ environment, though we still allow them to be defined as shell -+ variables. */ -+ if (legal_identifier (name)) -+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); - - if (temp_var = find_function (name)) - { -@@ -381,10 +379,6 @@ - last_command_exit_value = 1; - report_error (_("error importing function definition for `%s'"), name); - } -- -- /* ( */ -- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') -- name[char_index - 2] = '('; /* ) */ - } - #if defined (ARRAY_VARS) - # if ARRAY_EXPORT -@@ -2197,10 +2191,7 @@ - /* local foo; local foo; is a no-op. */ - old_var = find_variable (name); - if (old_var && local_p (old_var) && old_var->context == variable_context) -- { -- VUNSETATTR (old_var, att_invisible); /* XXX */ -- return (old_var); -- } -+ return (old_var); - - was_tmpvar = old_var && tempvar_p (old_var); - /* If we're making a local variable in a shell function, the temporary env -diff -Nura bash-4.3.orig/y.tab.c bash-4.3/y.tab.c ---- bash-4.3.orig/y.tab.c 2014-09-24 14:45:32.573985743 -0300 -+++ bash-4.3/y.tab.c 2014-09-24 14:45:48.865540362 -0300 -@@ -4736,7 +4736,7 @@ - not already end in an EOF character. */ - if (shell_input_line_terminator != EOF) - { -- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3) -+ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size)) - shell_input_line = (char *)xrealloc (shell_input_line, - 1 + (shell_input_line_size += 2)); - -@@ -4954,7 +4954,7 @@ - int r; - - r = 0; -- while (need_here_doc) -+ while (need_here_doc > 0) - { - parser_state |= PST_HEREDOC; - make_here_document (redir_stack[r++], line_number); -@@ -5710,7 +5710,7 @@ - within a double-quoted ${...} construct "an even number of - unescaped double-quotes or single-quotes, if any, shall occur." */ - /* This was changed in Austin Group Interp 221 */ -- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') -+ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') - continue; - - /* Could also check open == '`' if we want to parse grouping constructs -@@ -8387,6 +8387,7 @@ - - ps->expand_aliases = expand_aliases; - ps->echo_input_at_read = echo_input_at_read; -+ ps->need_here_doc = need_here_doc; - - ps->token = token; - ps->token_buffer_size = token_buffer_size; -@@ -8435,6 +8436,7 @@ - - expand_aliases = ps->expand_aliases; - echo_input_at_read = ps->echo_input_at_read; -+ need_here_doc = ps->need_here_doc; - - FREE (token); - token = ps->token; diff --git a/package/bash/bash-001-patchlevel27.patch b/package/bash/bash-001-patchlevel27.patch new file mode 100644 index 0000000000..69692376aa --- /dev/null +++ b/package/bash/bash-001-patchlevel27.patch @@ -0,0 +1,1072 @@ +Update bash to patchlevel 27. +It's basically a single patch made out from +http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/ (bash43-001 to 027). +Fixes CVE-2014-6271 (level 25): +Under certain circumstances, bash will execute user code while processing the +environment for exported function definitions. +Level 26-27 are refinements/improved fixes on CVE-2014-6271. + +Signed-off-by: Gustavo Zacarias + +diff -Nura bash-4.3/arrayfunc.c bash-4.3.pl27/arrayfunc.c +--- bash-4.3/arrayfunc.c 2013-08-02 17:19:59.000000000 -0300 ++++ bash-4.3.pl27/arrayfunc.c 2014-09-28 08:13:40.311842889 -0300 +@@ -179,6 +179,7 @@ + array_insert (array_cell (entry), ind, newval); + FREE (newval); + ++ VUNSETATTR (entry, att_invisible); /* no longer invisible */ + return (entry); + } + +@@ -597,6 +598,11 @@ + if (assoc_p (var)) + { + val = expand_assignment_string_to_string (val, 0); ++ if (val == 0) ++ { ++ val = (char *)xmalloc (1); ++ val[0] = '\0'; /* like do_assignment_internal */ ++ } + free_val = 1; + } + +diff -Nura bash-4.3/bashline.c bash-4.3.pl27/bashline.c +--- bash-4.3/bashline.c 2014-02-09 21:56:58.000000000 -0300 ++++ bash-4.3.pl27/bashline.c 2014-09-28 08:13:40.312842925 -0300 +@@ -4167,9 +4167,16 @@ + int qc; + + qc = rl_dispatching ? rl_completion_quote_character : 0; +- dfn = bash_dequote_filename ((char *)text, qc); ++ /* If rl_completion_found_quote != 0, rl_completion_matches will call the ++ filename dequoting function, causing the directory name to be dequoted ++ twice. */ ++ if (rl_dispatching && rl_completion_found_quote == 0) ++ dfn = bash_dequote_filename ((char *)text, qc); ++ else ++ dfn = (char *)text; + m1 = rl_completion_matches (dfn, rl_filename_completion_function); +- free (dfn); ++ if (dfn != text) ++ free (dfn); + + if (m1 == 0 || m1[0] == 0) + return m1; +diff -Nura bash-4.3/builtins/common.h bash-4.3.pl27/builtins/common.h +--- bash-4.3/builtins/common.h 2013-07-08 17:54:47.000000000 -0300 ++++ bash-4.3.pl27/builtins/common.h 2014-09-28 08:13:40.313842959 -0300 +@@ -33,6 +33,8 @@ + #define SEVAL_RESETLINE 0x010 + #define SEVAL_PARSEONLY 0x020 + #define SEVAL_NOLONGJMP 0x040 ++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */ ++#define SEVAL_ONECMD 0x100 /* only allow a single command */ + + /* Flags for describe_command, shared between type.def and command.def */ + #define CDESC_ALL 0x001 /* type -a */ +diff -Nura bash-4.3/builtins/evalstring.c bash-4.3.pl27/builtins/evalstring.c +--- bash-4.3/builtins/evalstring.c 2014-02-11 11:42:10.000000000 -0300 ++++ bash-4.3.pl27/builtins/evalstring.c 2014-09-28 08:13:40.313842959 -0300 +@@ -308,6 +308,14 @@ + { + struct fd_bitmap *bitmap; + ++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def) ++ { ++ internal_warning ("%s: ignoring function definition attempt", from_file); ++ should_jump_to_top_level = 0; ++ last_result = last_command_exit_value = EX_BADUSAGE; ++ break; ++ } ++ + bitmap = new_fd_bitmap (FD_BITMAP_SIZE); + begin_unwind_frame ("pe_dispose"); + add_unwind_protect (dispose_fd_bitmap, bitmap); +@@ -368,6 +376,9 @@ + dispose_command (command); + dispose_fd_bitmap (bitmap); + discard_unwind_frame ("pe_dispose"); ++ ++ if (flags & SEVAL_ONECMD) ++ break; + } + } + else +diff -Nura bash-4.3/builtins/read.def bash-4.3.pl27/builtins/read.def +--- bash-4.3/builtins/read.def 2013-09-02 12:54:00.000000000 -0300 ++++ bash-4.3.pl27/builtins/read.def 2014-09-28 08:13:40.313842959 -0300 +@@ -442,7 +442,10 @@ + add_unwind_protect (reset_alarm, (char *)NULL); + #if defined (READLINE) + if (edit) +- add_unwind_protect (reset_attempted_completion_function, (char *)NULL); ++ { ++ add_unwind_protect (reset_attempted_completion_function, (char *)NULL); ++ add_unwind_protect (bashline_reset_event_hook, (char *)NULL); ++ } + #endif + falarm (tmsec, tmusec); + } +@@ -1021,6 +1024,7 @@ + + old_attempted_completion_function = rl_attempted_completion_function; + rl_attempted_completion_function = (rl_completion_func_t *)NULL; ++ bashline_set_event_hook (); + if (itext) + { + old_startup_hook = rl_startup_hook; +@@ -1032,6 +1036,7 @@ + + rl_attempted_completion_function = old_attempted_completion_function; + old_attempted_completion_function = (rl_completion_func_t *)NULL; ++ bashline_reset_event_hook (); + + if (ret == 0) + return ret; +diff -Nura bash-4.3/execute_cmd.c bash-4.3.pl27/execute_cmd.c +--- bash-4.3/execute_cmd.c 2014-01-31 12:54:52.000000000 -0300 ++++ bash-4.3.pl27/execute_cmd.c 2014-09-28 08:13:40.315843026 -0300 +@@ -2409,7 +2409,16 @@ + #endif + lstdin = wait_for (lastpid); + #if defined (JOB_CONTROL) +- exec_result = job_exit_status (lastpipe_jid); ++ /* If wait_for removes the job from the jobs table, use result of last ++ command as pipeline's exit status as usual. The jobs list can get ++ frozen and unfrozen at inconvenient times if there are multiple pipelines ++ running simultaneously. */ ++ if (INVALID_JOB (lastpipe_jid) == 0) ++ exec_result = job_exit_status (lastpipe_jid); ++ else if (pipefail_opt) ++ exec_result = exec_result | lstdin; /* XXX */ ++ /* otherwise we use exec_result */ ++ + #endif + unfreeze_jobs_list (); + } +diff -Nura bash-4.3/externs.h bash-4.3.pl27/externs.h +--- bash-4.3/externs.h 2014-01-02 16:58:20.000000000 -0300 ++++ bash-4.3.pl27/externs.h 2014-09-28 08:13:40.315843026 -0300 +@@ -324,6 +324,7 @@ + extern char *sh_backslash_quote __P((char *, const char *, int)); + extern char *sh_backslash_quote_for_double_quotes __P((char *)); + extern int sh_contains_shell_metas __P((char *)); ++extern int sh_contains_quotes __P((char *)); + + /* declarations for functions defined in lib/sh/spell.c */ + extern int spname __P((char *, char *)); +diff -Nura bash-4.3/jobs.c bash-4.3.pl27/jobs.c +--- bash-4.3/jobs.c 2014-01-10 11:05:34.000000000 -0300 ++++ bash-4.3.pl27/jobs.c 2014-09-28 08:13:40.316843059 -0300 +@@ -3597,6 +3597,7 @@ + unwind_protect_int (jobs_list_frozen); + unwind_protect_pointer (the_pipeline); + unwind_protect_pointer (subst_assign_varlist); ++ unwind_protect_pointer (this_shell_builtin); + + /* We have to add the commands this way because they will be run + in reverse order of adding. We don't want maybe_set_sigchld_trap () +@@ -4374,7 +4375,7 @@ + void + end_job_control () + { +- if (interactive_shell) /* XXX - should it be interactive? */ ++ if (interactive_shell || job_control) /* XXX - should it be just job_control? */ + { + terminate_stopped_jobs (); + +diff -Nura bash-4.3/lib/glob/glob.c bash-4.3.pl27/lib/glob/glob.c +--- bash-4.3/lib/glob/glob.c 2014-01-31 23:43:51.000000000 -0300 ++++ bash-4.3.pl27/lib/glob/glob.c 2014-09-28 08:13:40.317843093 -0300 +@@ -123,6 +123,8 @@ + extern char *glob_patscan __P((char *, char *, int)); + extern wchar_t *glob_patscan_wc __P((wchar_t *, wchar_t *, int)); + ++extern char *glob_dirscan __P((char *, int)); ++ + /* Compile `glob_loop.c' for single-byte characters. */ + #define CHAR unsigned char + #define INT int +@@ -179,42 +181,53 @@ + char *pat, *dname; + int flags; + { +- char *pp, *pe, *t; +- int n, r; ++ char *pp, *pe, *t, *se; ++ int n, r, negate; + ++ negate = *pat == '!'; + pp = pat + 2; +- pe = pp + strlen (pp) - 1; /*(*/ +- if (*pe != ')') ++ se = pp + strlen (pp) - 1; /* end of string */ ++ pe = glob_patscan (pp, se, 0); /* end of extglob pattern (( */ ++ /* we should check for invalid extglob pattern here */ ++ if (pe == 0) + return 0; +- if ((t = strchr (pp, '|')) == 0) /* easy case first */ ++ ++ /* if pe != se we have more of the pattern at the end of the extglob ++ pattern. Check the easy case first ( */ ++ if (pe == se && *pe == ')' && (t = strchr (pp, '|')) == 0) + { + *pe = '\0'; ++#if defined (HANDLE_MULTIBYTE) ++ r = mbskipname (pp, dname, flags); ++#else + r = skipname (pp, dname, flags); /*(*/ ++#endif + *pe = ')'; + return r; + } ++ ++ /* check every subpattern */ + while (t = glob_patscan (pp, pe, '|')) + { + n = t[-1]; + t[-1] = '\0'; ++#if defined (HANDLE_MULTIBYTE) ++ r = mbskipname (pp, dname, flags); ++#else + r = skipname (pp, dname, flags); ++#endif + t[-1] = n; + if (r == 0) /* if any pattern says not skip, we don't skip */ + return r; + pp = t; + } /*(*/ + +- if (pp == pe) /* glob_patscan might find end of pattern */ ++ /* glob_patscan might find end of pattern */ ++ if (pp == se) + return r; + +- *pe = '\0'; +-# if defined (HANDLE_MULTIBYTE) +- r = mbskipname (pp, dname, flags); /*(*/ +-# else +- r = skipname (pp, dname, flags); /*(*/ +-# endif +- *pe = ')'; +- return r; ++ /* but if it doesn't then we didn't match a leading dot */ ++ return 0; + } + #endif + +@@ -277,20 +290,23 @@ + int flags; + { + #if EXTENDED_GLOB +- wchar_t *pp, *pe, *t, n; +- int r; ++ wchar_t *pp, *pe, *t, n, *se; ++ int r, negate; + ++ negate = *pat == L'!'; + pp = pat + 2; +- pe = pp + wcslen (pp) - 1; /*(*/ +- if (*pe != L')') +- return 0; +- if ((t = wcschr (pp, L'|')) == 0) ++ se = pp + wcslen (pp) - 1; /*(*/ ++ pe = glob_patscan_wc (pp, se, 0); ++ ++ if (pe == se && *pe == ')' && (t = wcschr (pp, L'|')) == 0) + { + *pe = L'\0'; + r = wchkname (pp, dname); /*(*/ + *pe = L')'; + return r; + } ++ ++ /* check every subpattern */ + while (t = glob_patscan_wc (pp, pe, '|')) + { + n = t[-1]; +@@ -305,10 +321,8 @@ + if (pp == pe) /* glob_patscan_wc might find end of pattern */ + return r; + +- *pe = L'\0'; +- r = wchkname (pp, dname); /*(*/ +- *pe = L')'; +- return r; ++ /* but if it doesn't then we didn't match a leading dot */ ++ return 0; + #else + return (wchkname (pat, dname)); + #endif +@@ -1006,7 +1020,7 @@ + { + char **result; + unsigned int result_size; +- char *directory_name, *filename, *dname; ++ char *directory_name, *filename, *dname, *fn; + unsigned int directory_len; + int free_dirname; /* flag */ + int dflags; +@@ -1022,6 +1036,18 @@ + + /* Find the filename. */ + filename = strrchr (pathname, '/'); ++#if defined (EXTENDED_GLOB) ++ if (filename && extended_glob) ++ { ++ fn = glob_dirscan (pathname, '/'); ++#if DEBUG_MATCHING ++ if (fn != filename) ++ fprintf (stderr, "glob_filename: glob_dirscan: fn (%s) != filename (%s)\n", fn ? fn : "(null)", filename); ++#endif ++ filename = fn; ++ } ++#endif ++ + if (filename == NULL) + { + filename = pathname; +diff -Nura bash-4.3/lib/glob/gmisc.c bash-4.3.pl27/lib/glob/gmisc.c +--- bash-4.3/lib/glob/gmisc.c 2013-10-28 15:45:25.000000000 -0300 ++++ bash-4.3.pl27/lib/glob/gmisc.c 2014-09-28 08:13:40.317843093 -0300 +@@ -42,6 +42,8 @@ + #define WLPAREN L'(' + #define WRPAREN L')' + ++extern char *glob_patscan __P((char *, char *, int)); ++ + /* Return 1 of the first character of WSTRING could match the first + character of pattern WPAT. Wide character version. */ + int +@@ -210,6 +212,7 @@ + case '+': + case '!': + case '@': ++ case '?': + return (pat[1] == LPAREN); + default: + return 0; +@@ -374,3 +377,34 @@ + + return matlen; + } ++ ++/* Skip characters in PAT and return the final occurrence of DIRSEP. This ++ is only called when extended_glob is set, so we have to skip over extglob ++ patterns x(...) */ ++char * ++glob_dirscan (pat, dirsep) ++ char *pat; ++ int dirsep; ++{ ++ char *p, *d, *pe, *se; ++ ++ d = pe = se = 0; ++ for (p = pat; p && *p; p++) ++ { ++ if (extglob_pattern_p (p)) ++ { ++ if (se == 0) ++ se = p + strlen (p) - 1; ++ pe = glob_patscan (p + 2, se, 0); ++ if (pe == 0) ++ continue; ++ else if (*pe == 0) ++ break; ++ p = pe - 1; /* will do increment above */ ++ continue; ++ } ++ if (*p == dirsep) ++ d = p; ++ } ++ return d; ++} +diff -Nura bash-4.3/lib/readline/display.c bash-4.3.pl27/lib/readline/display.c +--- bash-4.3/lib/readline/display.c 2013-12-27 15:10:56.000000000 -0300 ++++ bash-4.3.pl27/lib/readline/display.c 2014-09-28 08:13:40.318843127 -0300 +@@ -1637,7 +1637,7 @@ + /* If we are changing the number of invisible characters in a line, and + the spot of first difference is before the end of the invisible chars, + lendiff needs to be adjusted. */ +- if (current_line == 0 && !_rl_horizontal_scroll_mode && ++ if (current_line == 0 && /* !_rl_horizontal_scroll_mode && */ + current_invis_chars != visible_wrap_offset) + { + if (MB_CUR_MAX > 1 && rl_byte_oriented == 0) +@@ -1825,8 +1825,13 @@ + else + _rl_last_c_pos += bytes_to_insert; + ++ /* XXX - we only want to do this if we are at the end of the line ++ so we move there with _rl_move_cursor_relative */ + if (_rl_horizontal_scroll_mode && ((oe-old) > (ne-new))) +- goto clear_rest_of_line; ++ { ++ _rl_move_cursor_relative (ne-new, new); ++ goto clear_rest_of_line; ++ } + } + } + /* Otherwise, print over the existing material. */ +@@ -2677,7 +2682,8 @@ + { + if (_rl_echoing_p) + { +- _rl_move_vert (_rl_vis_botlin); ++ if (_rl_vis_botlin > 0) /* minor optimization plus bug fix */ ++ _rl_move_vert (_rl_vis_botlin); + _rl_vis_botlin = 0; + fflush (rl_outstream); + rl_restart_output (1, 0); +diff -Nura bash-4.3/lib/readline/input.c bash-4.3.pl27/lib/readline/input.c +--- bash-4.3/lib/readline/input.c 2014-01-10 17:07:08.000000000 -0300 ++++ bash-4.3.pl27/lib/readline/input.c 2014-09-28 08:13:40.318843127 -0300 +@@ -534,8 +534,16 @@ + return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF); + else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM) + return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF); ++ /* keyboard-generated signals of interest */ + else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT) + RL_CHECK_SIGNALS (); ++ /* non-keyboard-generated signals of interest */ ++ else if (_rl_caught_signal == SIGALRM ++#if defined (SIGVTALRM) ++ || _rl_caught_signal == SIGVTALRM ++#endif ++ ) ++ RL_CHECK_SIGNALS (); + + if (rl_signal_event_hook) + (*rl_signal_event_hook) (); +diff -Nura bash-4.3/lib/readline/misc.c bash-4.3.pl27/lib/readline/misc.c +--- bash-4.3/lib/readline/misc.c 2012-09-01 19:03:11.000000000 -0300 ++++ bash-4.3.pl27/lib/readline/misc.c 2014-09-28 08:13:40.319843161 -0300 +@@ -461,6 +461,7 @@ + saved_undo_list = 0; + /* Set up rl_line_buffer and other variables from history entry */ + rl_replace_from_history (entry, 0); /* entry->line is now current */ ++ entry->data = 0; /* entry->data is now current undo list */ + /* Undo all changes to this history entry */ + while (rl_undo_list) + rl_do_undo (); +@@ -468,7 +469,6 @@ + the timestamp. */ + FREE (entry->line); + entry->line = savestring (rl_line_buffer); +- entry->data = 0; + } + entry = previous_history (); + } +diff -Nura bash-4.3/lib/readline/readline.c bash-4.3.pl27/lib/readline/readline.c +--- bash-4.3/lib/readline/readline.c 2013-10-28 15:58:06.000000000 -0300 ++++ bash-4.3.pl27/lib/readline/readline.c 2014-09-28 08:13:40.319843161 -0300 +@@ -744,7 +744,8 @@ + r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ)); + + RL_CHECK_SIGNALS (); +- if (r == 0) /* success! */ ++ /* We only treat values < 0 specially to simulate recursion. */ ++ if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0)) /* success! or failure! */ + { + _rl_keyseq_chain_dispose (); + RL_UNSETSTATE (RL_STATE_MULTIKEY); +@@ -964,7 +965,7 @@ + #if defined (VI_MODE) + if (rl_editing_mode == vi_mode && _rl_keymap == vi_movement_keymap && + key != ANYOTHERKEY && +- rl_key_sequence_length == 1 && /* XXX */ ++ _rl_dispatching_keymap == vi_movement_keymap && + _rl_vi_textmod_command (key)) + _rl_vi_set_last (key, rl_numeric_arg, rl_arg_sign); + #endif +diff -Nura bash-4.3/lib/sh/shquote.c bash-4.3.pl27/lib/sh/shquote.c +--- bash-4.3/lib/sh/shquote.c 2013-03-31 22:53:32.000000000 -0300 ++++ bash-4.3.pl27/lib/sh/shquote.c 2014-09-28 08:13:40.319843161 -0300 +@@ -311,3 +311,17 @@ + + return (0); + } ++ ++int ++sh_contains_quotes (string) ++ char *string; ++{ ++ char *s; ++ ++ for (s = string; s && *s; s++) ++ { ++ if (*s == '\'' || *s == '"' || *s == '\\') ++ return 1; ++ } ++ return 0; ++} +diff -Nura bash-4.3/parse.y bash-4.3.pl27/parse.y +--- bash-4.3/parse.y 2014-02-11 11:42:10.000000000 -0300 ++++ bash-4.3.pl27/parse.y 2014-09-28 08:14:06.094720199 -0300 +@@ -2424,7 +2424,7 @@ + not already end in an EOF character. */ + if (shell_input_line_terminator != EOF) + { +- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3) ++ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size)) + shell_input_line = (char *)xrealloc (shell_input_line, + 1 + (shell_input_line_size += 2)); + +@@ -2642,7 +2642,7 @@ + int r; + + r = 0; +- while (need_here_doc) ++ while (need_here_doc > 0) + { + parser_state |= PST_HEREDOC; + make_here_document (redir_stack[r++], line_number); +@@ -2953,6 +2953,8 @@ + FREE (word_desc_to_read); + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + current_token = '\n'; /* XXX */ + last_read_token = '\n'; + token_to_read = '\n'; +@@ -3398,7 +3400,7 @@ + within a double-quoted ${...} construct "an even number of + unescaped double-quotes or single-quotes, if any, shall occur." */ + /* This was changed in Austin Group Interp 221 */ +- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') ++ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') + continue; + + /* Could also check open == '`' if we want to parse grouping constructs +@@ -6075,6 +6077,7 @@ + + ps->expand_aliases = expand_aliases; + ps->echo_input_at_read = echo_input_at_read; ++ ps->need_here_doc = need_here_doc; + + ps->token = token; + ps->token_buffer_size = token_buffer_size; +@@ -6123,6 +6126,7 @@ + + expand_aliases = ps->expand_aliases; + echo_input_at_read = ps->echo_input_at_read; ++ need_here_doc = ps->need_here_doc; + + FREE (token); + token = ps->token; +diff -Nura bash-4.3/patchlevel.h bash-4.3.pl27/patchlevel.h +--- bash-4.3/patchlevel.h 2012-12-29 12:47:57.000000000 -0300 ++++ bash-4.3.pl27/patchlevel.h 2014-09-28 08:14:07.486767564 -0300 +@@ -25,6 +25,6 @@ + regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh + looks for to find the patch level (for the sccs version string). */ + +-#define PATCHLEVEL 0 ++#define PATCHLEVEL 27 + + #endif /* _PATCHLEVEL_H_ */ +diff -Nura bash-4.3/pcomplete.c bash-4.3.pl27/pcomplete.c +--- bash-4.3/pcomplete.c 2013-08-26 16:23:45.000000000 -0300 ++++ bash-4.3.pl27/pcomplete.c 2014-09-28 08:13:40.321843229 -0300 +@@ -183,6 +183,7 @@ + + COMPSPEC *pcomp_curcs; + const char *pcomp_curcmd; ++const char *pcomp_curtxt; + + #ifdef DEBUG + /* Debugging code */ +@@ -753,6 +754,32 @@ + quoted strings. */ + dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); + } ++ /* Intended to solve a mismatched assumption by bash-completion. If ++ the text to be completed is empty, but bash-completion turns it into ++ a quoted string ('') assuming that this code will dequote it before ++ calling readline, do the dequoting. */ ++ else if (iscompgen && iscompleting && ++ pcomp_curtxt && *pcomp_curtxt == 0 && ++ text && (*text == '\'' || *text == '"') && text[1] == text[0] && text[2] == 0 && ++ rl_filename_dequoting_function) ++ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); ++ /* Another mismatched assumption by bash-completion. If compgen is being ++ run as part of bash-completion, and the argument to compgen is not ++ the same as the word originally passed to the programmable completion ++ code, dequote the argument if it has quote characters. It's an ++ attempt to detect when bash-completion is quoting its filename ++ argument before calling compgen. */ ++ /* We could check whether gen_shell_function_matches is in the call ++ stack by checking whether the gen-shell-function-matches tag is in ++ the unwind-protect stack, but there's no function to do that yet. ++ We could simply check whether we're executing in a function by ++ checking variable_context, and may end up doing that. */ ++ else if (iscompgen && iscompleting && rl_filename_dequoting_function && ++ pcomp_curtxt && text && ++ STREQ (pcomp_curtxt, text) == 0 && ++ variable_context && ++ sh_contains_quotes (text)) /* guess */ ++ dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character); + else + dfn = savestring (text); + } +@@ -1522,7 +1549,7 @@ + COMPSPEC **lastcs; + { + COMPSPEC *cs, *oldcs; +- const char *oldcmd; ++ const char *oldcmd, *oldtxt; + STRINGLIST *ret; + + cs = progcomp_search (ocmd); +@@ -1545,14 +1572,17 @@ + + oldcs = pcomp_curcs; + oldcmd = pcomp_curcmd; ++ oldtxt = pcomp_curtxt; + + pcomp_curcs = cs; + pcomp_curcmd = cmd; ++ pcomp_curtxt = word; + + ret = gen_compspec_completions (cs, cmd, word, start, end, foundp); + + pcomp_curcs = oldcs; + pcomp_curcmd = oldcmd; ++ pcomp_curtxt = oldtxt; + + /* We need to conditionally handle setting *retryp here */ + if (retryp) +diff -Nura bash-4.3/shell.h bash-4.3.pl27/shell.h +--- bash-4.3/shell.h 2012-12-25 23:11:01.000000000 -0300 ++++ bash-4.3.pl27/shell.h 2014-09-28 08:13:40.321843229 -0300 +@@ -168,7 +168,8 @@ + /* flags state affecting the parser */ + int expand_aliases; + int echo_input_at_read; +- ++ int need_here_doc; ++ + } sh_parser_state_t; + + typedef struct _sh_input_line_state_t { +diff -Nura bash-4.3/subst.c bash-4.3.pl27/subst.c +--- bash-4.3/subst.c 2014-01-23 18:26:37.000000000 -0300 ++++ bash-4.3.pl27/subst.c 2014-09-28 08:13:40.322843263 -0300 +@@ -1192,12 +1192,18 @@ + Start extracting at (SINDEX) as if we had just seen "<(". + Make (SINDEX) get the position of the matching ")". */ /*))*/ + char * +-extract_process_subst (string, starter, sindex) ++extract_process_subst (string, starter, sindex, xflags) + char *string; + char *starter; + int *sindex; ++ int xflags; + { ++#if 0 + return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND)); ++#else ++ xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0); ++ return (xparse_dolparen (string, string+*sindex, sindex, xflags)); ++#endif + } + #endif /* PROCESS_SUBSTITUTION */ + +@@ -1785,7 +1791,7 @@ + si = i + 2; + if (string[si] == '\0') + CQ_RETURN(si); +- temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si); ++ temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0); + free (temp); /* no SX_ALLOC here */ + i = si; + if (string[i] == '\0') +@@ -3248,8 +3254,10 @@ + if (w->word == 0 || w->word[0] == '\0') + return ((char *)NULL); + ++ expand_no_split_dollar_star = 1; + w->flags |= W_NOSPLIT2; + l = call_expand_word_internal (w, 0, 0, (int *)0, (int *)0); ++ expand_no_split_dollar_star = 0; + if (l) + { + if (special == 0) /* LHS */ +@@ -7366,7 +7374,13 @@ + } + + if (want_indir) +- tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); ++ { ++ tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at); ++ /* Turn off the W_ARRAYIND flag because there is no way for this function ++ to return the index we're supposed to be using. */ ++ if (tdesc && tdesc->flags) ++ tdesc->flags &= ~W_ARRAYIND; ++ } + else + tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind); + +@@ -7847,6 +7861,10 @@ + We also want to make sure that splitting is done no matter what -- + according to POSIX.2, this expands to a list of the positional + parameters no matter what IFS is set to. */ ++ /* XXX - what to do when in a context where word splitting is not ++ performed? Even when IFS is not the default, posix seems to imply ++ that we behave like unquoted $* ? Maybe we should use PF_NOSPLIT2 ++ here. */ + temp = string_list_dollar_at (list, (pflags & PF_ASSIGNRHS) ? (quoted|Q_DOUBLE_QUOTES) : quoted); + + tflag |= W_DOLLARAT; +@@ -8029,7 +8047,9 @@ + + goto return0; + } +- else if (var = find_variable_last_nameref (temp1)) ++ else if (var && (invisible_p (var) || var_isset (var) == 0)) ++ temp = (char *)NULL; ++ else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0) + { + temp = nameref_cell (var); + #if defined (ARRAY_VARS) +@@ -8243,7 +8263,7 @@ + else + t_index = sindex + 1; /* skip past both '<' and LPAREN */ + +- temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/ ++ temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/ + sindex = t_index; + + /* If the process substitution specification is `<()', we want to +@@ -8816,6 +8836,7 @@ + else + { + char *ifs_chars; ++ char *tstring; + + ifs_chars = (quoted_dollar_at || has_dollar_at) ? ifs_value : (char *)NULL; + +@@ -8830,11 +8851,36 @@ + regardless of what else has happened to IFS since the expansion. */ + if (split_on_spaces) + list = list_string (istring, " ", 1); /* XXX quoted == 1? */ ++ /* If we have $@ (has_dollar_at != 0) and we are in a context where we ++ don't want to split the result (W_NOSPLIT2), and we are not quoted, ++ we have already separated the arguments with the first character of ++ $IFS. In this case, we want to return a list with a single word ++ with the separator possibly replaced with a space (it's what other ++ shells seem to do). ++ quoted_dollar_at is internal to this function and is set if we are ++ passed an argument that is unquoted (quoted == 0) but we encounter a ++ double-quoted $@ while expanding it. */ ++ else if (has_dollar_at && quoted_dollar_at == 0 && ifs_chars && quoted == 0 && (word->flags & W_NOSPLIT2)) ++ { ++ /* Only split and rejoin if we have to */ ++ if (*ifs_chars && *ifs_chars != ' ') ++ { ++ list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1); ++ tstring = string_list (list); ++ } ++ else ++ tstring = istring; ++ tword = make_bare_word (tstring); ++ if (tstring != istring) ++ free (tstring); ++ goto set_word_flags; ++ } + else if (has_dollar_at && ifs_chars) + list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1); + else + { + tword = make_bare_word (istring); ++set_word_flags: + if ((quoted & (Q_DOUBLE_QUOTES|Q_HERE_DOCUMENT)) || (quoted_state == WHOLLY_QUOTED)) + tword->flags |= W_QUOTED; + if (word->flags & W_ASSIGNMENT) +diff -Nura bash-4.3/subst.h bash-4.3.pl27/subst.h +--- bash-4.3/subst.h 2014-01-11 23:02:27.000000000 -0300 ++++ bash-4.3.pl27/subst.h 2014-09-28 08:13:40.322843263 -0300 +@@ -82,7 +82,7 @@ + /* Extract the <( or >( construct in STRING, and return a new string. + Start extracting at (SINDEX) as if we had just seen "<(". + Make (SINDEX) get the position just after the matching ")". */ +-extern char *extract_process_subst __P((char *, char *, int *)); ++extern char *extract_process_subst __P((char *, char *, int *, int)); + #endif /* PROCESS_SUBSTITUTION */ + + /* Extract the name of the variable to bind to from the assignment string. */ +diff -Nura bash-4.3/test.c bash-4.3.pl27/test.c +--- bash-4.3/test.c 2014-02-04 18:52:58.000000000 -0300 ++++ bash-4.3.pl27/test.c 2014-09-28 08:13:40.323843297 -0300 +@@ -646,8 +646,8 @@ + return (v && invisible_p (v) == 0 && var_isset (v) ? TRUE : FALSE); + + case 'R': +- v = find_variable (arg); +- return (v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v) ? TRUE : FALSE); ++ v = find_variable_noref (arg); ++ return ((v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v)) ? TRUE : FALSE); + } + + /* We can't actually get here, but this shuts up gcc. */ +@@ -723,6 +723,7 @@ + case 'o': case 'p': case 'r': case 's': case 't': + case 'u': case 'v': case 'w': case 'x': case 'z': + case 'G': case 'L': case 'O': case 'S': case 'N': ++ case 'R': + return (1); + } + +diff -Nura bash-4.3/trap.c bash-4.3.pl27/trap.c +--- bash-4.3/trap.c 2014-02-05 12:03:21.000000000 -0300 ++++ bash-4.3.pl27/trap.c 2014-09-28 08:13:40.323843297 -0300 +@@ -920,7 +920,8 @@ + subst_assign_varlist = 0; + + #if defined (JOB_CONTROL) +- save_pipeline (1); /* XXX only provides one save level */ ++ if (sig != DEBUG_TRAP) /* run_debug_trap does this */ ++ save_pipeline (1); /* XXX only provides one save level */ + #endif + + /* If we're in a function, make sure return longjmps come here, too. */ +@@ -940,7 +941,8 @@ + trap_exit_value = last_command_exit_value; + + #if defined (JOB_CONTROL) +- restore_pipeline (1); ++ if (sig != DEBUG_TRAP) /* run_debug_trap does this */ ++ restore_pipeline (1); + #endif + + subst_assign_varlist = save_subst_varlist; +diff -Nura bash-4.3/variables.c bash-4.3.pl27/variables.c +--- bash-4.3/variables.c 2014-02-14 13:55:12.000000000 -0300 ++++ bash-4.3.pl27/variables.c 2014-09-28 08:14:07.486767564 -0300 +@@ -83,6 +83,11 @@ + + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0') + ++#define BASHFUNC_PREFIX "BASH_FUNC_" ++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */ ++#define BASHFUNC_SUFFIX "%%" ++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */ ++ + extern char **environ; + + /* Variables used here and defined in other files. */ +@@ -279,7 +284,7 @@ + static void propagate_temp_var __P((PTR_T)); + static void dispose_temporary_env __P((sh_free_func_t *)); + +-static inline char *mk_env_string __P((const char *, const char *)); ++static inline char *mk_env_string __P((const char *, const char *, int)); + static char **make_env_array_from_var_list __P((SHELL_VAR **)); + static char **make_var_export_array __P((VAR_CONTEXT *)); + static char **make_func_export_array __P((void)); +@@ -349,24 +354,33 @@ + + /* If exported function, define it now. Don't import functions from + the environment in privileged mode. */ +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) ++ if (privmode == 0 && read_but_dont_execute == 0 && ++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) && ++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) && ++ STREQN ("() {", string, 4)) + { +- string_length = strlen (string); +- temp_string = (char *)xmalloc (3 + string_length + char_index); ++ size_t namelen; ++ char *tname; /* desired imported function name */ + +- strcpy (temp_string, name); +- temp_string[char_index] = ' '; +- strcpy (temp_string + char_index + 1, string); ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN; + +- if (posixly_correct == 0 || legal_identifier (name)) +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */ ++ tname[namelen] = '\0'; /* now tname == func name */ ++ ++ string_length = strlen (string); ++ temp_string = (char *)xmalloc (namelen + string_length + 2); + +- /* Ancient backwards compatibility. Old versions of bash exported +- functions like name()=() {...} */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +- name[char_index - 2] = '\0'; ++ memcpy (temp_string, tname, namelen); ++ temp_string[namelen] = ' '; ++ memcpy (temp_string + namelen + 1, string, string_length + 1); ++ ++ /* Don't import function names that are invalid identifiers from the ++ environment, though we still allow them to be defined as shell ++ variables. */ ++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))) ++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD); + +- if (temp_var = find_function (name)) ++ if (temp_var = find_function (tname)) + { + VSETATTR (temp_var, (att_exported|att_imported)); + array_needs_making = 1; +@@ -379,12 +393,11 @@ + array_needs_making = 1; + } + last_command_exit_value = 1; +- report_error (_("error importing function definition for `%s'"), name); ++ report_error (_("error importing function definition for `%s'"), tname); + } + +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ ++ /* Restore original suffix */ ++ tname[namelen] = BASHFUNC_SUFFIX[0]; + } + #if defined (ARRAY_VARS) + # if ARRAY_EXPORT +@@ -2197,10 +2210,7 @@ + /* local foo; local foo; is a no-op. */ + old_var = find_variable (name); + if (old_var && local_p (old_var) && old_var->context == variable_context) +- { +- VUNSETATTR (old_var, att_invisible); /* XXX */ +- return (old_var); +- } ++ return (old_var); + + was_tmpvar = old_var && tempvar_p (old_var); + /* If we're making a local variable in a shell function, the temporary env +@@ -2963,7 +2973,7 @@ + var->context = variable_context; /* XXX */ + + INVALIDATE_EXPORTSTR (var); +- var->exportstr = mk_env_string (name, value); ++ var->exportstr = mk_env_string (name, value, 0); + + array_needs_making = 1; + +@@ -3861,21 +3871,42 @@ + /* **************************************************************** */ + + static inline char * +-mk_env_string (name, value) ++mk_env_string (name, value, isfunc) + const char *name, *value; ++ int isfunc; + { +- int name_len, value_len; +- char *p; ++ size_t name_len, value_len; ++ char *p, *q; + + name_len = strlen (name); + value_len = STRLEN (value); +- p = (char *)xmalloc (2 + name_len + value_len); +- strcpy (p, name); +- p[name_len] = '='; ++ ++ /* If we are exporting a shell function, construct the encoded function ++ name. */ ++ if (isfunc && value) ++ { ++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2); ++ q = p; ++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN); ++ q += BASHFUNC_PREFLEN; ++ memcpy (q, name, name_len); ++ q += name_len; ++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN); ++ q += BASHFUNC_SUFFLEN; ++ } ++ else ++ { ++ p = (char *)xmalloc (2 + name_len + value_len); ++ memcpy (p, name, name_len); ++ q = p + name_len; ++ } ++ ++ q[0] = '='; + if (value && *value) +- strcpy (p + name_len + 1, value); ++ memcpy (q + 1, value, value_len + 1); + else +- p[name_len + 1] = '\0'; ++ q[1] = '\0'; ++ + return (p); + } + +@@ -3961,7 +3992,7 @@ + /* Gee, I'd like to get away with not using savestring() if we're + using the cached exportstr... */ + list[list_index] = USE_EXPORTSTR ? savestring (value) +- : mk_env_string (var->name, value); ++ : mk_env_string (var->name, value, function_p (var)); + + if (USE_EXPORTSTR == 0) + SAVE_EXPORTSTR (var, list[list_index]); +diff -Nura bash-4.3/y.tab.c bash-4.3.pl27/y.tab.c +--- bash-4.3/y.tab.c 2014-02-11 12:57:47.000000000 -0300 ++++ bash-4.3.pl27/y.tab.c 2014-09-28 08:14:06.096720267 -0300 +@@ -4736,7 +4736,7 @@ + not already end in an EOF character. */ + if (shell_input_line_terminator != EOF) + { +- if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3) ++ if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size)) + shell_input_line = (char *)xrealloc (shell_input_line, + 1 + (shell_input_line_size += 2)); + +@@ -4954,7 +4954,7 @@ + int r; + + r = 0; +- while (need_here_doc) ++ while (need_here_doc > 0) + { + parser_state |= PST_HEREDOC; + make_here_document (redir_stack[r++], line_number); +@@ -5265,6 +5265,8 @@ + FREE (word_desc_to_read); + word_desc_to_read = (WORD_DESC *)NULL; + ++ eol_ungetc_lookahead = 0; ++ + current_token = '\n'; /* XXX */ + last_read_token = '\n'; + token_to_read = '\n'; +@@ -5710,7 +5712,7 @@ + within a double-quoted ${...} construct "an even number of + unescaped double-quotes or single-quotes, if any, shall occur." */ + /* This was changed in Austin Group Interp 221 */ +- if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') ++ if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'') + continue; + + /* Could also check open == '`' if we want to parse grouping constructs +@@ -8387,6 +8389,7 @@ + + ps->expand_aliases = expand_aliases; + ps->echo_input_at_read = echo_input_at_read; ++ ps->need_here_doc = need_here_doc; + + ps->token = token; + ps->token_buffer_size = token_buffer_size; +@@ -8435,6 +8438,7 @@ + + expand_aliases = ps->expand_aliases; + echo_input_at_read = ps->echo_input_at_read; ++ need_here_doc = ps->need_here_doc; + + FREE (token); + token = ps->token; +@@ -8537,4 +8541,3 @@ + } + } + #endif /* HANDLE_MULTIBYTE */ +-