bash: security bump to version 4.2 pl37

			     BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-021

Bug-Reported-by:	Dan Douglas <ormaaj@gmail.com>

Bug-Reference-ID:	<4585554.nZWb4q7YoZ@smorgbox>

Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2011-12/msg00084.html

Bug-Description:

Using `read -N' to assign values to an array can result in NUL values being

assigned to some array elements.  These values cause seg faults when referenced

later.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/builtins/read.def	2011-11-21 18:03:38.000000000 -0500

--- ./builtins/read.def	2011-12-19 19:52:12.000000000 -0500

***************

*** 738,742 ****

  	    }

  	  else

! 	    var = bind_read_variable (varname, t);

  	}

        else

--- 775,779 ----

  	    }

  	  else

! 	    var = bind_read_variable (varname, t ? t : "");

  	}

        else

***************

*** 799,803 ****

      }

    else

!     var = bind_read_variable (list->word->word, input_string);

    if (var)

--- 836,840 ----

      }

    else

!     var = bind_read_variable (list->word->word, input_string ? input_string : "");

    if (var)

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- ./patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 20

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 21

  #endif /* _PATCHLEVEL_H_ */

			     BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-022

Bug-Reported-by:	Gregory Margo <gmargo@pacbell.net>

Bug-Reference-ID:	<20110727174529.GA3333@pacbell.net>

Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2011-07/msg00102.html

Bug-Description:

The return value from lseek is `off_t'.  This can cause corrupted return

values when the file offset is greater than 2**31 - 1.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/lib/sh/zread.c	Mon Mar  2 08:54:45 2009

--- ./lib/sh/zread.c	Thu Jul 28 18:16:53 2011

***************

*** 161,166 ****

       int fd;

  {

!   off_t off;

!   int r;

    off = lused - lind;

--- 161,165 ----

       int fd;

  {

!   off_t off, r;

    off = lused - lind;

***************

*** 169,173 ****

      r = lseek (fd, -off, SEEK_CUR);

!   if (r >= 0)

      lused = lind = 0;

  }

--- 168,172 ----

      r = lseek (fd, -off, SEEK_CUR);

!   if (r != -1)

      lused = lind = 0;

  }

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- ./patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 21

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 22

  #endif /* _PATCHLEVEL_H_ */

			     BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-023

Bug-Reported-by:	Ewan Mellor <Ewan.Mellor@eu.citrix.com>

Bug-Reference-ID:	<6005BE083BF501439A84DC3523BAC82DC4B964FD12@LONPMAILBOX01.citrite.net>

Bug-Reference-URL:	

Bug-Description:

Under some circumstances, an exit trap triggered by a bad substitution

error when errexit is enabled will cause the shell to exit with an

incorrect exit status (0).

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/subst.c	2011-11-21 12:04:38.000000000 -0500

--- ./subst.c	2012-02-08 13:36:28.000000000 -0500

***************

*** 7275,7278 ****

--- 7281,7285 ----

      case '\0':

      bad_substitution:

+       last_command_exit_value = EXECUTION_FAILURE;

        report_error (_("%s: bad substitution"), string ? string : "??");

        FREE (value);

*** ../bash-4.2-patched/error.c	2009-08-21 22:31:31.000000000 -0400

--- ./error.c	2012-02-25 15:54:40.000000000 -0500

***************

*** 201,205 ****

    va_end (args);

    if (exit_immediately_on_error)

!     exit_shell (1);

  }

--- 201,209 ----

    va_end (args);

    if (exit_immediately_on_error)

!     {

!       if (last_command_exit_value == 0)

! 	last_command_exit_value = 1;

!       exit_shell (last_command_exit_value);

!     }

  }

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- ./patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 22

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 23

  #endif /* _PATCHLEVEL_H_ */

			     BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-024

Bug-Reported-by:	Jim Avera <james_avera@yahoo.com>

Bug-Reference-ID:	<4F29E07A.80405@yahoo.com>

Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2012-02/msg00001.html

Bug-Description:

When `printf -v' is used to set an array element, the format string contains

`%b', and the corresponding argument is the empty string, the buffer used

to store the value to be assigned can be NULL, which results in NUL being

assigned to the array element.  This causes a seg fault when it's used later.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/builtins/printf.def	2011-02-25 12:07:41.000000000 -0500

--- ./builtins/printf.def	2012-02-02 08:37:12.000000000 -0500

***************

*** 256,259 ****

--- 257,262 ----

  	    {

  	      vflag = 1;

+ 	      if (vbsize == 0)

+ 		vbuf = xmalloc (vbsize = 16);

  	      vblen = 0;

  	      if (vbuf)

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- ./patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 23

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 24

  #endif /* _PATCHLEVEL_H_ */

			     BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-025

Bug-Reported-by:	Bill Gradwohl <bill@ycc.com>

Bug-Reference-ID:	<CAFyvKis-UfuOWr5THBRKh=vYHDoKEEgdW8hN1RviTuYQ00Lu5A@mail.gmail.com>

Bug-Reference-URL:	http://lists.gnu.org/archive/html/help-bash/2012-03/msg00078.html

Bug-Description:

When used in a shell function, `declare -g -a array=(compound assignment)'

creates a local variable instead of a global one.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/command.h	2010-08-02 19:36:51.000000000 -0400

--- ./command.h	2012-04-01 12:38:35.000000000 -0400

***************

*** 98,101 ****

--- 98,102 ----

  #define W_ASSIGNASSOC	0x400000	/* word looks like associative array assignment */

  #define W_ARRAYIND	0x800000	/* word is an array index being expanded */

+ #define W_ASSNGLOBAL	0x1000000	/* word is a global assignment to declare (declare/typeset -g) */

  /* Possible values for subshell_environment */

*** ../bash-4.2-patched/execute_cmd.c	2011-11-21 18:03:41.000000000 -0500

--- ./execute_cmd.c	2012-04-01 12:42:03.000000000 -0400

***************

*** 3581,3585 ****

    WORD_LIST *w;

    struct builtin *b;

!   int assoc;

    if (words == 0)

--- 3581,3585 ----

    WORD_LIST *w;

    struct builtin *b;

!   int assoc, global;

    if (words == 0)

***************

*** 3587,3591 ****

    b = 0;

!   assoc = 0;

    for (w = words; w; w = w->next)

--- 3587,3591 ----

    b = 0;

!   assoc = global = 0;

    for (w = words; w; w = w->next)

***************

*** 3604,3607 ****

--- 3604,3609 ----

  	if (assoc)

  	  w->word->flags |= W_ASSIGNASSOC;

+ 	if (global)

+ 	  w->word->flags |= W_ASSNGLOBAL;

  #endif

        }

***************

*** 3609,3613 ****

      /* Note that we saw an associative array option to a builtin that takes

         assignment statements.  This is a bit of a kludge. */

!     else if (w->word->word[0] == '-' && strchr (w->word->word, 'A'))

        {

  	if (b == 0)

--- 3611,3618 ----

      /* Note that we saw an associative array option to a builtin that takes

         assignment statements.  This is a bit of a kludge. */

!     else if (w->word->word[0] == '-' && (strchr (w->word->word+1, 'A') || strchr (w->word->word+1, 'g')))

! #else

!     else if (w->word->word[0] == '-' && strchr (w->word->word+1, 'g'))

! #endif

        {

  	if (b == 0)

***************

*** 3619,3626 ****

  	      words->word->flags |= W_ASSNBLTIN;

  	  }

! 	if (words->word->flags & W_ASSNBLTIN)

  	  assoc = 1;

        }

- #endif

  }

--- 3624,3632 ----

  	      words->word->flags |= W_ASSNBLTIN;

  	  }

! 	if ((words->word->flags & W_ASSNBLTIN) && strchr (w->word->word+1, 'A'))

  	  assoc = 1;

+ 	if ((words->word->flags & W_ASSNBLTIN) && strchr (w->word->word+1, 'g'))

+ 	  global = 1;

        }

  }

*** ../bash-4.2-patched/subst.c	2012-03-11 17:35:13.000000000 -0400

--- ./subst.c	2012-04-01 12:38:35.000000000 -0400

***************

*** 367,370 ****

--- 367,375 ----

        fprintf (stderr, "W_ASSNBLTIN%s", f ? "|" : "");

      }

+   if (f & W_ASSNGLOBAL)

+     {

+       f &= ~W_ASSNGLOBAL;

+       fprintf (stderr, "W_ASSNGLOBAL%s", f ? "|" : "");

+     }

    if (f & W_COMPASSIGN)

      {

***************

*** 2804,2808 ****

    else if (assign_list)

      {

!       if (word->flags & W_ASSIGNARG)

  	aflags |= ASS_MKLOCAL;

        if (word->flags & W_ASSIGNASSOC)

--- 2809,2813 ----

    else if (assign_list)

      {

!       if ((word->flags & W_ASSIGNARG) && (word->flags & W_ASSNGLOBAL) == 0)

  	aflags |= ASS_MKLOCAL;

        if (word->flags & W_ASSIGNASSOC)

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- ./patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 24

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 25

  #endif /* _PATCHLEVEL_H_ */