# HG changeset patch
# User Pascal Bellard
# Date 1412772775 -7200
# Node ID 121d29ca7ca8432e8550c4d35b6c9affc195bfbd
# Parent 81115f71b92ffaaa3c76bd82d19f4cbd76f22e2c
bash: apply *all* security fixes
diff -r 81115f71b92f -r 121d29ca7ca8 bash/receipt
--- a/bash/receipt Wed Oct 08 02:52:08 2014 +0300
+++ b/bash/receipt Wed Oct 08 14:52:55 2014 +0200
@@ -9,18 +9,30 @@
 TARBALL="$PACKAGE-$VERSION.tar.gz"
 WEB_SITE="http://www.gnu.org/software/bash/"
 WGET_URL="$GNU_MIRROR/$PACKAGE/$TARBALL"
+BASHCHECKURL="https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck"
+BASHCHECK="$(basename $BASHCHECKURL)"
+BASHPATCHES="$(for i in $(seq 1 53); do printf "bash${VERSION/./}-%03d " $i; done)"
+EXTRA_SOURCE_FILES="$BASHCHECK $BASHPATCHES"
 
 DEPENDS="readline"
-BUILD_DEPENDS="readline bison"
+BUILD_DEPENDS="readline bison wget texinfo"
+
+patch_bash()
+{
+ for i in $BASHPATCHES ; do
+ [ -s "$SOURCES_REPOSITORY/$i" ] ||
+ wget -O "$SOURCES_REPOSITORY/$i" \
+ http://ftp.gnu.org/gnu/bash/bash-$VERSION-patches/$i
+ echo "Apply $i ..."
+ patch -p0 < $SOURCES_REPOSITORY/$i
+ done
+}
 
 # Rules to compile & install the temporary toolchain.
 cook_tmp_toolchain()
 {
 cd $src
- # CVE-2014-6271
- patch -p0 < $stuff/funcdef-import-4.2.patch
- # CVE-2014-7169
- patch -p0 < $stuff/CVE-2014-7169.patch
+ patch_bash
 ./configure --without-bash-malloc && make && make install
 }
 
@@ -30,8 +42,7 @@
 {
 # Patch and then build.
 cd $src
- # CVE-2014-6271
- patch -p0 < $stuff/funcdef-import-4.2.patch
+ patch_bash
 # Skip tests that can not run while cross-compiling.
 cat > config.cache << "EOF"
 ac_cv_func_mmap_fixed_mapped=yes
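Review bot: `patch_bash` fetches every patch over plain `http://` and feeds it to `patch` with no integrity check, and neither the `wget` nor the `patch` exit status is tested, so a tampered, truncated or failed download is applied or skipped silently while the loop carries on. The `[ -s ... ]` guard also accepts a partial file left behind by an interrupted earlier `wget -O`, which then becomes a permanent cache entry. Each step should be fatal and the file verified before use, either against a digest pinned in the receipt or against the detached signature upstream appears to publish beside each patch, if the build host can hold the key. Both callers, `cook_tmp_toolchain` here and the `patch_bash` line in the next hunk, ignore the return value and should read `patch_bash || return 1`. The fixed `seq 1 53` also means patches released later are not picked up, which the commit title does not make obvious.

```shell
patch_bash()
{
	for i in $BASHPATCHES ; do
		if [ ! -s "$SOURCES_REPOSITORY/$i" ]; then
			# Download to a temporary name so an interrupted transfer
			# never satisfies the -s test on the next run.
			wget -O "$SOURCES_REPOSITORY/$i.part" \
				"http://ftp.gnu.org/gnu/bash/bash-$VERSION-patches/$i" &&
			mv "$SOURCES_REPOSITORY/$i.part" "$SOURCES_REPOSITORY/$i" ||
			return 1
		fi
		# Integrity check belongs here: compare with a digest pinned in
		# the receipt, or verify the upstream signature, before applying.
		echo "Apply $i ..."
		patch -p0 < "$SOURCES_REPOSITORY/$i" || return 1
	done
}
```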
@@ -58,6 +69,10 @@
 make &&
 # Bash doesn't care about DESTDIR in environnment variable.
 make DESTDIR=$DESTDIR install
+ [ -s "$SOURCES_REPOSITORY/$BASHCHECK" ] ||
+ wget --no-check-certificate -O "$SOURCES_REPOSITORY/$BASHCHECK" $BASHCHECKURL
+ $DESTDIR/bin/bash $SOURCES_REPOSITORY/$BASHCHECK | tee bashcheck.log
+ grep Vulnerable bashcheck.log && echo "ERROR: Vulnerable"
 }
 
 # Rules to gen a SliTaz package suitable for Tazpkg.
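Review bot: The added `wget --no-check-certificate` line downloads a script from the mutable `master` branch with TLS verification switched off, and the following line executes it under the freshly built bash, so whatever that response contains runs inside the build with the builder's privileges. Drop `--no-check-certificate` and pin `BASHCHECKURL` to a fixed commit with a digest checked before execution, or ship the script in `$stuff` alongside the receipt. The last added line is also inverted as a gate: `grep Vulnerable bashcheck.log && echo ...` returns 0 when a vulnerability is reported and 1 on a clean run, and as the final command before `}` it sets the function's exit status. `if grep -q Vulnerable bashcheck.log; then echo "ERROR: Vulnerable"; return 1; fi` fails the build only when it should. The enclosing function starts outside this hunk, so how its status is consumed by the cook tool should be confirmed.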