# HG changeset patch
# User Pascal Bellard
# Date 1412772811 -7200
# Node ID 4d0702aaa4ad485b2d5e115d16fa91774fab09e2
# Parent 4acc6a6b8f4fddd3fa4a3bfe181667bdef2d6424
bash: apply *all* security fixes
diff -r 4acc6a6b8f4f -r 4d0702aaa4ad bash/receipt
--- a/bash/receipt Thu Oct 02 18:53:53 2014 +0200
+++ b/bash/receipt Wed Oct 08 14:53:31 2014 +0200
@@ -8,18 +8,30 @@
 TARBALL="$PACKAGE-$VERSION.tar.gz"
 WEB_SITE="http://www.gnu.org/software/bash/"
 WGET_URL="$GNU_MIRROR/$PACKAGE/$TARBALL"
+BASHCHECKURL="https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck"
+BASHCHECK="$(basename $BASHCHECKURL)"
+BASHPATCHES="$(for i in $(seq 1 53); do printf "bash${VERSION/./}-%03d " $i; done)"
+EXTRA_SOURCE_FILES="$BASHCHECK $BASHPATCHES"
 DEPENDS="readline"
-BUILD_DEPENDS="readline bison"
+BUILD_DEPENDS="readline bison wget texinfo"
+
+patch_bash()
+{
+ for i in $BASHPATCHES ; do
+ [ -s "$SOURCES_REPOSITORY/$i" ] ||
+ wget -O "$SOURCES_REPOSITORY/$i" \
+ http://ftp.gnu.org/gnu/bash/bash-$VERSION-patches/$i
+ echo "Apply $i ..."
+ patch -p0 < $SOURCES_REPOSITORY/$i
+ done
+}
 # Rules to compile & install the temporary toolchain.
 cook_tmp_toolchain()
 {
 cd $src
- # CVE-2014-6271
- patch -p0 < $stuff/funcdef-import-4.2.patch
- # CVE-2014-7169
- patch -p0 < $stuff/CVE-2014-7169.patch
+ patch_bash
 ./configure --without-bash-malloc && make && make install
 }
@@ -29,8 +41,7 @@
 {
 # Patch and then build.
 cd $src
- # CVE-2014-6271
- patch -p0 < $stuff/funcdef-import-4.2.patch
+ patch_bash
 # Skip tests that can not run while cross-compiling.
 cat > config.cache << "EOF"
 ac_cv_func_mmap_fixed_mapped=yes
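Review bot: `patch_bash` fetches all 53 patches over plain `http://` and feeds them straight into `patch -p0` with no integrity check, so anything able to tamper with that transfer can alter the source of the shell being built. Each file should be checked against a checksum pinned in the receipt (or upstream's detached signature, if the build has the key) before it is applied, and the URL moved to HTTPS. Neither `wget` nor `patch` is checked for failure: a truncated download is cached as a non-empty file that passes `[ -s ... ]` on later runs, and a rejected patch only prints output while the build goes on, which can leave a bash that is missing fixes. The bare `patch_bash` calls in `cook_tmp_toolchain` and in the second hunk ignore its status as well and would need `patch_bash || return 1`.

```shell
patch_bash()
{
	for i in $BASHPATCHES ; do
		if [ ! -s "$SOURCES_REPOSITORY/$i" ]; then
			# Download under a temporary name so a failed or partial
			# transfer is never cached as a valid patch.
			wget -O "$SOURCES_REPOSITORY/$i.part" \
				"https://ftp.gnu.org/gnu/bash/bash-$VERSION-patches/$i" ||
				return 1
			mv "$SOURCES_REPOSITORY/$i.part" "$SOURCES_REPOSITORY/$i" ||
				return 1
		fi
		# TODO: verify "$SOURCES_REPOSITORY/$i" against a checksum pinned
		# in this receipt (or its upstream signature) before applying.
		echo "Apply $i ..."
		patch -p0 < "$SOURCES_REPOSITORY/$i" || return 1
	done
}
```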
@@ -57,6 +68,10 @@
 make &&
 # Bash doesn't care about DESTDIR in environnment variable.
 make DESTDIR=$DESTDIR install
+ [ -s "$SOURCES_REPOSITORY/$BASHCHECK" ] ||
+ wget --no-check-certificate -O "$SOURCES_REPOSITORY/$BASHCHECK" $BASHCHECKURL
+ $DESTDIR/bin/bash $SOURCES_REPOSITORY/$BASHCHECK | tee bashcheck.log
+ grep Vulnerable bashcheck.log && echo "ERROR: Vulnerable"
 }
 # Rules to gen a SliTaz package suitable for Tazpkg.
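Review bot: The added self-test downloads `bashcheck` from a moving `master` URL with `--no-check-certificate` and then executes it inside the build, so an unauthenticated, unpinned script runs with whatever privileges the cook has. Drop `--no-check-certificate`, pin `BASHCHECKURL` to a specific commit and compare the file with a checksum recorded in the receipt before running it. The last added line also gets the exit status backwards: when nothing is vulnerable `grep` returns 1 and that becomes the function's return value, while a vulnerable build prints the message and returns 0. `if grep -q Vulnerable bashcheck.log; then echo "ERROR: Vulnerable"; return 1; fi` would fail the build in the right case. The enclosing function starts outside the hunk.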