From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.3] main/bash: security upgrade - fixes #6411 Date: Tue, 6 Dec 2016 08:42:30 +0000 Message-Id: <1481013750-8122-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-7543 --- main/bash/APKBUILD | 14 +++++++++----- main/bash/CVE-2016-7543.patch | 19 +++++++++++++++++++ 2 files changed, 28 insertions(+), 5 deletions(-) create mode 100644 main/bash/CVE-2016-7543.patch diff --git a/main/bash/APKBUILD b/main/bash/APKBUILD index a325a3a..43af072 100644 --- a/main/bash/APKBUILD +++ b/main/bash/APKBUILD @@ -5,7 +5,7 @@ pkgver=4.3.42 _patchlevel=${pkgver##*.} _myver=${pkgver%.*} _patchbase=${_myver/./} -pkgrel=3 +pkgrel=4 pkgdesc="The GNU Bourne Again shell" url="http://www.gnu.org/software/bash/bash.html" arch="all" @@ -17,7 +17,8 @@ subpackages="$pkgname-doc" source="http://ftp.gnu.org/gnu/bash/bash-${_myver}.tar.gz bash-noinfo.patch privmode-setuid-fail.patch - " + CVE-2016-7543.patch +" # generate url's to patches. note: no forks allowed! _i=1 _pad="00" @@ -72,6 +73,7 @@ package() { md5sums="81348932d5da294953e15d4814c74dd1 bash-4.3.tar.gz 80fec5f3d60a63756a4999c877e31a8e bash-noinfo.patch a577d42e38249d298d6a8d4bf2823883 privmode-setuid-fail.patch +7813a0639fc2958f23469ccab204a8f0 CVE-2016-7543.patch 1ab682b4e36afa4cf1b426aa7ac81c0d bash43-001 8fc22cf50ec85da00f6af3d66f7ddc1b bash43-002 a41728eca78858758e26b5dea64ae506 bash43-003 
@@ -113,10 +115,11 @@ be2a7b05f6ae560313f3c9d5f7127bda bash43-037 a4775487abe958536751c8ce53cdf6f9 bash43-039 80d3587c58854e226055ef099ffeb535 bash43-040 20bf63eef7cb441c0b1cc49ef3191d03 bash43-041 -4150846ca72b8ab3aa83f276726e6b09 bash43-042" +70790646ae61e207c995e44931390e50 bash43-042" sha256sums="afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4 bash-4.3.tar.gz 363bc919d98cadbfca27660be0d1d4bb6cfe1c5f86a7830966e456df36e46792 bash-noinfo.patch 6bc2d4e48ad05fb3c8aac120a012baf1911f6522464ed18c8232b111a40b7901 privmode-setuid-fail.patch +690e6d0366bf2d717f59fac770a37bf26929950a6f380e1984677737e4d658da CVE-2016-7543.patch ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742 bash43-001 eee7cd7062ab29a9e4f02924d9c367264dcb8b162703f74ff6eb8f175a91502b bash43-002 000e6eac50cd9053ce0630db01239dcdead04a2c2c351c47e2b51dac1ac1087d bash43-003 
@@ -158,10 +161,11 @@ adbeaa500ca7a82535f0e88d673661963f8a5fcdc7ad63445e68bf5b49786367 bash43-038 ab94dced2215541097691f60c3eb323cc28ef2549463e6a5334bbcc1e61e74ec bash43-039 84bb396b9262992ca5424feab6ed3ec39f193ef5c76dfe4a62b551bd8dd9d76b bash43-040 4ec432966e4198524a7e0cd685fe222e96043769c9613e66742ac475db132c1a bash43-041 -b75a53141ab3d8fff3fa74b5f3dc76468b01eae299f50bbc2bc71ae395d690af bash43-042" +ac219322db2791da87a496ee6e8e5544846494bdaaea2626270c2f73c1044919 bash43-042" sha512sums="a852b8e46ee55568dce9d23a30a9dbd1c770c2d2a4bc91e1c3177d723b31b32c5d69d19704a93f165891b409b9dd2cc65723372044e2bd0ee49ed59a11512651 bash-4.3.tar.gz 74d51550cc03410f22ffea13f6452350d1e5564bff619fb07a5bbef14ca565fbe03770a2c0041292732cda16e8944b33ccbd0dfe29a606a068fedabe277cd6ae bash-noinfo.patch c5804ace658f9d7f957d4b98bebab4d8eb0ba3dd2dd155a480c7f9b0f17b06ced344b4b4c9f52ef1d5c0cabb047bce5237c350f53b95cf6c95e156ab4ab9e8a9 privmode-setuid-fail.patch +00fe0c0b30122f3de543a7b2a609e277db05d5e5fce58eabb052deb2788d579e90a14c362f5e889fc8e0168b82ad4555eb0d38ba3b300aac54432453a83daded CVE-2016-7543.patch a1011392652180a28f9837af4a341a80beb929c1458e2384e282f0007713c5fe8d0b315abf1340b3707748d3caed322135dee87b59eeb7612ee5130f87d79888 bash43-001 e3178c85f553522d5d1c5fd39e76f015b680a8ccc84836a5e10283b2aed6e5b7cc3d23af0e67a270b7622dce0abf35dd8a95afa9bb6f89b73a9439f7435175a4 bash43-002 dc2c5fad8d357d1301e419afd959dfaf015a63172857080c11f77ab1bb7d1d737f411eb0e70a861f98a36bed1b19edb7217a4fa9f4773e21706b62dc56ec3464 bash43-003 
@@ -203,4 +207,4 @@ ae41a9a5326ceb8e7105e359be097e14876160f6357bfa7c5cd3c4a495a629be762c3db671754c2c f9745a05bfbbe39f8e5af3865de3a32391d7ff291289977e23340c79a3783b4fad15bdcf8ce62478916b43fe18501c4d7c65cd54d3c20e8bb889919df48a9a19 bash43-039 25a0696f1f0e78cb971afa404e0b7fe634b70d49d6a5a9d6ff5506c42063968e8ede83ad80bd0b79601363676fe3abfedc3b76984f6f9ad2e7798790682e21d0 bash43-040 d75cdd6a1fb8aeb1a4e88f046cfea3ec493b994b96f60f27d5577b59408422bb7c51cc4525cadab821fd8c57f44fb07f811b087d077359242caff3b54cfc6819 bash43-041 -f1530203d4ec42fa65db7ed4ee07f82b3be78dc3fa6532a222447acaaa8ff36a48979b153767b9191e5f9c2709d9822d71f816b9fc9f40e549e18831df5f9c3e bash43-042" +01a6601029c0a55c9bf1a4ace3f387f9d094a9b9ee3511e2113c000123d85b1d5813c369e62d5a6dd329f515ef0d67d11394a6c0e4516956387556c13d13009a bash43-042" diff --git a/main/bash/CVE-2016-7543.patch b/main/bash/CVE-2016-7543.patch new file mode 100644 index 0000000..69686a1 --- /dev/null +++ b/main/bash/CVE-2016-7543.patch @@ -0,0 +1,19 @@ +CVE-2016-7543 +http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html + +diff -ru variables.c.orig variables.c +--- variables.c.orig ++++ variables.c +@@ -495,7 +495,11 @@ + #endif + set_if_not ("PS2", secondary_prompt); + } +- set_if_not ("PS4", "+ "); ++ ++ if (current_user.euid == 0) ++ bind_variable ("PS4", "+ ", 0); ++ else ++ set_if_not ("PS4", "+ "); + + /* Don't allow IFS to be imported from the environment. */ + temp_var = bind_variable ("IFS", " \t\n", 0); -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
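Review bot: in the `source=` hunk (`@@ -17,7 +17,8 @@`) the closing quote is now at column 0 (`+"`) while the line it replaces kept it indented (`-      "`); abuild does not care, but it is inconsistent with the rest of the APKBUILD, so keep the indentation: `+      CVE-2016-7543.patch` followed by `+      "`.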
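Review bot: the md5sums hunk (`@@ -72,6 +73,7 @@`) does more than add a line for the new patch; it also replaces the checksum of the already-pinned upstream patch `bash43-042` (`-4150846ca72b8ab3aa83f276726e6b09 bash43-042` to `+70790646ae61e207c995e44931390e50 bash43-042`), and the sha256sums and sha512sums hunks do the same, yet the subject and body only mention CVE-2016-7543. A pinned upstream file changing content is exactly what the checksums exist to catch, so confirm that the new bash43-042 is the one upstream republished (diff the old and new files) and say so in the commit message, or put the checksum refresh in its own commit.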
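Review bot: the new `CVE-2016-7543.patch` matches the fix referenced by the linked bug-bash message: when `current_user.euid == 0` it calls `bind_variable ("PS4", "+ ", 0)` unconditionally, so a `PS4` value imported from the environment is no longer expanded by a root shell, while the `else` branch keeps the old `set_if_not` behaviour for other users. Two things to check before merging: the file header uses `--- variables.c.orig` / `+++ variables.c` with no `a/`/`b/` prefix, unlike the other patches in main/bash, so verify that `abuild unpack && abuild prepare` applies it cleanly with the strip level abuild uses; and the guard covers only euid 0, so a shell that is setuid to a non-root user still imports `PS4` from the environment, which is worth raising with upstream rather than changing here.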