From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 26766 invoked by alias); 8 Oct 2014 21:15:48 -0000 Mailing-List: contact cygwin-announce-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-announce-owner@cygwin.com Reply-To: The Cygwin Mailing List Mail-Followup-To: cygwin-announce@cygwin.com Received: (qmail 20525 invoked by uid 89); 8 Oct 2014 21:02:15 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 X-HELO: resqmta-po-09v.sys.comcast.net Message-ID: <5435A652.9080505@byu.net> Date: Wed, 08 Oct 2014 21:15:00 -0000 From: "Eric Blake (cygwin)" Reply-To: The Cygwin Mailing List User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: cygwin-announce@cygwin.com Subject: Updated: bash-4.1.17-9 OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="M2aLRJ6UHJkWDBiu1CJO9wCWA34vSJuuL" X-SW-Source: 2014-10/txt/msg00015.txt.bz2 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --M2aLRJ6UHJkWDBiu1CJO9wCWA34vSJuuL Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-length: 7633 A new release of bash, 4.1.17-9, has been uploaded and will soon reach a mirror near you; leaving the previous version at 4.1.16-8. NEWS: =3D=3D=3D=3D=3D This is a minor rebuild which picks up an upstream patch to fix another parser bug (CVE-2014-6278). This bug was found as a result of studying the extent of ShellShock attacks, but all cygwin builds since 4.1.13-6 have already protected bash to avoid the interpretation of arbitrary environment variables causing a bad parse turning into an exploit. There may still be further parser fixes down the pipeline, but I'm pushing this build now rather than waiting for more upstream patches, since some of the sites related to detecting ShellShock have offered poor advice that incorrectly claims that local vulnerability to a parser bug is evidence of a remaining weakness to remote exploits. To avoid confusion, the following test unambiguously tests if you are vulnerable to ShellShock: $ env 'bad=3D() { echo vulnerable; }' bash -c bad If it prints "bash: bad: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade now. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environme= nt-variables-code-injection-attack/ https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about= -the-shellshock-bash-flaws/ https://access.redhat.com/articles/1200223 https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html I also hope to have a build of bash 4.3 available soon, but wanted to get the CVE fixed as soon as possible due to its severity. There are a few things you should be aware of before using this version: 1. When using binary mounts, cygwin programs try to emulate Linux. Bash on Linux does not understand \r\n line endings, but interprets the \r literally, which leads to syntax errors or odd variable assignments. Therefore, you will get the same behavior on Cygwin binary mounts by default. 2. d2u is your friend. You can use it to convert any problematic script into binary line endings. 3. Cygwin text mounts automatically work with either line ending style, because the \r is stripped before bash reads the file. If you absolutely must use files with \r\n line endings, consider mounting the directory where those files live as a text mount. However, text mounts are not as well tested or supported on the cygwin mailing list, so you may encounter other problems with other cygwin tools in those directories. 4. This version of bash has a cygwin-specific set option, named "igncr", to force bash to ignore \r, independently of cygwin's mount style. As of bash-3.2.3-5, it controls regular scripts, command substitution, and sourced files. I hope to convince the upstream bash maintainer to accept this patch into a future bash release even on Linux, rather than keeping it a cygwin-specific patch, but only time will tell. There are several ways to activate this option: 4a. For a single affected script, add this line just after the she-bang: (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed 4b. For a single script, invoke bash explicitly with the option, as in 'bash -o igncr ./myscript' rather than the simpler './myscript'. 4c. To affect all scripts, export the environment variable BASH_ENV, pointing to a file that sets the shell option as desired. Bash will source this file on startup for every script. 4d. Added in the bash-3.2-2 release: export the environment variable SHELLOPTS with igncr included in it. It is read-only from within bash, but you can set it before invoking bash; once in bash, it auto-tracks the current state of 'set -o igncr'. If exported, then all bash child processes inherit the same option settings; with the exception added in 3.2.9-11 that certain interactive options are not inherited in non-interactive use. 4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make sense to support the option through both set and shopt, and SHELLOPTS proved to be more powerful. 5. You can also experiment with the IFS variable for controlling how bash will treat \r during variable expansion. 6. There are varying levels of speed at which bash operates. The fastest is on a binary mount with igncr disabled (the default behavior). Next would be text mounts with igncr disabled and no \r in the underlying file. Next would be binary mounts with igncr enabled. And the slowest that bash will operate is on text mounts with igncr enabled. 7. As additional cygwin extensions, this version of bash includes: 7a. EXECIGNORE - a colon-separated list of glob patterns to ignore when completing on executables. EXECIGNORE=3D*.dll is common. 7b. completion_strip_exe - using 'shopt -s completion_strip_exe' makes completion strip .exe suffixes 8. This version of bash is immune to ShellShock (CVE-2014-6271 and friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than 'foo=3D' environment variables. However, doing this has exposed weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub their environment to exclude what is not a valid name for them. 9. If you don't like how bash behaves, then propose a patch, rather than proposing idle ideas. This turn of events has already been talked to death on the mailing lists by people with many ideas, but few patches. Thanks to Dan Colascione for providing the EXECIGNORE and completion_strip_exe patches. Remember, you must not have any bash or /bin/sh instances running when you upgrade the bash package. This release requires cygwin-1.7.32-1 or later; and it requires libreadline7-6.1.2-2 or later. See also the upstream documentation in /usr/share/doc/bash/. DESCRIPTION: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash, similar to some Linux distributions (although /bin/sh may swap to dash at some future time). UPDATE: =3D=3D=3D=3D=3D=3D=3D To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Save it and run setup, answer the questions and pick up 'bash' in the 'Base' category (it should already be selected). DOWNLOAD: =3D=3D=3D=3D=3D=3D=3D=3D=3D Note that downloads from cygwin.com aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. --=20 Eric Blake volunteer cygwin bash package maintainer CYGWIN-ANNOUNCE UNSUBSCRIBE INFO: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D To unsubscribe to the cygwin-announce mailing list, look at the "List-Unsubscribe: " tag in the email header of this message. Send email to the address specified there. It will be in the format: cygwin-announce-unsubscribe-YOU=3DYOURDOMAIN.COM@cygwin.com If you need more information on unsubscribing, start reading here: http://sourceware.org/lists.html#unsubscribe-simple Please read *all* of the information on unsubscribing that is available starting at this URL. --M2aLRJ6UHJkWDBiu1CJO9wCWA34vSJuuL Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" Content-length: 539 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg iQEcBAEBCAAGBQJUNaZSAAoJEKeha0olJ0NqrIIH/1IO3MJR4UkhfvcfUWa5FQh9 o9ucOWKztUcM7ja3TNC+d4YQGzscV/FCnIslz/WqlWQz5Wp6s3bsDRoE8+w+QWra gXZQNopFgHVx85Jw8Zp88LXIINeeauLuYNNbNGp+90f49qw2wqbYKMIcW9yeToDp cRSxo5X8JaowknZs5amqucVZV254GNAlqzigUFMyf4A3/Z/fZZ18xyHDxanFUttZ tTfAM9A02lyS5/HkDR3+ge25tRpiI8ekxOxCtPN9CuG11XiKJzlWQ4sDlFZ3Y+uj QZJ0O7lH/uxgfQYtT8/iGbeV5mYMYC7r1NjxCogkOP366NshUO50tfso5Sz14v8= =7eJw -----END PGP SIGNATURE----- --M2aLRJ6UHJkWDBiu1CJO9wCWA34vSJuuL--