[ANNOUNCEMENT] Updated: bash-4.3.46-6

[ANNOUNCEMENT] Updated: bash-4.3.46-6

[Eric Blake (cygwin)]

[-- Attachment #1: Type: text/plain, Size: 7093 bytes --]

A new release of bash, 4.3.46-6, has been uploaded and will soon reach a
mirror near you.  It replaces 4.3.43-5, and leaves 4.3.42-4 as the
previous version.

NEWS:
=====
This is a minor build that incorporates a couple more upstream bug fixes
that I missed in the previous build.  Since 4.3.43-5 was short-lived,
I'll repeat the change made there: this build disables some old cruft in
upstream code that tries to use O_TEXT in the 'read' builtin, but
instead ends up eating the character after a carriage return that is not
followed by a newline, even when full binary operation is desired [1].
With this build, the read builtin now honors the Cygwin-specific 'igncr'
shell option, just like has previously been done in command substitution
and script reading, meaning that you get binary behavior by default, but
enabling 'set -o igncr' makes it impossible for 'read' to see a carriage
return.

[1] https://lists.gnu.org/archive/html/bug-bash/2016-03/msg00045.html

This build of bash is immune to the ShellShock vulnerabilities (although
unpatched bash 4.3 is vulnerable, the official upstream patches solve
the issue).  By now, you should no longer be running a vulnerable bash,
but to double check you can run the following test to make sure you are
not subject to arbitrary remote code execution due to ShellShock:
$ env 'bad=() { echo vulnerable; }' bash -c bad

If it prints "bash: bad: command not found", your version of bash is
safe and not subject to remote exploits.  If it prints "vulnerable", you
need to upgrade now.

There are a few things you should be aware of before using this version:
1. When using binary mounts, cygwin programs try to emulate Linux.  Bash
on Linux does not understand \r\n line endings, but interprets the \r
literally, which leads to syntax errors or odd variable assignments.
Therefore, you will get the same behavior on Cygwin binary mounts by
default.
2. d2u is your friend.  You can use it to convert any problematic script
into binary line endings.
3. Cygwin text mounts automatically work with either line ending style,
because the \r is stripped before bash reads the file.  If you
absolutely must use files with \r\n line endings, consider mounting the
directory where those files live as a text mount.  However, text mounts
are not as well tested or supported on the cygwin mailing list, so you
may encounter other problems with other cygwin tools in those directories.
4. This version of bash has a cygwin-specific set option, named "igncr",
to force bash to ignore \r, independently of cygwin's mount style.  As
of bash-3.2.3-5, it controls regular scripts, command substitution, and
sourced files; bash-4.3.43-5 adds the read builtin to the list.  I hope
to convince the upstream bash maintainer to accept this patch into a
future bash release even on Linux, rather than keeping it a
cygwin-specific patch, but only time will tell.  There are several ways
to activate this option:
4a. For a single affected script, add this line just after the she-bang:
 (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed
4b. For a single script, invoke bash explicitly with the option, as in
'bash -o igncr ./myscript' rather than the simpler './myscript'.
4c. To affect all scripts, export the environment variable BASH_ENV,
pointing to a file that sets the shell option as desired.  Bash will
source this file on startup for every script.
4d. Added in the bash-3.2-2 release: export the environment variable
SHELLOPTS with igncr included in it.  It is read-only from within bash,
but you can set it before invoking bash; once in bash, it auto-tracks
the current state of 'set -o igncr'.  If exported, then all bash child
processes inherit the same option settings; with the exception added in
3.2.9-11 that certain interactive options are not inherited in
non-interactive use.
4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make
sense to support the option through both set and shopt, and SHELLOPTS
proved to be more powerful.
5. You can also experiment with the IFS variable for controlling how
bash will treat \r during variable expansion.
6. There are varying levels of speed at which bash operates.  The
fastest is on a binary mount with igncr disabled (the default behavior).
 Next would be text mounts with igncr disabled and no \r in the
underlying file. Next would be binary mounts with igncr enabled.  And
the slowest that bash will operate is on text mounts with igncr enabled.
7. As additional cygwin extensions, this version of bash includes:
7a. EXECIGNORE - a colon-separated list of glob patterns to ignore
when completing on executables.  EXECIGNORE=*.dll is common.
7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
makes completion strip .exe suffixes
8. This version of bash is immune to ShellShock (CVE-2014-6271 and
friends) because it exports functions via 'BASH_FUNC_foo%%=' rather than
'foo=' environment variables.  However, doing this has exposed
weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub
their environment to exclude what is not a valid name for them.
9. If you don't like how bash behaves, then propose a patch, rather than
proposing idle ideas.  This turn of events has already been talked to
death on the mailing lists by people with many ideas, but few patches.
Thanks to Dan Colascione for providing the EXECIGNORE and
completion_strip_exe patches.

Remember, you must not have any bash or /bin/sh instances running when
you upgrade the bash package.  This release requires cygwin-2.5.2-1 or
later.  See also the upstream documentation in /usr/share/doc/bash/.

DESCRIPTION:
============
Bash is an sh-compatible shell that incorporates useful features from
the Korn shell (ksh) and C shell (csh).  It is intended to conform to
the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers
functional improvements over sh for both programming and interactive
use. In addition, most sh scripts can be run by Bash without modification.

As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash,
similar to some Linux distributions (although /bin/sh may swap to dash
at some future time).

UPDATE:
=======
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system. Save it and run setup, answer the questions and pick up 'bash'
in the 'Base' category (it should already be selected).

DOWNLOAD:
=========
Note that downloads from cygwin.com aren't allowed due to bandwidth
limitations.  This means that you will need to find a mirror which has
this update, please choose the one nearest to you:
http://cygwin.com/mirrors.html

QUESTIONS:
==========
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

-- 
Eric Blake
volunteer cygwin bash package maintainer

For more details on this list (including unsubscription), see:
http://sourceware.org/lists.html



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[David Rothenberger]

On 8/6/2016 6:13 AM, Eric Blake (cygwin) wrote:
> 7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
> makes completion strip .exe suffixes

I get an error that completion_strip_exe is not a supported option with 
this release. It was working fine in 4.3.42-4.

-- 
David Rothenberger  ----  daveroth@acm.org

Backed up the system lately?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Nem W Schlecht]

I can confirm - I get this same error.  I'm guessing the patch for
this (which is cygwin specific) was accidentally skipped for this
build.

On Sat, Aug 6, 2016 at 4:25 PM, David Rothenberger <daveroth@acm.org> wrote:
> On 8/6/2016 6:13 AM, Eric Blake (cygwin) wrote:
>>
>> 7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
>> makes completion strip .exe suffixes
>
>
> I get an error that completion_strip_exe is not a supported option with this
> release. It was working fine in 4.3.42-4.
>
> --
> David Rothenberger  ----  daveroth@acm.org
>
> Backed up the system lately?
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>



-- 
Nem W Schlecht
"Perl did the magic. I just waved the wand."

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Nem W Schlecht]

Having heard no news on this, I'm unsure if this functionality is just
going to be this way now or if the author went on an extended vacation
or what.  It *is* still listed in the release notes:


    7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
makes completion strip .exe suffixes


Odd that nobody else has commented/complained about (I find it pretty
annoying to have the '.exe' expanded out).



On Tue, Aug 9, 2016 at 11:14 PM, Nem W Schlecht <nem@emptec.com> wrote:
> I can confirm - I get this same error.  I'm guessing the patch for
> this (which is cygwin specific) was accidentally skipped for this
> build.
>
> On Sat, Aug 6, 2016 at 4:25 PM, David Rothenberger <daveroth@acm.org> wrote:
>> On 8/6/2016 6:13 AM, Eric Blake (cygwin) wrote:
>>>
>>> 7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
>>> makes completion strip .exe suffixes
>>
>>
>> I get an error that completion_strip_exe is not a supported option with this
>> release. It was working fine in 4.3.42-4.
>>
>> --
>> David Rothenberger  ----  daveroth@acm.org
>>
>> Backed up the system lately?
>>
>> --
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>
>
>
>
> --
> Nem W Schlecht
> "Perl did the magic. I just waved the wand."



-- 
Nem W Schlecht
"Perl did the magic. I just waved the wand."

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

On 08/24/2016 10:02 AM, Nem W Schlecht wrote:
> Having heard no news on this, I'm unsure if this functionality is just
> going to be this way now or if the author went on an extended vacation
> or what.  It *is* still listed in the release notes:

Extended vacation (or rather, I just moved across state lines, and was
offline for two weeks as a result).  I'm now back, though, so I'm
investigating...

>     7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
> makes completion strip .exe suffixes
> 
>>>
>>> I get an error that completion_strip_exe is not a supported option with this
>>> release. It was working fine in 4.3.42-4.

...most likely I misapplied a patch between bash builds; if so, I'll
have 4.3.46-7 up soon that fixes the problems.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Nem W Schlecht]

Sounds good!  Thanks for the update (and your hard work on the Cygwin
bash release)!

On Wed, Aug 24, 2016 at 10:24 AM, Eric Blake <eblake@redhat.com> wrote:
> On 08/24/2016 10:02 AM, Nem W Schlecht wrote:
>> Having heard no news on this, I'm unsure if this functionality is just
>> going to be this way now or if the author went on an extended vacation
>> or what.  It *is* still listed in the release notes:
>
> Extended vacation (or rather, I just moved across state lines, and was
> offline for two weeks as a result).  I'm now back, though, so I'm
> investigating...
>
>>     7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
>> makes completion strip .exe suffixes
>>
>>>>
>>>> I get an error that completion_strip_exe is not a supported option with this
>>>> release. It was working fine in 4.3.42-4.
>
> ...most likely I misapplied a patch between bash builds; if so, I'll
> have 4.3.46-7 up soon that fixes the problems.
>
> --
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
>



-- 
Nem W Schlecht
"Perl did the magic. I just waved the wand."

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 822 bytes --]

On 08/06/2016 04:25 PM, David Rothenberger wrote:
> On 8/6/2016 6:13 AM, Eric Blake (cygwin) wrote:
>> 7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
>> makes completion strip .exe suffixes
> 
> I get an error that completion_strip_exe is not a supported option with
> this release. It was working fine in 4.3.42-4.

Well, for a limited set of cases.  :)

$ /bin/ln<TAB>

changes output from 'ln.exe   lndir.exe' to 'ln   lndir', but

$ ls /bin/ln<TAB>

still shows .exe.  Patches would be welcome for anyone that can figure
out how to make bash-completion also strip .exe from file name
completions when the name being completed is not the first word on the
command line.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

Re: [ANNOUNCEMENT] Updated: bash-4.3.46-6

[Andrey Repin]

Greetings, Eric Blake!

> On 08/06/2016 04:25 PM, David Rothenberger wrote:
>> On 8/6/2016 6:13 AM, Eric Blake (cygwin) wrote:
>>> 7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
>>> makes completion strip .exe suffixes
>> 
>> I get an error that completion_strip_exe is not a supported option with
>> this release. It was working fine in 4.3.42-4.

> Well, for a limited set of cases.  :)

> $ /bin/ln<TAB>

> changes output from 'ln.exe   lndir.exe' to 'ln   lndir', but

> $ ls /bin/ln<TAB>

> still shows .exe.  Patches would be welcome for anyone that can figure
> out how to make bash-completion also strip .exe from file name
> completions when the name being completed is not the first word on the
> command line.

It should? I don't think so.
What if I need to specify a file name to edit?


-- 
With best regards,
Andrey Repin
Thursday, August 25, 2016 00:23:45

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple