Begin forwarded message:

> From: zippo <[email protected]>
> Subject: Re: [Clfs-dev] CLFS 3.0.0 Milestone Release
> Date: October 10, 2014 at 10:26:21 CDT
> To: William Harrington <[email protected]>
> 
> I know a second problem was found which took me up to 28 to patch.
> 
> $env x='() { :;}; echo not patched' sh -c "echo this is a test"
> 
> 
> I think this was the second test. But I know for sure it took patch level 28 
> to clean things up.
> 
> On 10/10/2014 7:47 AM, William Harrington wrote:
>> On Oct 9, 2014, at 23:29, zippo <[email protected]> wrote:
>> 
>>> I took a look and bash has not been updated to current patch level (30) and 
>>> would thus be vulnerable to the Shellshock bug. Here is the patch to take 
>>> it to that level. I have compiled it and seems to work fine. They seem to 
>>> be playing catchup and have had several patches come out over the past few 
>>> days, I think it would be a good one to keep checking right up to the 
>>> publish.
>>> 
>>> This patch is applied with $patch -p1 < ../bash-4.3-UPDATE_TO_30
>> Greetings Zippo,
>> 
>> I had tested the test cases from LFS for bash level 26 and level 8 and 
>> readline. Are there test cases beyond that which bash patch level 26 and 
>> readline level 8 didn’t fix?
>> 
>> We release with the latest bash, readline, and vim patch levels, but I’m 
>> curious as to why patch level 26 didn’t fix it when I tested with the test 
>> cases from the LFS mailing lists provided from Bruce.
>> 
>> Sincerely,
>> 
>> William Harrington
> 

Thanks for the heads up zippo. 

With the test case above:

GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)

env x='() { :;}; echo not patched' sh -c "echo this is a test"

Output:

-bash: x=() { :;}; echo not patched: command not found

That is with level 26 patch and readline level 8 patch.

Patch level 30 is in the book and I’m expecting to release the book this 
weekend of the 17th to 19th in the United States.

If you can think of any other patches that may be worthy, would be helpful, 
maybe with the toolchain, but I think it is solid.

All users please take the time to go over tickets at 
http://trac.cross-lfs.org/report/1

I may do one commit where I take care of http://trac.cross-lfs.org/ticket/983 
and scrap LDFLAGS.
It also doesn’t hurt to leave it, but it isn’t required for a proper build.

Sincerely,

William Harrington
_______________________________________________
Clfs-dev mailing list
[email protected]
http://lists.cross-lfs.org/listinfo.cgi/clfs-dev-cross-lfs.org
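
A small harness around the test case quoted in the thread, added here as an example and not code from either poster or from CLFS: it reports a verdict only when the probe's "this is a test" line appears, so an error such as "command not found" is classed as inconclusive rather than patched. The function names and verdict words are assumptions, and the patch-level comparison only makes sense within one bash release series (4.3 in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): harness for the quoted test case.
# Function names and verdict words are hypothetical.

# has_line TEXT LINE: true if TEXT contains LINE as a complete line.
has_line() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# run_probe SHELL: run the thread's test case against SHELL, capturing stderr too.
# Typed without a leading "$": env must be the command name for x to reach the child.
run_probe() {
    env x='() { :;}; echo not patched' "$1" -c "echo this is a test" 2>&1
}

# classify_probe OUTPUT: print vulnerable, patched or inconclusive.
classify_probe() {
    # Without the child's own echo, the probe never ran as written.
    has_line "$1" 'this is a test' || { echo inconclusive; return 0; }
    if has_line "$1" 'not patched'; then
        echo vulnerable      # text after the function body was executed on import
    else
        echo patched
    fi
}

# patch_level BANNER: print the third version field, e.g. 26 for 4.3.26(1)-release.
patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*version [0-9]*\.[0-9]*\.\([0-9]*\)(.*/\1/p'
}

# below_level BANNER MIN: true if BANNER's patch level is known and below MIN.
# Only meaningful within one release series (4.3 in the thread).
below_level() {
    lvl=$(patch_level "$1")
    [ -n "$lvl" ] && [ "$lvl" -lt "$2" ]
}

# Inputs taken from the thread, plus one constructed vulnerable-looking output.
banner='GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)'
quoted='-bash: x=() { :;}; echo not patched: command not found'
constructed=$(printf 'not patched\nthis is a test')

echo "quoted output:      $(classify_probe "$quoted")"
echo "constructed output: $(classify_probe "$constructed")"
echo "local sh:           $(classify_probe "$(run_probe sh)")"
below_level "$banner" 30 && echo "banner is below patch level 30"
```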
