[Clfs-dev] CLFS 3.0.0 Milestone Release

William Harrington kb0iic at berzerkula.org
Mon Oct 13 18:36:16 PDT 2014 


Begin forwarded message:

> From: zippo <zippo at oppiz.net>
> Subject: Re: [Clfs-dev] CLFS 3.0.0 Milestone Release
> Date: October 10, 2014 at 10:26:21 CDT
> To: William Harrington <kb0iic at berzerkula.org>
> 
> I know a second problem was found which took me up to 28 to patch.
> 
> $env x='() { :;}; echo not patched' sh -c "echo this is a test"
> 
> 
> I think this was the second test. But I know for sure it took patch level 28 to clean things up.
> 
> On 10/10/2014 7:47 AM, William Harrington wrote:
>> On Oct 9, 2014, at 23:29, zippo <zippo at oppiz.net> wrote:
>> 
>>> I took a look and bash has not been updated to current patch level (30) and would thus be vulnerable to the Shellshock bug. Here is the patch to take it to that level. I have compiled it and seems to work fine. They seem to be playing catchup and have had several patches come out over the past few days, I think it would be a good one to keep checking right up to the publish.
>>> 
>>> This patch is applied with $patch -p1 < ../bash-4.3-UPDATE_TO_30
>> Greetings Zippo,
>> 
>> I had tested the test cases from LFS for bash level 26 and level 8 and readline. Are there test cases beyond that which bash patch level 26 and readline level 8 didn’t fix?
>> 
>> We release with the latest bash, readline, and vim patch levels, but I’m curious as why patch level 26 didn’t fix it when I tested with the test cases from the LFS mailing lists provided from Bruce.
>> 
>> Sincerely,
>> 
>> William Harrington
> 

Thanks for the heads up zippo. 

With the test case above:

GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)

env x='() { :;}; echo not patched' sh -c "echo this is a test”

Output:

-bash: x=() { :;}; echo not patched: command not found

That is with level 26 patch and readline level 8 patch.

Patch level 30 is in the book and I’m expecting to release the book this weekend of the 17th to 19th in the United States.

If you can think of any other patches that my be worthy, would be helpful, maybe with the toolchain, but I think it is solid.

All users please take the time to go over tickets at http://trac.cross-lfs.org/report/1

I may do one commit where I take care of http://trac.cross-lfs.org/ticket/983 and scrap LDFLAGS.
It also doesn’t hurt to leave it, but it isn’t required for a proper build.

Sincerely,

William Harrington

More information about the Clfs-dev mailing list