Browse Source

gnu: bash: Update to 4.3.27 and fix out-of-bounds memory accesses.

Based on a patch by Ludovic Courtès <>.

* gnu/packages/bash.scm (%patch-series-4.3): Add two patches.
  (bash)[source]: Add parser-oob patch.  Add 'snippet'.
  [native-inputs]: New field.
* gnu/packages/commencement.scm (bison-boot1): New variable.
  (static-bash-for-glibc): Add 'native-inputs'.

Co-Authored-By: Ludovic Courtès <>
Mark H Weaver 7 years ago
2 changed files with 43 additions and 3 deletions
  1. +23
  2. +20

+ 23
- 3
gnu/packages/bash.scm View File

@ -20,6 +20,7 @@
#:use-module (guix licenses)
#:use-module (gnu packages ncurses)
#:use-module (gnu packages readline)
#:use-module (gnu packages bison)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
@ -74,7 +75,9 @@
(22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
(23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
(24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
(25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271
(25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y") ;CVE-2014-6271
(26 "0k919ir0inwn4wai2vdzpbwqq5h54fnrlkmgccxjg91v3ch15k1f") ;CVE-2014-7169
(27 "1gnsfvq6bhb3srlbh0cannj2hackdsipcg7z0ds7zlk1hp96mdqy")))
(define (download-patches store count)
"Download COUNT Bash patches into store. Return a list of
@ -129,12 +132,29 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
(patch-flags '("-p0"))
(patches %patch-series-4.3)))
;; Fix out-of-bound memory accesses.
;; See <>.
(method url-fetch)
(uri "")
;; The patches above modify 'parse.y', so force a rebuild of the
;; parser.
(snippet '(for-each delete-file
'("" "" "parser-built")))))
(version (string-append version "."
(number->string (length %patch-series-4.3))))
(build-system gnu-build-system)
(native-inputs `(("bison" ,bison))) ;to rebuild the parser
(inputs `(("readline" ,readline)
("ncurses" ,ncurses))) ; TODO: add texinfo
("ncurses" ,ncurses))) ;TODO: add texinfo
`(;; When cross-compiling, `configure' incorrectly guesses that job
;; control is missing.

+ 20
- 0
gnu/packages/commencement.scm View File

@ -27,8 +27,10 @@
#:use-module (gnu packages bash)
#:use-module (gnu packages gcc)
#:use-module (gnu packages ed)
#:use-module (gnu packages m4)
#:use-module (gnu packages file)
#:use-module (gnu packages gawk)
#:use-module (gnu packages bison)
#:use-module (gnu packages guile)
#:use-module (gnu packages multiprecision)
#:use-module (gnu packages compression)
@ -396,6 +398,23 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
("bash" ,bash)))
(inputs '())))
(define bison-boot1
;; XXX: This Bison is needed to rebuild Bash's parser, which is modified by
;; its CVE patches. Remove it when it's no longer needed.
(let* ((m4 (package-with-bootstrap-guile
(package-with-explicit-inputs m4 %boot0-inputs
#:guile %bootstrap-guile)))
(bison (package (inherit bison)
(native-inputs `(("perl" ,perl-boot0)))
(propagated-inputs `(("m4" ,m4)))
(inputs '()) ;remove Flex...
(arguments '(#:tests? #f))))) ;... and thus disable tests
(package-with-explicit-inputs bison %boot0-inputs
#:guile %bootstrap-guile))))
(define static-bash-for-glibc
;; A statically-linked Bash to be embedded in GLIBC-FINAL, for use by
;; system(3) & co.
@ -403,6 +422,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
(car (assoc-ref %boot1-inputs "bash"))))
(bash (package (inherit bash-light)
(native-inputs `(("bison" ,bison-boot1)))
`(#:guile ,%bootstrap-guile
,@(package-arguments bash-light))))))