From dfa339cca72416151794606aec7285639529b481 Mon Sep 17 00:00:00 2001
From: Ondrej Oprala <ooprala@redhat.com>
Date: Sep 25 2014 20:48:12 +0000
Subject: Patchlevel 25


---

diff --git a/bash-4.3-cve-2014-6271.patch b/bash-4.3-cve-2014-6271.patch
deleted file mode 100644
index 7859d40..0000000
--- a/bash-4.3-cve-2014-6271.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-*** ../bash-4.3-patched/builtins/common.h	2013-07-08 16:54:47.000000000 -0400
---- builtins/common.h	2014-09-12 14:25:47.000000000 -0400
-***************
-*** 34,37 ****
---- 49,54 ----
-  #define SEVAL_PARSEONLY	0x020
-  #define SEVAL_NOLONGJMP 0x040
-+ #define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
-+ #define SEVAL_ONECMD	0x100		/* only allow a single command */
-  
-  /* Flags for describe_command, shared between type.def and command.def */
-*** ../bash-4.3-patched/builtins/evalstring.c	2014-02-11 09:42:10.000000000 -0500
---- builtins/evalstring.c	2014-09-14 14:15:13.000000000 -0400
-***************
-*** 309,312 ****
---- 313,324 ----
-  	      struct fd_bitmap *bitmap;
-  
-+ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
-+ 		{
-+ 		  internal_warning ("%s: ignoring function definition attempt", from_file);
-+ 		  should_jump_to_top_level = 0;
-+ 		  last_result = last_command_exit_value = EX_BADUSAGE;
-+ 		  break;
-+ 		}
-+ 
-  	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
-  	      begin_unwind_frame ("pe_dispose");
-***************
-*** 369,372 ****
---- 381,387 ----
-  	      dispose_fd_bitmap (bitmap);
-  	      discard_unwind_frame ("pe_dispose");
-+ 
-+ 	      if (flags & SEVAL_ONECMD)
-+ 		break;
-  	    }
-  	}
-*** ../bash-4.3-patched/variables.c	2014-05-15 08:26:50.000000000 -0400
---- variables.c	2014-09-14 14:23:35.000000000 -0400
-***************
-*** 359,369 ****
-  	  strcpy (temp_string + char_index + 1, string);
-  
-! 	  if (posixly_correct == 0 || legal_identifier (name))
-! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-! 
-! 	  /* Ancient backwards compatibility.  Old versions of bash exported
-! 	     functions like name()=() {...} */
-! 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-! 	    name[char_index - 2] = '\0';
-  
-  	  if (temp_var = find_function (name))
---- 364,372 ----
-  	  strcpy (temp_string + char_index + 1, string);
-  
-! 	  /* Don't import function names that are invalid identifiers from the
-! 	     environment, though we still allow them to be defined as shell
-! 	     variables. */
-! 	  if (legal_identifier (name))
-! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
-  
-  	  if (temp_var = find_function (name))
-***************
-*** 382,389 ****
-  	      report_error (_("error importing function definition for `%s'"), name);
-  	    }
-- 
-- 	  /* ( */
-- 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-- 	    name[char_index - 2] = '(';		/* ) */
-  	}
-  #if defined (ARRAY_VARS)
---- 385,388 ----
-*** ../bash-4.3-patched/subst.c	2014-08-11 11:16:35.000000000 -0400
---- subst.c	2014-09-12 15:31:04.000000000 -0400
-***************
-*** 8048,8052 ****
-  	  goto return0;
-  	}
-!       else if (var = find_variable_last_nameref (temp1))
-  	{
-  	  temp = nameref_cell (var);
---- 8118,8124 ----
-  	  goto return0;
-  	}
-!       else if (var && (invisible_p (var) || var_isset (var) == 0))
-! 	temp = (char *)NULL;
-!       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
-  	{
-  	  temp = nameref_cell (var);
diff --git a/bash.spec b/bash.spec
index 4097e20..994062b 100644
--- a/bash.spec
+++ b/bash.spec
@@ -1,5 +1,5 @@
 #% define beta_tag rc2
-%define patchleveltag .24
+%define patchleveltag .25
 %define baseversion 4.3
 %bcond_without tests
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -7,7 +7,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 2%{?dist}
+Release: 1%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -45,6 +45,7 @@ Patch021: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-021
 Patch022: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-022
 Patch023: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-023
 Patch024: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-024
+Patch025: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
 
 # Other patches
 Patch101: bash-2.02-security.patch
@@ -102,8 +103,6 @@ Patch134: bash-4.3-pathexp-globignore-delim.patch
 # 1102815 - fix double echoes in vi visual mode
 Patch135: bash-4.3-noecho.patch
 
-Patch136: bash-4.3-cve-2014-6271.patch
-
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -154,6 +153,7 @@ This package contains documentation files for %{name}.
 %patch022 -p0 -b .022
 %patch023 -p0 -b .023
 %patch024 -p0 -b .024
+%patch025 -p0 -b .025
 
 # Other patches
 %patch101 -p1 -b .security
@@ -184,7 +184,6 @@ This package contains documentation files for %{name}.
 %patch131 -p0 -b .keyword
 %patch134 -p0 -b .delim
 %patch135 -p1 -b .noecho
-%patch136 -p0 -b .6271
 
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -380,6 +379,9 @@ end
 %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Wed Sep 25 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.25-1
+- Patchlevel 25
+
 * Wed Sep 24 2014 Ondrej Oprala <ooprala@redhat.com> - 4.3.24-2
 - Inhibit code injection - patch by Stephane Chazelas
 
diff --git a/bash43-025 b/bash43-025
new file mode 100644
index 0000000..721aca0
--- /dev/null
+++ b/bash43-025
@@ -0,0 +1,123 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-025
+
+Bug-Reported-by:	Stephane Chazelas <stephane.chazelas@gmail.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Under certain circumstances, bash will execute user code while processing the
+environment for exported function definitions.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-4.3-patched/builtins/common.h	2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h	2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+  #define SEVAL_PARSEONLY	0x020
+  #define SEVAL_NOLONGJMP 0x040
++ #define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
++ #define SEVAL_ONECMD	0x100		/* only allow a single command */
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c	2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c	2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+  	      struct fd_bitmap *bitmap;
+  
++ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ 		{
++ 		  internal_warning ("%s: ignoring function definition attempt", from_file);
++ 		  should_jump_to_top_level = 0;
++ 		  last_result = last_command_exit_value = EX_BADUSAGE;
++ 		  break;
++ 		}
++ 
+  	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+  	      begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+  	      dispose_fd_bitmap (bitmap);
+  	      discard_unwind_frame ("pe_dispose");
++ 
++ 	      if (flags & SEVAL_ONECMD)
++ 		break;
+  	    }
+  	}
+*** ../bash-4.3-patched/variables.c	2014-05-15 08:26:50.000000000 -0400
+--- variables.c	2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,369 ****
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  if (posixly_correct == 0 || legal_identifier (name))
+! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+! 	  /* Ancient backwards compatibility.  Old versions of bash exported
+! 	     functions like name()=() {...} */
+! 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! 	    name[char_index - 2] = '\0';
+  
+  	  if (temp_var = find_function (name))
+--- 364,372 ----
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  /* Don't import function names that are invalid identifiers from the
+! 	     environment, though we still allow them to be defined as shell
+! 	     variables. */
+! 	  if (legal_identifier (name))
+! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+  	  if (temp_var = find_function (name))
+***************
+*** 382,389 ****
+  	      report_error (_("error importing function definition for `%s'"), name);
+  	    }
+- 
+- 	  /* ( */
+- 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- 	    name[char_index - 2] = '(';		/* ) */
+  	}
+  #if defined (ARRAY_VARS)
+--- 385,388 ----
+*** ../bash-4.3-patched/subst.c	2014-08-11 11:16:35.000000000 -0400
+--- subst.c	2014-09-12 15:31:04.000000000 -0400
+***************
+*** 8048,8052 ****
+  	  goto return0;
+  	}
+!       else if (var = find_variable_last_nameref (temp1))
+  	{
+  	  temp = nameref_cell (var);
+--- 8118,8124 ----
+  	  goto return0;
+  	}
+!       else if (var && (invisible_p (var) || var_isset (var) == 0))
+! 	temp = (char *)NULL;
+!       else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+  	{
+  	  temp = nameref_cell (var);
+*** ../bash-4.3/patchlevel.h	2012-12-29 10:47:57.000000000 -0500
+--- patchlevel.h	2014-03-20 20:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 24
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 25
+  
+  #endif /* _PATCHLEVEL_H_ */