Bash-5.3 patch 11

Wed, 10 Jun 2026 06:25:30 -0700 

                             BASH PATCH REPORT
                             =================

Bash-Release:   5.3
Patch-ID:       bash53-011

Bug-Reported-by:        Philippe Grégoire <[email protected]>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

If a `mapfile' callback unsets the array variable `mapfile' is using to save
the lines it reads, `mapfile' can try to reference freed memory, which can
cause corruption or shell crashes.

Patch (apply with `patch -p0'):

*** ../bash-5.3-patched/builtins/mapfile.def    Mon May  6 11:58:48 2024
--- builtins/mapfile.def        Mon May 25 16:23:50 2026
***************
*** 154,160 ****
    unbuffered_read = 0;
  
!   /* The following check should be done before reading any lines.  Doing it
!      here allows us to call bind_array_element instead of bind_array_variable
!      and skip the variable lookup on every call. */
    entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
    if (entry == 0)
--- 154,158 ----
    unbuffered_read = 0;
  
!   /* The following check should be done before reading any lines. */
    entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY);
    if (entry == 0)
***************
*** 202,207 ****
        }
  
!       /* XXX - bad things can happen if the callback modifies ENTRY, e.g.,
!        unsetting it or changing it to a non-indexed-array type. */
        bind_array_element (entry, array_index, line, 0);
  
--- 200,210 ----
        }
  
!       /* Bad things can happen if the callback modifies ENTRY, e.g.,
!        unsetting it or changing it to a non-indexed-array type, so we
!        look it up again every time we need to assign something */
!       entry = bind_array_variable (array_name, array_index, line, 0);
!       if (entry == 0 || ASSIGN_DISALLOWED (entry, 0))
!       return EXECUTION_FAILURE;
! 
        bind_array_element (entry, array_index, line, 0);
  
*** ../bash-5.3/patchlevel.h    2020-06-22 14:51:03.000000000 -0400
--- patchlevel.h        2020-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 10
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 11
  
  #endif /* _PATCHLEVEL_H_ */

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    [email protected]    http://tiswww.cwru.edu/~chet/

Reply via email to