[SCM] GNU Autoconf source repository branch, master, updated. v2.69-131-

From: Eric Blake
Subject: [SCM] GNU Autoconf source repository branch, master, updated. v2.69-131-g247b02e
Date: Mon, 03 Nov 2014 06:26:44 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Autoconf source repository".;a=commitdiff;h=247b02e5a5bb79ca6666e91de02ae2d3cb0cd325

The branch, master has been updated
       via  247b02e5a5bb79ca6666e91de02ae2d3cb0cd325 (commit)
       via  36b77d7db8371ef0e486e44a4ab0e7afb55bed6a (commit)
      from  0263a9ff90dd4a8434dd60e3bc42916099ba9427 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 247b02e5a5bb79ca6666e91de02ae2d3cb0cd325
Author: Gary V. Vaughan <address@hidden>
Date:   Mon Nov 3 07:25:03 2014 +0100

    tests: avoid spurious test failure with libtool 2.4.3
    Based on a report by Bruce Dubbs.
    * tests/ (Libtool): Be tolerant of 'quote' replacing the
    older `quote'.
    Signed-off-by: Eric Blake <address@hidden>

commit 36b77d7db8371ef0e486e44a4ab0e7afb55bed6a
Author: Eric Blake <address@hidden>
Date:   Sat Sep 27 18:24:06 2014 -0600

    docs: mention that not all values can be exported
    There has been a LOT of news about bash's Shell Shock bug lately.
    Document some of the ramifications it has on portable scripting.
    * doc/autoconf.texi (Limitations of Builtins) <export>: Add some
    details about Shell Shock CVE-2014-6271.
    Signed-off-by: Eric Blake <address@hidden>


Summary of changes:
 doc/autoconf.texi |   23 +++++++++++++++++++++++
 tests/  |    2 +-
 2 files changed, 24 insertions(+), 1 deletions(-)

diff --git a/doc/autoconf.texi b/doc/autoconf.texi
index e2137ae..ace1675 100644
--- a/doc/autoconf.texi
+++ b/doc/autoconf.texi
@@ -17668,6 +17668,29 @@ $ @kbd{/bin/sh -c 'export foo; foo=bar; echo $foo'}
 @end example
+Posix requires @command{export} to work with any arbitrary value for the
+contents of the variable being exported, as long as the total size of
+the environment combined with arguments doesn't exceed @code{ARG_MAX}
+when executing a child process.  However, some shells have extensions
+that involve interpreting some environment values specially, regardless
+of the variable name.  We currently know of one case: all versions of
+Bash released prior to 27 September 2014 intepret an environment
+variable with an initial content substring of @code{() @{} as an
+exported function definition (this is the ``Shellshock'' remote
+execution bug, CVE-2014-6271 and friends, where it was possible to
+eploit the function parser to cause remote code execution on child bash
+startup; newer versions of Bash use special environment variable
address@hidden instead of values to implement the same feature).
+There may be entries inherited into the environment that are not valid
+as shell variable names; Posix states that processes should be tolerant
+of these names.  Some shells such as @command{dash} do this by removing
+those names from the environment at startup, while others such as
address@hidden hide the entry from shell access but still pass it on to
+child processes.  While you can set such names using @command{env} for a
+direct child process, you cannot rely on them being preserved through an
+intermediate pass through the shell.
 @item @command{false}
 @c ------------------
 @prindex @command{false}
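Review bot: Two spelling errors in the added @command{export} paragraph should be fixed before this lands in the manual: "intepret" (in the sentence about Bash released prior to 27 September 2014) should be "interpret", and "eploit" (in the Shellshock parenthetical) should be "exploit". The sentence "We currently know of one case" will also age; consider tying it to the date already given in the same sentence so a later reader knows when that survey was made.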
diff --git a/tests/ b/tests/
index a9dc33c..d4702cd 100644
--- a/tests/
+++ b/tests/
@@ -57,7 +57,7 @@ AT_CHECK([./config.guess || exit 77], [], [ignore], [ignore])
 # Make sure at-path contains something valid, and let the test suite
 # display it when verbose.  And fail, skipping would too easily hide
 # problems.
-AT_CHECK([sed -n ["s,^.*\`\\(/[^']*\\)'.*,\\1,p"] stdout], [0], [stdout])
+AT_CHECK([sed -n ["s,^[^']*[\`']\\(/[^']*\\)'.*,\\1,p"] stdout], [0], [stdout])
 AT_CHECK([test -f "`sed -n 1p stdout`"])
 # Older libtoolize installed everything but install-sh...
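Review bot: The new leading `^[^']*` in the sed expression is stricter than the old `^.*`: a line that contains any apostrophe before the opening quote of the path no longer matches, whereas the old pattern skipped over it. That is probably fine for the libtoolize output this test parses, but the comment above the AT_CHECK only talks about at-path and does not say that both the older `quote' and the newer 'quote' styles are accepted. A one-line comment stating that, and that the path is expected to be the first quoted word on the line, would make the intent of `[\`']` clear to the next person who touches it.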

GNU Autoconf source repository
