new file mode 100644
@@ -0,0 +1,84 @@
+Fix CVE-2014-6271
+
+specially-crafted environment variables can be used to inject shell commands
+taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1141597
+
+Upstream-Status: Submitted
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: bash-3.2.48/variables.c
+===================================================================
+--- bash-3.2.48.orig/variables.c 2008-11-18 05:14:57.000000000 -0800
++++ bash-3.2.48/variables.c 2014-09-26 09:12:58.700080056 -0700
+@@ -318,12 +318,10 @@
+ temp_string[char_index] = ' ';
+ strcpy (temp_string + char_index + 1, string);
+
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+- /* Ancient backwards compatibility. Old versions of bash exported
+- functions like name()=() {...} */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+- name[char_index - 2] = '\0';
++ /* Don't import function names that are invalid identifiers from the
++ environment. */
++ if (legal_identifier (name))
++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+ {
+@@ -332,10 +330,6 @@
+ }
+ else
+ report_error (_("error importing function definition for `%s'"), name);
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+ # if 0
+Index: bash-3.2.48/builtins/common.h
+===================================================================
+--- bash-3.2.48.orig/builtins/common.h 2006-03-06 06:38:44.000000000 -0800
++++ bash-3.2.48/builtins/common.h 2014-09-26 09:12:58.700080056 -0700
+@@ -33,6 +33,8 @@
+ #define SEVAL_RESETLINE 0x010
+
+ /* Flags for describe_command, shared between type.def and command.def */
++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++#define SEVAL_ONECMD 0x100 /* only allow a single command */
+ #define CDESC_ALL 0x001 /* type -a */
+ #define CDESC_SHORTDESC 0x002 /* command -V */
+ #define CDESC_REUSABLE 0x004 /* command -v */
+Index: bash-3.2.48/builtins/evalstring.c
+===================================================================
+--- bash-3.2.48.orig/builtins/evalstring.c 2008-11-18 05:15:12.000000000 -0800
++++ bash-3.2.48/builtins/evalstring.c 2014-09-26 09:12:58.700080056 -0700
+@@ -234,6 +234,14 @@
+ {
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+ add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -291,6 +299,9 @@
+ dispose_command (command);
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+ else
new file mode 100644
@@ -0,0 +1,101 @@
+Fix CVE-2014-6271
+
+specially-crafted environment variables can be used to inject shell commands
+taken from
+https://bugzilla.redhat.com/show_bug.cgi?id=1141597
+
+Upstream-Status: Submitted
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: bash-4.3/variables.c
+===================================================================
+--- bash-4.3.orig/variables.c 2014-02-14 08:55:12.000000000 -0800
++++ bash-4.3/variables.c 2014-09-26 08:40:24.704080056 -0700
+@@ -358,13 +358,11 @@
+ temp_string[char_index] = ' ';
+ strcpy (temp_string + char_index + 1, string);
+
+- if (posixly_correct == 0 || legal_identifier (name))
+- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+- /* Ancient backwards compatibility. Old versions of bash exported
+- functions like name()=() {...} */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+- name[char_index - 2] = '\0';
++ /* Don't import function names that are invalid identifiers from the
++ environment, though we still allow them to be defined as shell
++ variables. */
++ if (legal_identifier (name))
++ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+
+ if (temp_var = find_function (name))
+ {
+@@ -381,10 +379,6 @@
+ last_command_exit_value = 1;
+ report_error (_("error importing function definition for `%s'"), name);
+ }
+-
+- /* ( */
+- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+- name[char_index - 2] = '('; /* ) */
+ }
+ #if defined (ARRAY_VARS)
+ # if ARRAY_EXPORT
+Index: bash-4.3/subst.c
+===================================================================
+--- bash-4.3.orig/subst.c 2014-01-23 13:26:37.000000000 -0800
++++ bash-4.3/subst.c 2014-09-26 08:40:24.708080056 -0700
+@@ -8029,7 +8029,9 @@
+
+ goto return0;
+ }
+- else if (var = find_variable_last_nameref (temp1))
++ else if (var && (invisible_p (var) || var_isset (var) == 0))
++ temp = (char *)NULL;
++ else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
+ {
+ temp = nameref_cell (var);
+ #if defined (ARRAY_VARS)
+Index: bash-4.3/builtins/common.h
+===================================================================
+--- bash-4.3.orig/builtins/common.h 2013-07-08 13:54:47.000000000 -0700
++++ bash-4.3/builtins/common.h 2014-09-26 08:40:24.700080056 -0700
+@@ -33,6 +33,8 @@
+ #define SEVAL_RESETLINE 0x010
+ #define SEVAL_PARSEONLY 0x020
+ #define SEVAL_NOLONGJMP 0x040
++#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
++#define SEVAL_ONECMD 0x100 /* only allow a single command */
+
+ /* Flags for describe_command, shared between type.def and command.def */
+ #define CDESC_ALL 0x001 /* type -a */
+Index: bash-4.3/builtins/evalstring.c
+===================================================================
+--- bash-4.3.orig/builtins/evalstring.c 2014-02-11 06:42:10.000000000 -0800
++++ bash-4.3/builtins/evalstring.c 2014-09-26 08:40:24.700080056 -0700
+@@ -308,6 +308,14 @@
+ {
+ struct fd_bitmap *bitmap;
+
++ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ {
++ internal_warning ("%s: ignoring function definition attempt", from_file);
++ should_jump_to_top_level = 0;
++ last_result = last_command_exit_value = EX_BADUSAGE;
++ break;
++ }
++
+ bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+ begin_unwind_frame ("pe_dispose");
+ add_unwind_protect (dispose_fd_bitmap, bitmap);
+@@ -368,6 +376,9 @@
+ dispose_command (command);
+ dispose_fd_bitmap (bitmap);
+ discard_unwind_frame ("pe_dispose");
++
++ if (flags & SEVAL_ONECMD)
++ break;
+ }
+ }
+ else
@@ -12,6 +12,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
file://mkbuiltins_have_stringize.patch \
file://build-tests.patch \
file://test-output.patch \
+ file://shellshock.patch \
file://run-ptest \
"
@@ -9,6 +9,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
file://mkbuiltins_have_stringize.patch \
file://build-tests.patch \
file://test-output.patch \
+ file://shellshock.patch \
file://run-ptest \
"