[1.7] Updated [security]: bash-3.2.49-23
Thu Jul 2 02:21:00 GMT 2009
-----BEGIN PGP SIGNED MESSAGE-----
A new release of bash, 3.2.49-23, has been uploaded for those testing
cygwin 1.7, replacing 3.2.49-22 as current.
This is a package refresh, built against cygwin 1.7. It closes a buffer
overflow exploit security hole that was reported to me off-list; the
exploit was only possible when using long path names under cygwin 1.7
coupled with bash compiled under cygwin 1.5. It also removes special
handling for DOS paths, since cygwin 1.7 is less accommodating to those
(use /cygdrive instead).
There are a few things you should be aware of before using this version:
1. When using binary mounts, cygwin programs try to emulate Linux. Bash
on Linux does not understand \r\n line endings, but interprets the \r
literally, which leads to syntax errors or odd variable assignments.
Therefore, you will get the same behavior on Cygwin binary mounts by default.
2. d2u is your friend. You can use it to convert any problematic script
into binary line endings.
3. Cygwin text mounts automatically work with either line ending style,
because the \r is stripped before bash reads the file. If you absolutely
must use files with \r\n line endings, consider mounting the directory
where those files live as a text mount. However, text mounts are not as
well tested or supported on the cygwin mailing list, so you may encounter
other problems with other cygwin tools in those directories.
4. This version of bash has a cygwin-specific shell option, named "igncr"
to force bash to ignore \r, independently of cygwin's mount style. As of
bash-3.2.3-5, it controls regular scripts, command substitution, and
sourced files. I hope to convince the upstream bash maintainer to accept
this patch into the future bash 4.0 even on Linux, rather than keeping it
a cygwin-specific patch, but only time will tell. There are several ways
to activate this option:
4a. For a single affected script, add this line just after the she-bang:
(set -o igncr) 2>/dev/null && set -o igncr; # comment is needed
4b. For a single script, invoke bash explicitly with the shopt, as in
'bash -o igncr ./myscript' rather than the simpler './myscript'.
4c. To affect all scripts, export the environment variable BASH_ENV,
pointing to a file that sets the shell option as desired. Bash will
source this file on startup for every script.
4d. Added in the bash-3.2-2 release: export the environment variable
SHELLOPTS with igncr included in it. It is read-only from within bash,
but you can set it before invoking bash; once in bash, it auto-tracks the
current state of 'set -o igncr'. If exported, then all bash child
processes inherit the same option settings; with the exception added in
3.2.9-11 that certain interactive options are not inherited in
5. You can also experiment with the IFS variable for controlling how bash
will treat \r during variable expansion.
6. The bash hack for honoring the underlying mount point of DOS-style
paths has been discontinued, as had been promised in several prior release
notes. Use POSIX-style paths instead.
7. There are varying levels of speed at which bash operates. The fastest
is on a binary mount with igncr disabled (the default behavior). Next
would be text mounts with igncr disabled and no \r in the underlying file.
Next would be binary mounts with igncr enabled. And the slowest that bash
will operate is on text mounts with igncr enabled.
8. If you don't like how bash behaves, then propose a patch, rather than
proposing idle ideas. This turn of events has already been talked to
death on the mailing lists by people with many ideas, but few patches.
9. If you forget to read this release announcement, the best you can
expect when you complain to the list is a link back to this email.
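As an added example, not part of this announcement, the following POSIX sh script reproduces the \r behaviour described in items 1 and 2, wraps the item 4a guard line in a function, and shows the IFS approach of item 5. It assumes a POSIX sh with a bash binary, tr and mktemp on PATH; `tr -d '\r'` stands in for d2u, and the script text, file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the announcement): reproduces the \r problem of
# items 1 and 2, the igncr guard of item 4a, and the IFS trick of item 5.
# Assumes a POSIX sh, a bash binary on PATH and standard tr/mktemp; the
# script contents and file names are constructed for the demo.

# Write a constructed script with Windows \r\n line endings to $1.
write_crlf_script() {
    printf 'name=cygwin\r\ntest "$name" = cygwin && echo match || echo "no match: [$name]"\r\n' > "$1"
}

# Run a script with bash and return its first output line, with CRs
# removed so the result can be compared in a test.
run_script() {
    bash "$1" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Equivalent of d2u (item 2): strip every carriage return in place.
d2u() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The guard line from item 4a, as a function: succeeds only when the bash
# on PATH knows the igncr option (Cygwin); a plain Linux bash rejects it
# and the guard silently does nothing.
igncr_available() {
    bash -c '(set -o igncr) 2>/dev/null && set -o igncr' 2>/dev/null
}

# Item 5: with \r added to IFS, an unquoted expansion splits the \r away.
# Runs in a subshell so the modified IFS does not leak out.
ifs_strip() (
    name=$(printf 'cygwin\r')
    IFS=$(printf ' \t\n\r')
    set -- $name
    printf '%s' "$1"
)

# Run the CRLF script before and after d2u and return "before|after".
# On a binary mount (or Linux) the trailing \r makes the comparison fail
# until the line endings are converted.
demo() {
    dir=$(mktemp -d)
    write_crlf_script "$dir/crlf.sh"
    before=$(run_script "$dir/crlf.sh")
    d2u "$dir/crlf.sh"
    after=$(run_script "$dir/crlf.sh")
    rm -rf "$dir"
    printf '%s|%s\n' "$before" "$after"
}

demo
```

Running it on a Linux bash prints `no match: [cygwin]|match`: the assignment in the CRLF script keeps the carriage return, and only the d2u-style conversion makes the comparison succeed. The `ifs_strip` function shows the other route the announcement mentions, trimming the \r at expansion time instead of editing the file.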
Remember, you must not have any bash or /bin/sh instances running when you
upgrade the bash package. This release requires cygwin-1.7.0-50 or
later; and it requires libreadline7-6.0.3-1 or later. See also the
upstream documentation in /usr/share/doc/bash/.
Bash is an sh-compatible shell that incorporates useful features from the
Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE
POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional
improvements over sh for both programming and interactive use. In
addition, most sh scripts can be run by Bash without modification.
As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash,
similar to Linux distributions.
To update your installation, click on the "Install Cygwin now" link on the
http://cygwin.com/ web page. This downloads setup.exe to your system.
Save it and run setup, answer the questions and pick up 'bash' in the
'Base' category (it should already be selected).
Note that downloads from sources.redhat.com (aka cygwin.com) aren't
allowed due to bandwidth limitations. This means that you will need to
find a mirror which has this update, please choose the one nearest to you:
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.
volunteer cygwin bash maintainer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----