- Update to patchlevel 27, which changes how functions are exported.
This should eliminate the recent vulnerabilities, but keep the
requirement for the --import-functions/IMPORTFUNCTIONS option for now.
- Loosen the --import-functions requirement so it is not needed when running
an interactive shell. It is already disallowed for privileged/setuid mode.
- Show an error on stderr when an imported function is ignored.
Disable function importing from the environment by default. This can be
enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.
This removes the risk of further parser bugs leading to code execution, as
well as the risk to setuid scripts and poorly written applications that
do not cleanse their environment [1][2].
Also note that there is an unofficial 4.3.26 floating around that has not yet
been officially released. r369261 covers the change in 4.3.26.
See also:
http://seclists.org/oss-sec/2014/q3/747 [1]
http://seclists.org/oss-sec/2014/q3/746 [2]
http://seclists.org/oss-sec/2014/q3/755 [3]
Obtained from: NetBSD (based on) [3]
PR: 193932
Reviewed by: Eric Vangyzen
With hat: portmgr
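Added example, not code from this commit, the FreeBSD port or the bash project: a small POSIX sh probe that checks how a given bash binary treats functions handed to it through the environment. It tries the pre-patch-27 encoding (a variable named after the function whose value starts with "() {") and the encoding introduced by upstream patch 27 (a variable named BASH_FUNC_<name>%%), and also shows what a caller that cleanses its environment with env -i sees. The function name "probe", its body and the BASH_BIN knob are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the FreeBSD port or bash itself): probe whether a bash
# binary imports shell functions from its environment. "probe", PROBE_BODY and
# BASH_BIN are constructed for this example.

BASH_BIN="${BASH_BIN:-bash}"
PROBE_BODY='() { echo from-environment; }'

# Run bash with one extra environment variable and report whether a function
# named "probe" ended up defined. $1 is the variable name, $2 its value.
# Failure to run bash at all is reported as "ignored" as well.
probe_import() {
    out=$(env "$1=$2" "$BASH_BIN" -c 'type -t probe' 2>/dev/null || true)
    if [ "$out" = "function" ]; then
        echo imported
    else
        echo ignored
    fi
}

# Pre-patch-27 encoding: any variable whose value starts with "() {" was a
# candidate function definition, so the variable is named after the function.
old_encoding() {
    probe_import probe "$PROBE_BODY"
}

# Patch-27 encoding: only variables named BASH_FUNC_<name>%% are considered.
new_encoding() {
    probe_import 'BASH_FUNC_probe%%' "$PROBE_BODY"
}

# What a caller that cleanses its environment sees: the outer env plants the
# function-carrying variable (a hostile caller), the inner env -i drops it
# before bash starts, so nothing is imported whatever the binary's default is.
scrubbed_environment() {
    out=$(env "BASH_FUNC_probe%%=$PROBE_BODY" \
              env -i "PATH=$PATH" "$BASH_BIN" -c 'type -t probe' 2>/dev/null || true)
    if [ "$out" = "function" ]; then
        echo imported
    else
        echo ignored
    fi
}

echo "old encoding:         $(old_encoding)"
echo "patch-27 encoding:    $(new_encoding)"
echo "scrubbed environment: $(scrubbed_environment)"
```

On a stock bash with patch 27 or later the old encoding reports "ignored" and the patch-27 encoding "imported"; on a build that disables importing by default, as this commit describes, both report "ignored" unless the binary is started with --import-functions (the stderr message about the ignored function is discarded by the probe). The scrubbed case reports "ignored" either way, which is the point of cleansing the environment before exec in an application that cannot control its callers.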