[OE-core] Bash security vulnerabilities - Question for master

Thu Oct 2 14:48:29 UTC 2014

With the recent vulnerabilities, a bunch of patches are being sent up to the 
list.  The content is generally fine, but I'm wondering if for master we should 
apply all of the official bash patches to get to the latest patch version, 
instead of applying various 'security' fixes that may or may not be the official 
version.

For instance, bash_4.3:

SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
[followed by a bunch of local patches]
"

ncftp .../bash/bash-4.3-patches > ls
bash43-001        bash43-004.sig    bash43-008        bash43-011.sig 
bash43-015        bash43-018.sig    bash43-022        bash43-025.sig
bash43-001.sig    bash43-005        bash43-008.sig    bash43-012 
bash43-015.sig    bash43-019        bash43-022.sig    bash43-026
bash43-002        bash43-005.sig    bash43-009        bash43-012.sig 
bash43-016        bash43-019.sig    bash43-023        bash43-026.sig
bash43-002.sig    bash43-006        bash43-009.sig    bash43-013 
bash43-016.sig    bash43-020        bash43-023.sig    bash43-027
bash43-003        bash43-006.sig    bash43-010        bash43-013.sig 
bash43-017        bash43-020.sig    bash43-024        bash43-027.sig
bash43-003.sig    bash43-007        bash43-010.sig    bash43-014 
bash43-017.sig    bash43-021        bash43-024.sig    bash43-028
bash43-004        bash43-007.sig    bash43-011        bash43-014.sig 
bash43-018        bash43-021.sig    bash43-025        bash43-028.sig

The community has 28 patches for various bugs (and these security issues) 
posted.  Would it make sense to update to bash 4.3 (28)?

In our bash 3.2.48:

SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=patch001 
\

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch002 
\

${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch003 
\
...
"

Some of the upstream items are applied, but I'm wondering if we should extend 
that to patch level 55 (the latest) in the same way.

Both patch level 4.3 - 28 and 3.2.48 - 55 will apply all of the fixes that keep 
getting submitted plus a set of other general bugs.  It will also make it easier 
for security scanners to simply check the version and know the right fixes have 
been applied.

(Note, there will be at least one more patch coming out that fixes a few more 
defects according to the mailing lists.  I expect it today or tomorrow.)

--Mark