[ANNOUNCEMENT] [1.7] Updated [security]: bash-3.2.49-23 and Windows 7 RC

Edward Lam edward@sidefx.com
Thu Jul 2 21:15:00 GMT 2009


Hi Eric,

I got bash 3.2.49-22 running again in cygwin 1.7 after explicitly 
installing libreadline6.

Ok, so I can confirm a problem with bash 3.2.49-23 on Windows 7 RC build 
7100 64-bit. Basically, bash just crashes on startup. I don't have 
access to a Vista machine right now but it's worthwhile confirming on it.

On the given machine, I tried starting cmd.exe as Administrator (to rule 
out UAC issues):

Microsoft Windows [Version 6.1.7100]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd c:\cygwin\bin

c:\cygwin\bin>cygcheck -c bash cygwin libreadline7
Cygwin Package Information
Package              Version        Status
bash                 3.2.49-23      OK
cygwin               1.7.0-50       OK
libreadline7         6.0.3-1        OK

c:\cygwin\bin>bash
       5 [main] bash 1624 _cygtls::handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
    1413 [main] bash 1624 open_stackdumpfile: Dumping stack trace to bash.exe.stackdump
   16897 [main] bash 1624 _cygtls::handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
   17965 [main] bash 1624 _cygtls::handle_exceptions: Error while dumping state (probably corrupted stack)

I've attached the bash.exe.stackdump.

-Edward

Edward Lam wrote:
> Hi Eric,
> 
> I seem to no longer be able to install bash 3.2.49-22 in cygwin 1.7? I 
> even tried doing a fresh cygwin install, choosing explicitly to use bash 
> 3.2.49-22 instead of 3.2.49-23. During the installation, I get an error 
> saying that cygreadline6.dll is missing. Any ideas?
> 
> I also tried doing a fresh cygwin install, and then re-running 
> setup-1.7.exe to install the older bash release. Same problem.
> 
> -Edward
> 
> Eric Blake wrote:
>> A new release of bash, 3.2.49-23, has been uploaded for those testing
>> cygwin 1.7, replacing 3.2.49-22 as current.
>>
>> NEWS:
>> =====
>> This is a package refresh, built against cygwin 1.7.  It closes a buffer
>> overflow exploit security hole that was reported to me off-list; the
>> exploit was only possible when using long path names under cygwin 1.7
>> coupled with bash compiled under cygwin 1.5.  It also removes special
>> handling for DOS paths, since cygwin 1.7 is less accommodating to those
>> (use /cygdrive instead).
>>
>> There are a few things you should be aware of before using this version:
>> 1. When using binary mounts, cygwin programs try to emulate Linux.  Bash
>> on Linux does not understand \r\n line endings, but interprets the \r
>> literally, which leads to syntax errors or odd variable assignments.
>> Therefore, you will get the same behavior on Cygwin binary mounts by default.
>> 2. d2u is your friend.  You can use it to convert any problematic script
>> into binary line endings.
>> 3. Cygwin text mounts automatically work with either line ending style,
>> because the \r is stripped before bash reads the file.  If you absolutely
>> must use files with \r\n line endings, consider mounting the directory
>> where those files live as a text mount.  However, text mounts are not as
>> well tested or supported on the cygwin mailing list, so you may encounter
>> other problems with other cygwin tools in those directories.
>> 4. This version of bash has a cygwin-specific shell option, named "igncr"
>> to force bash to ignore \r, independently of cygwin's mount style.  As of
>> bash-3.2.3-5, it controls regular scripts, command substitution, and
>> sourced files.  I hope to convince the upstream bash maintainer to accept
>> this patch into the future bash 4.0 even on Linux, rather than keeping it
>> a cygwin-specific patch, but only time will tell.  There are several ways
>> to activate this option:
>> 4a. For a single affected script, add this line just after the she-bang:
>>   (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed
>> 4b. For a single script, invoke bash explicitly with the shopt, as in
>> 'bash -o igncr ./myscript' rather than the simpler './myscript'.
>> 4c. To affect all scripts, export the environment variable BASH_ENV,
>> pointing to a file that sets the shell option as desired.  Bash will
>> source this file on startup for every script.
>> 4d. Added in the bash-3.2-2 release: export the environment variable
>> SHELLOPTS with igncr included in it.  It is read-only from within bash,
>> but you can set it before invoking bash; once in bash, it auto-tracks the
>> current state of 'set -o igncr'.  If exported, then all bash child
>> processes inherit the same option settings; with the exception added in
>> 3.2.9-11 that certain interactive options are not inherited in
>> non-interactive use.
>> 5. You can also experiment with the IFS variable for controlling how bash
>> will treat \r during variable expansion.
>> 6. The bash hack for honoring the underlying mount point of DOS-style
>> paths has been discontinued, as had been promised in several prior
>> release notes.  Use POSIX-style paths instead.
>> 7. There are varying levels of speed at which bash operates.  The fastest
>> is on a binary mount with igncr disabled (the default behavior).  Next
>> would be text mounts with igncr disabled and no \r in the underlying
>> file.  Next would be binary mounts with igncr enabled.  And the slowest
>> that bash will operate is on text mounts with igncr enabled.
>> 8. If you don't like how bash behaves, then propose a patch, rather than
>> proposing idle ideas.  This turn of events has already been talked to
>> death on the mailing lists by people with many ideas, but few patches.
>> 9. If you forget to read this release announcement, the best you can
>> expect when you complain to the list is a link back to this email.
>>
>> Remember, you must not have any bash or /bin/sh instances running when
>> you upgrade the bash package.  This release requires cygwin-1.7.0-50 or
>> later; and it requires libreadline7-6.0.3-1 or later.  See also the
>> upstream documentation in /usr/share/doc/bash/.
>>
>> DESCRIPTION:
>> ============
>> Bash is an sh-compatible shell that incorporates useful features from the
>> Korn shell (ksh) and C shell (csh).  It is intended to conform to the
>> IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers
>> functional improvements over sh for both programming and interactive use.
>> In addition, most sh scripts can be run by Bash without modification.
>>
>> As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash,
>> similar to Linux distributions.
>>
>> UPDATE:
>> =======
>> To update your installation, click on the "Install Cygwin now" link on
>> the http://cygwin.com/ web page.  This downloads setup.exe to your system.
>> Save it and run setup, answer the questions and pick up 'bash' in the
>> 'Base' category (it should already be selected).
>>
>> DOWNLOAD:
>> =========
>> Note that downloads from sources.redhat.com (aka cygwin.com) aren't
>> allowed due to bandwidth limitations.  This means that you will need to
>> find a mirror which has this update, please choose the one nearest to you:
>> http://cygwin.com/mirrors.html
>>
>> QUESTIONS:
>> ==========
>> If you want to make a point or ask a question the Cygwin mailing list is
>> the appropriate place.
>>
>> --
>> Eric Blake
>> volunteer cygwin bash maintainer
>> -- 
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bash.exe.stackdump
URL: <http://cygwin.com/pipermail/cygwin/attachments/20090702/15e48dae/attachment.ksh>
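
Items 1 and 2 of the quoted release notes (a literal \r on binary mounts causing odd variable assignments, and converting the file as d2u does), shown as an added example that is not part of either message. The function names and the sample script are constructed for illustration, and it assumes a Linux shell or a Cygwin binary mount with igncr off:

```shell
#!/bin/sh
# Added example, not part of the announcement. Assumes a Linux shell or a
# Cygwin binary mount with igncr off (the default), so \r is read literally.

CR=$(printf '\r')

# has_cr FILE: succeed if any line of FILE ends in a carriage return.
has_cr() {
    LC_ALL=C grep -q -e "${CR}\$" -- "$1"
}

# strip_cr FILE: convert \r\n to \n in place (the conversion d2u performs).
strip_cr() {
    tmp=$(mktemp) || return 1
    sed "s/${CR}\$//" < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# assigned_length FILE: source FILE in a subshell and print the length of
# the variable "name" that it assigns.
assigned_length() {
    ( . "$1"; printf '%s\n' "${#name}" )
}

# demo: print the length of $name before and after conversion.
demo() {
    f=$(mktemp) || return 1
    printf 'name=abc\r\n' > "$f"      # constructed CRLF sample script
    has_cr "$f" && before=$(assigned_length "$f")
    strip_cr "$f"
    has_cr "$f" || after=$(assigned_length "$f")
    rm -f "$f"
    printf '%s %s\n' "$before" "$after"
}

demo
```

The extra character counted before conversion is the carriage return that ended up inside the variable's value.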