From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-003 Signed-off-by: Peter Korsgaard BASH PATCH REPORT ================= Bash-Release: 4.4 Patch-ID: bash44-003 Bug-Reported-by: op7ic \x00 Bug-Reference-ID: Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00005.html Bug-Description: Specially-crafted input, in this case an incomplete pathname expansion bracket expression containing an invalid collating symbol, can cause the shell to crash. Patch (apply with `patch -p0'): *** a/bash-4.4/lib/glob/sm_loop.c 2016-04-10 11:23:21.000000000 -0400 --- b/lib/glob/sm_loop.c 2016-11-02 14:03:34.000000000 -0400 *************** *** 331,334 **** --- 331,340 ---- if (p[pc] == L('.') && p[pc+1] == L(']')) break; + if (p[pc] == 0) + { + if (vp) + *vp = INVALID; + return (p + pc); + } val = COLLSYM (p, pc); if (vp) *************** *** 484,487 **** --- 490,496 ---- c = FOLD (c); + if (c == L('\0')) + return ((test == L('[')) ? savep : (CHAR *)0); + if ((flags & FNM_PATHNAME) && c == L('/')) /* [/] can never match when matching a pathname. */ *** a/bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 --- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 2 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 3 #endif /* _PATCHLEVEL_H_ */