Hello Frank

I think that had you tested the devel branch instead of the last
release, you could have skipped a lot of testing (but how would you
have known? it's an easy thing to miss).
https://savannah.gnu.org/patch/?10035 seems to have gone for the "easy
fix", which you discarded to get a more thorough one.
I was impressed as well by your careful analysis.

Chet, I think you should consider if Frank's patch isn't better than the
previous one.
I agree however that it should be published as an official patch.
A 1/512th chance of corruption, and only on certain bash versions, is
unlikely to be noticed easily. Which doesn't mean this isn't really
important. Think for instance what could happen with this affecting a
pass(1) wrapper.


Frank, I don't think your harsh mail is appropriate, even though I feel
your frustration.

By the way, your reproducer is not working for me with an unpatched 5.1.8:
> printf "%511s\xc3\xa4" | env -i LC_MONETARY=C.UTF-8 ./bash-5.1.8/bash /tmp/bb | sha1sum
> c4df63043ca5b49c0a236e2ec7424ae8c34d7bad

which is just "%511s\xc3\xa4\n"

The other test case (reproducer.sh) does show the bug with the same
binary.

Or, an even simpler one (assuming a utf-8 locale, like almost everyone uses
these days):
$ printf "%511s\xc3\xa4" | ./bash -c 'a="$(echo a)"; d=$(cat); echo "$d"' | sed 's/^ *//'
Ö�

where it should have output:
ä


As for patching the systems, I think this deserves being patched even
on stable distros. Albeit I would prefer that Chet released an official
patch first.


Best regards


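A round-trip check built from the short reproducer in the message above, added here as an example; it is not part of the original mail or of bash's own test suite. The function names and the 505..515 padding window around the message's 511 are assumptions, and the check must be run under a UTF-8 locale, as the message assumes.

```shell
#!/bin/sh
# Added example: does a shell return multibyte data from $(cat) unchanged?
# Assumption: pads 505..515 are an arbitrary window around the 511-byte
# padding used in the message's reproducer.

# check_cmdsubst SHELL PAD
# Feeds PAD spaces followed by U+00E4 (bytes c3 a4) through $(cat) in SHELL.
# Returns 0 if the bytes come back intact, 1 if they were altered.
check_cmdsubst() {
    shell=$1 pad=$2
    tmp=$(mktemp -d) || return 2
    # Expected output: the payload plus the newline that echo appends.
    printf "%${pad}s\303\244\n" "" > "$tmp/want"
    # Same script as the message's short reproducer, without the sed filter.
    printf "%${pad}s\303\244" "" |
        "$shell" -c 'a="$(echo a)"; d=$(cat); echo "$d"' > "$tmp/got" 2>/dev/null
    # Compare files with cmp instead of capturing the data in a variable:
    # the shell running this check may itself be an affected bash.
    cmp -s "$tmp/want" "$tmp/got"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ]
}

# scan_shell SHELL
# Runs check_cmdsubst for every pad in the window and prints the failures.
# Returns 0 when every pad round-trips, 1 otherwise.
scan_shell() {
    bad=0 n=505
    while [ "$n" -le 515 ]; do
        if ! check_cmdsubst "$1" "$n"; then
            echo "corrupted: pad=$n shell=$1"
            bad=1
        fi
        n=$((n + 1))
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: pass the path of the shell binary to test.
if [ "$#" -gt 0 ]; then
    scan_shell "$1"
fi
```

A non-zero exit status with `corrupted:` lines means the tested binary altered the payload for at least one padding length.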