Package: bash
Version: 4.3-9.2
Severity: wishlist

From reading today's discussion on oss-sec, it's clear that there is a lot of fun vulnerability potential in importing functions from the environment. This is a surprising feature that most people, including me[0], didn't even know existed, and exposing bash's parser to untrusted input, even if the fault of the caller, is unwise.

NetBSD and FreeBSD have applied a patch[1] that requires an option to enable this feature. Please apply it to Debian's version. I realize it breaks backwards compatibility, but the benefits are worth it, especially considering that bash is an essential package and cannot be removed.

[0] I've been using (and developing on) Linux since about 2000.
[1] http://seclists.org/oss-sec/2014/q3/755

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files   7.5
ii  dash         0.5.7-4
ii  debianutils  4.4
ii  libc6        2.19-11
ii  libtinfo5    5.9+20140913-1

Versions of packages bash recommends:
pn  bash-completion  <none>

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
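The feature the report is about, bash importing function definitions from environment variables, and a way to check whether a given bash does it, as an added shell example. This is not part of the bug report and is not Debian's or bash's own code; the function names is_function_export, list_function_exports and probe_function_import are this example's own. The legacy encoding (any variable whose value begins with "() {") is what the bash 4.3 of the report accepted; the BASH_FUNC_name%% naming is the scheme later bash releases switched to, included here from the editor's knowledge of those releases, not from the page. The probe only defines a harmless function in the child's environment; it does not exercise the parser problem discussed on oss-sec.

```sh
#!/bin/sh
# Added example, not the bug report's or bash's code. Shows how bash-exported
# functions look in the environment and probes whether an installed bash
# imports them. All function names here are the example's own.

# Classify one "NAME=VALUE" environment entry.
#   legacy:   NAME='() { body; }'          (bash 4.3 and earlier: any variable)
#   prefixed: BASH_FUNC_NAME%%='() { ... }' (later bash releases; assumed here)
# Prints "legacy", "prefixed" or "none"; returns 1 for "none".
is_function_export() {
    entry=$1
    name=${entry%%=*}
    value=${entry#*=}
    case $name in
        BASH_FUNC_*%%) echo prefixed; return 0 ;;
    esac
    case $value in
        "() {"*) echo legacy; return 0 ;;
    esac
    echo none
    return 1
}

# List every entry of the current environment that a bash which imports
# functions unconditionally would hand to its parser. Useful before exec'ing
# bash from a service that copies attacker-influenced variables (CGI, SSH
# ForceCommand, DHCP hooks). Multi-line bodies show only their first line,
# since env(1) prints one entry per line.
list_function_exports() {
    env | while IFS= read -r line; do
        kind=$(is_function_export "$line") && printf '%s\t%s\n' "$kind" "${line%%=*}"
    done
}

# Probe whether a bash binary (default: the one on PATH; override with $1)
# imports a function from the environment, trying both encodings.
# Prints "imports" or "ignores" and returns 0; prints "no bash" and
# returns 1 if the binary is not found.
probe_function_import() {
    bash=${1:-bash}
    command -v "$bash" >/dev/null 2>&1 || { echo "no bash"; return 1; }
    for entry in 'BASH_FUNC_probe_fn%%=() { echo imported; }' \
                 'probe_fn=() { echo imported; }'; do
        # The child runs probe_fn if it was imported, else the fallback echo.
        out=$(env "$entry" "$bash" -c 'probe_fn 2>/dev/null || echo not-imported' 2>/dev/null) \
            || out=error
        [ "$out" = imported ] && { echo imports; return 0; }
    done
    echo ignores
    return 0
}

# Usage (run by hand, not at load time):
#   list_function_exports          # what is already in our environment
#   probe_function_import          # does the bash on PATH import functions?
#   probe_function_import /bin/bash
```

A bash that carries the FreeBSD/NetBSD-style change the report asks for should answer "ignores" unless the new option is turned on; a stock bash 4.3 of the time answers "imports" via the legacy entry, and a current bash answers "imports" via the prefixed one. Either way, list_function_exports tells you whether anything in the calling process's environment would reach bash's parser at all, which is the exposure the report is concerned about.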