Package: bash Version: 4.3-12 Severity: normal Tags: security
Hi. Apparently there's some strange patch applied against the Debian version of bash, which allows suid scripts to be executed (isn't that a security issue?). It also seems to invalidate that documented behaviour from the manpage: >If the shell is started with the effective user (group) id not equal to >the real user (group) id, and the -p option is not supplied, no startup >files are read, shell functions are not inherited from the environment, >the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they >appear in the environment, are ignored, and the effective user id is >set to the real user id. If the -p option is supplied at invocation, >the startup behavior is the same, but the effective user id is not >reset. So could you please either correct the behaviour or accordingly remove that documentation and add it to a secution of deviations between upstream and Debian? Cheers, Chris. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
