Package: bash
Version: 4.2+dfsg-0.1+deb7u3
Severity: grave
Tags: security
Justification: user security hole
This is not about a new security problem. This bug is a request for re-evaluation of debian/patches/privmode.diff, in light of the recent developments re. bash security. This patch was added to Debian's bash packages a _very_ long time ago, to bash 2.03-2. Please downgrade and tag this bug "wontfix" if you feel we should still carry the privmode.diff patch in Debian.

The above-mentioned patch disables one of the security defenses in upstream /bin/bash against privilege escalation attacks. Specifically, it prevents the early drop of setuid/setgid privileges, and also prevents the "secure behavior" (not importing shell functions, not executing startup scripts, etc.) when /bin/bash is _NOT_ used as /bin/sh.

This behaviour change is surprising to just about everyone, including Debian users. While it is mentioned in very cryptic form in the README.Debian file, the manpage still documents the upstream behaviour.

I request that we remove the debian/patches/privmode.diff local change from the bash packages in unstable, and preferably also from stable and squeeze-lts, in light of Shellshock, and also past vulnerability history.

Relevant details:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

Related thread about the same issue in dash:
http://thread.gmane.org/gmane.comp.security.oss.general/10969

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
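The defenses the report says privmode.diff switches off can be observed without a setuid binary, because bash's explicit -p switch turns on the same privileged mode that upstream bash enters on its own when the effective and real ids differ. The probe below is an added example, not code from the bug report or the Debian package; BASH_BIN is an assumed variable naming the binary under test, and the function and marker names are constructed.

```shell
#!/bin/sh
# Probe what bash's privileged mode suppresses, without any setuid binary:
# upstream bash enters this mode on its own when euid != uid (or egid != gid),
# and the explicit -p switch turns on the same mode, so each probe below runs
# once normally and once with -p so the difference can be compared.
# Constructed example for a defender's test suite, not code from the bug report.

BASH_BIN=${BASH_BIN:-bash}   # assumed: path of the bash binary under test

# Is a function exported by a parent shell imported by the child bash?
# $1 = extra flags for the child ("" or -p). Prints "function" or "none".
probe_function_import() {
    "$BASH_BIN" -c '
        probe_fn() { :; }
        export -f probe_fn            # places the definition in the environment
        exec "$0" $1 -c "type -t probe_fn 2>/dev/null || echo none"
    ' "$BASH_BIN" "$1"
}

# Does the child bash execute the file named by $BASH_ENV at startup?
# $1 = extra flags for the child ("" or -p). Prints "loaded" or "none".
probe_bash_env() {
    envfile=$(mktemp) || return 1
    echo 'PROBE_MARK=loaded' > "$envfile"      # constructed startup file
    BASH_ENV=$envfile "$BASH_BIN" $1 -c 'echo "${PROBE_MARK:-none}"'
    rm -f "$envfile"
}

# Summarise both probes: "ok" when privileged mode suppresses both behaviours,
# otherwise list what the child still honoured under -p.
privmode_report() {
    leaks=""
    [ "$(probe_function_import -p)" = none ] || leaks="$leaks function-import"
    [ "$(probe_bash_env -p)" = none ]       || leaks="$leaks BASH_ENV"
    if [ -z "$leaks" ]; then echo ok; else echo "still honoured under -p:$leaks"; fi
}

privmode_report
```

Because -p is passed by hand, this shows what the mode suppresses, not whether a given binary enters it automatically when run setuid; checking that part of the patch still needs a setuid copy of the shell run as a different user.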