Your message dated Thu, 6 Jan 2022 20:53:48 +0100
with message-id <YddIzPO2LyL/s...@eldamar.lan>
and subject line Re: Accepted bash 5.1-6 (source) into unstable
has caused the Debian Bug report #1003012,
regarding bash: Corrupted multibyte characters in command substitutions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003012
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bash
Version: 5.1-2+b3
Severity: critical
Justification: breaks unrelated software
Tags: patch upstream l10n

I've reported this bug on bug-bash:
https://lists.gnu.org/archive/html/bug-bash/2022-01/msg00000.html

only to learn that it's known and not fixed for months (it was known
before bullseye was released, so a timely fix would have prevented
the bug ever reaching stable):
https://savannah.gnu.org/patch/?10035

I'm reporting it as critical because it causes silent data
corruption and potentially affects each bash script in the system.

Since the bash developers don't seem to take that seriously, I'm
asking the Debian maintainers to put out a fixed version ASAP to
prevent further damage -- hopefully as a security patch. (I'm no
expert in writing exploits, but I think it's quite possible such a
bug can be exploited. I hope you don't have to wait for an actual
exploit in order to fix the bug.)

Both reports listed above contain a patch. They're different, but
either one will fix the immediate problem.

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/24 CPU threads)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash depends on:
ii  base-files   11.1+deb11u2
ii  debianutils  4.11.2
ii  libc6        2.31-13+deb11u2
ii  libtinfo6    6.2+20201114-2

Versions of packages bash recommends:
ii  bash-completion  1:2.11-2

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: bash
Source-Version: 5.1-6

On Thu, Jan 06, 2022 at 04:48:44PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Thu, 06 Jan 2022 17:16:52 +0100
> Source: bash
> Architecture: source
> Version: 5.1-6
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthias Klose <d...@debian.org>
> Changed-By: Matthias Klose <d...@debian.org>
> Changes:
>  bash (5.1-6) unstable; urgency=medium
>  .
>    * Apply upstream patches 013 - 016.

Patch 014 is for the upstream issue
https://savannah.gnu.org/patch/?10035, so addressing #1003012.

Closing the bug report.

Regards,
Salvatore

--- End Message ---
