[Secure-testing-team] Bug#734866: bash: Bash should always drop its privilege when running setuid unless -p option is given
Raphaël Hertzog
hertzog at debian.org
Fri Jan 10 14:05:03 UTC 2014
Package: bash
Version: 4.2+dfsg-1
Severity: important
Tags: security
While reading http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
I discovered that Debian patches bash to not drop its privileges
when it is invoked as /bin/sh (cf. privmode.diff).
As shown in the above page, it looks like this change dates back
to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586. bsmtpd
was dropped from Debian in 2005, and I believe that there's no
reason for Debian to continue to diverge on that specific behaviour.
So please drop that change, in particular now that /bin/sh is not
even provided by bash.
Cheers,
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bash depends on:
ii base-files 7.2
ii dash 0.5.7-3+nmu1
ii debianutils 4.4
ii libc6 2.17-97
ii libtinfo5 5.9+20130608-1
Versions of packages bash recommends:
ii bash-completion 1:2.1-2
Versions of packages bash suggests:
pn bash-doc <none>
-- no debconf information
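The upstream rule the report asks Debian to restore, as an added example (not bash's or Debian's own code): a setuid-started process compares its real and effective ids and, unless privileged mode (-p) was requested, drops to the real ids and verifies that the drop took effect. The Debian argv[0]-based carve-out for /bin/sh is deliberately not reproduced; the option handling and function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Upstream rule the report asks Debian to restore: a shell started
 * with effective ids that differ from its real ids is "running
 * setuid" and must drop to the real ids unless -p was given.
 * Returns 1 if privileges should be dropped, 0 otherwise. */
int should_drop_privileges(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                           int privileged_mode)
{
    int running_setuid = (uid != euid) || (gid != egid);
    return running_setuid && !privileged_mode;
}

/* Give up effective privileges: group first (once root is gone the gid
 * can no longer be changed), then user. Returns 0 on success, -1 if a
 * call failed or the effective ids still differ from the real ones. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Minimal option handling (assumed): only -p is recognised. */
    int privileged_mode = argc > 1 && strcmp(argv[1], "-p") == 0;
    uid_t uid = getuid(), euid = geteuid();
    gid_t gid = getgid(), egid = getegid();
    if (should_drop_privileges(uid, euid, gid, egid, privileged_mode)) {
        if (drop_privileges() != 0) {
            fprintf(stderr, "could not drop privileges, refusing to run\n");
            return 1;
        }
        printf("dropped privileges: euid %u -> %u\n",
               (unsigned)euid, (unsigned)geteuid());
    } else {
        printf("keeping current ids: uid %u euid %u (privileged_mode=%d)\n",
               (unsigned)uid, (unsigned)euid, privileged_mode);
    }
    return 0;
}
```

Run unprivileged it simply keeps its ids; the decision function is what a setuid wrapper or shell would consult at startup.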