[Secure-testing-team] Bug#763759: bash: please drop debian-specific privmode disablement patch
Henrique de Moraes Holschuh
hmh at debian.org
Thu Oct 2 13:09:53 UTC 2014
Package: bash
Version: 4.2+dfsg-0.1+deb7u3
Severity: grave
Tags: security
Justification: user security hole
This is not about a new security problem.
This bug is a request for re-evaluation of debian/patches/privmode.diff, in
light of the recent developments re. bash security. This patch was added to
Debian's bash packages a _very_ long time ago, to bash 2.03-2.
Please downgrade and tag this bug "wontfix" if you feel we should still
carry the privmode.diff patch in Debian.
The above mentioned patch disables one of the security defenses in upstream
/bin/bash against privilege escalation attacks. Specifically, it prevents
the early drop of setuid/setgid privileges, and also prevents the "secure
behavior" (not importing shell functions, not executing startup scripts,
etc) when /bin/bash is _NOT_ used as /bin/sh.
This behaviour change is surprising to just about everyone, including Debian
users. While it is mentioned in very cryptic form in the README.Debian
file, the manpage still documents the upstream behaviour.
I request that we remove the debian/patches/privmode.diff local change from
the bash packages in unstable, and preferably also from stable and
squeeze-lts, in light of Shellshock, and also past vulnerability history.
Relevant details:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
Related thread about the same issue in dash:
http://thread.gmane.org/gmane.comp.security.oss.general/10969
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
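The "secure behaviour" the report refers to is bash's privileged mode: with -p (and, in an unpatched upstream build, automatically whenever the effective and real uid/gid differ), bash neither imports functions exported through the environment nor sources $BASH_ENV. The following script is an added probe, not part of the bug report or of the Debian package; it checks whether the bash binary on PATH (override with BASH_BIN, an assumed variable name) honours those two defences when -p is given explicitly. It cannot exercise the automatic setuid/setgid drop that the Debian patch disables, since that would require a setuid copy of bash.

```shell
#!/bin/sh
# Added example: probe bash's privileged-mode (-p) defences.
# Assumptions: a bash binary is on PATH (or named in BASH_BIN), mktemp exists.
BASH_BIN="${BASH_BIN:-bash}"

# Returns 0 if "bash $1" imports a function exported via 'export -f'
# from the environment, 1 if the function is not imported.
# The exported function is constructed in a helper bash so that this POSIX sh
# script itself does not need 'export -f'.
imports_exported_function() {
    flag="$1"
    out=$("$BASH_BIN" -c '
        probe_fn() { echo imported; }
        export -f probe_fn
        exec "$1" $2 -c "type -t probe_fn 2>/dev/null || echo none"
    ' _ "$BASH_BIN" "$flag")
    [ "$out" = "function" ]
}

# Returns 0 if "bash $1" sources the file named by $BASH_ENV when run
# non-interactively, 1 if it ignores it.
sources_bash_env() {
    flag="$1"
    tmp=$(mktemp) || return 2
    printf '%s\n' 'echo sourced_bash_env' > "$tmp"
    out=$(BASH_ENV="$tmp" "$BASH_BIN" $flag -c 'echo end')
    rm -f "$tmp"
    case "$out" in
        *sourced_bash_env*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per probe and returns 0 only if -p blocks both behaviours.
privmode_status() {
    rc=0
    if imports_exported_function "-p"; then
        echo "FAIL: $BASH_BIN -p imports exported shell functions"
        rc=1
    else
        echo "ok:   $BASH_BIN -p ignores exported shell functions"
    fi
    if sources_bash_env "-p"; then
        echo "FAIL: $BASH_BIN -p sources BASH_ENV"
        rc=1
    else
        echo "ok:   $BASH_BIN -p ignores BASH_ENV"
    fi
    return $rc
}

# Usage: run the script directly to see the two probe results for $BASH_BIN.
# Without -p the same probes are expected to succeed (functions imported,
# BASH_ENV sourced), which is what a non-privileged bash normally does.
privmode_status
```

A binary that fails either probe under -p is not providing the protection the manpage describes; a binary that passes them may still lack the automatic drop when euid != uid, which is exactly the case the Debian patch changes and which this script cannot observe without a setuid bash.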