[Secure-testing-team] Bug#781056: bash: undocumented deviation from upstream behaviour
Christoph Anton Mitterer
calestyo at scientia.net
Mon Mar 23 21:12:18 UTC 2015
Package: bash
Version: 4.3-12
Severity: normal
Tags: security
Hi.
Apparently there's some strange patch applied against the Debian
version of bash, which allows suid scripts to be executed
(isn't that a security issue?).
It also seems to invalidate that documented behaviour from the manpage:
>If the shell is started with the effective user (group) id not equal to
>the real user (group) id, and the -p option is not supplied, no startup
>files are read, shell functions are not inherited from the environment,
>the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they
>appear in the environment, are ignored, and the effective user id is
>set to the real user id. If the -p option is supplied at invocation,
>the startup behavior is the same, but the effective user id is not
>reset.
So could you please either correct the behaviour or accordingly remove
that documentation and add it to a secution of deviations between
upstream and Debian?
Cheers,
Chris.
More information about the Secure-testing-team
mailing list