[MacPorts] #45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)

MacPorts noreply at macports.org
Fri Sep 26 18:34:12 PDT 2014


#45162: bash @4.3.25: Vulnerable to code execution in environment variables
(CVE-2014-7169)
------------------------+----------------------
  Reporter:  kost.hc@…  |      Owner:  raimue@…
      Type:  defect     |     Status:  assigned
  Priority:  High       |  Milestone:
 Component:  ports      |    Version:  2.3.1
Resolution:             |   Keywords:
      Port:  bash       |
------------------------+----------------------

Comment (by sierkb@…):

 Replying to [comment:8 cal@…]:
 > The official fix in patchlevel 26 is the same as in Debian's
 > `CVE-2014-7169.diff`. I've attached a patch that updates the port and also
 > ports Debian's patches. I'll leave it up to you to decide whether you also
 > want Debian's patches or just upstream's fix.

 More details:

 Debian's additional so far non-official patches seem to be these here:
 [https://lists.debian.org/debian-devel-changes/2014/09/msg03214.html],
 brought onto the table by Red Hat (Florian Weimer, Huzaifa Sidhpurwala) as
 so far non-upstream patches (not yet officially completely verified and
 assimilated upstream by the GNU Bash project) and discussed here:
 //seclists.org (oss-sec): Fwd: Non-upstream patches for bash//
 [http://seclists.org/oss-sec/2014/q3/712]. In addition to the official
 patch against CVE-2014-7169, they add so-far-non-upstream fixes against
 CVE-2014-7186 [https://access.redhat.com/security/cve/CVE-2014-7186] and
 CVE-2014-7187 [https://access.redhat.com/security/cve/CVE-2014-7187]. Whether
 these additional so-far-non-upstream patches will be followed by a
 further official upstream patch by the GNU project (the chance is not
 zero that this might happen) is beyond my knowledge at the time of
 writing.

 I back the statement in comment:8, it's up to you, as the maintainer of
 this port, whether you want to be conservative and be on par with the
 current upstream status or anticipate its status by going a (yet
 unofficial) step ahead.

-- 
Ticket URL: <https://trac.macports.org/ticket/45162#comment:9>
MacPorts <http://www.macports.org/>
Ports system for OS X

