[MacPorts] #45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)
MacPorts
noreply at macports.org
Fri Sep 26 18:34:12 PDT 2014
#45162: bash @4.3.25: Vulnerable to code execution in environment variables
(CVE-2014-7169)
------------------------+----------------------
Reporter: kost.hc@… | Owner: raimue@…
Type: defect | Status: assigned
Priority: High | Milestone:
Component: ports | Version: 2.3.1
Resolution: | Keywords:
Port: bash |
------------------------+----------------------
Comment (by sierkb@…):
Replying to [comment:8 cal@…]:
> The official fix in patchlevel 26 is the same as in Debian's
> `CVE-2014-7169.diff`. I've attached a patch that updates the port and also
> ports Debian's patches. I'll leave it up to you to decide whether you also
> want Debian's patches or just upstream's fix.
More details:
Debian's additional so far non-official patches seem to be these here:
[https://lists.debian.org/debian-devel-changes/2014/09/msg03214.html],
brought onto the table by Red Hat (Florian Weimer, Huzaifa Sidhpurwala) as
so far non-upstream patches (not yet officially completely verified and
assimilated upstream by the GNU Bash project) and discussed here:
//seclists.org (oss-sec): Fwd: Non-upstream patches for bash//
[http://seclists.org/oss-sec/2014/q3/712]. In addition to the official
patch against CVE-2014-7169, they add so-far-non-upstream fixes against
CVE-2014-7186 [https://access.redhat.com/security/cve/CVE-2014-7186] and
CVE-2014-7187 [https://access.redhat.com/security/cve/CVE-2014-7187].
Whether these additional so-far-non-upstream patches will be followed by a
further official upstream patch by the GNU project (the chance is not
zero that this might happen) is beyond my knowledge at the time of
writing.
I back the statement in comment:8: it's up to you, as the maintainer of
this port, whether you want to be conservative and be on par with the
current upstream status or anticipate its status by going a (yet
unofficial) step ahead.
--
Ticket URL: <https://trac.macports.org/ticket/45162#comment:9>
MacPorts <http://www.macports.org/>
Ports system for OS X