[MacPorts] #45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)
MacPorts
noreply at macports.org
Sat Sep 27 03:29:39 PDT 2014
#45162: bash @4.3.25: Vulnerable to code execution in environment variables
(CVE-2014-7169)
------------------------+----------------------
Reporter: kost.hc@… | Owner: raimue@…
Type: defect | Status: assigned
Priority: High | Milestone:
Component: ports | Version: 2.3.1
Resolution: | Keywords:
Port: bash |
------------------------+----------------------
Comment (by cal@…):
Replying to [comment:11 brian.reiter@…]:
> The NetBSD and FreeBSD solution is an excellent mitigation. It removes
> the whole misfeature of passing function definitions to child shells by
> default.
That may be your opinion, but doing this breaks people's scripts, and is
not something I'd be willing to do, unless bash upstream is also going to.
I think the Debian patch reduces the attack surface for future bugs in
function importing from the environment to situations where attackers
control the variable name, which mitigates the remote code execution
problems.
--
Ticket URL: <https://trac.macports.org/ticket/45162#comment:12>
MacPorts <http://www.macports.org/>
Ports system for OS X
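
The distinction drawn in the comment above (value-controlled versus name-controlled variables), modelled as an added illustration that is not part of the ticket, MacPorts, Debian or bash. It assumes the `BASH_FUNC_<name>%%` naming that upstream bash later adopted for exported functions; the Debian patch's exact naming may differ, and the `REQUEST_FIELD_*` names and sample environment are constructed.

```python
# Added illustration: which environment entries reach bash's function parser
# under the old rule (value check only) and under a namespaced rule
# (value check plus reserved variable name).
# Assumption: naming modelled on upstream bash's BASH_FUNC_<name>%% scheme.

FUNC_MARKER = "() {"                  # value prefix marking an exported function
PREFIX, SUFFIX = "BASH_FUNC_", "%%"   # reserved name wrapper (assumed)


def imported_legacy(env):
    """Names parsed as function definitions when only the value is inspected."""
    return sorted(n for n, v in env.items() if v.startswith(FUNC_MARKER))


def imported_namespaced(env):
    """Names parsed as functions when the variable name must match as well."""
    return sorted(
        n for n, v in env.items()
        if v.startswith(FUNC_MARKER)
        and n.startswith(PREFIX) and n.endswith(SUFFIX)
        and len(n) > len(PREFIX) + len(SUFFIX)   # reject an empty function name
    )


def audit(env):
    """Entries that reach the parser only under the legacy rule."""
    return sorted(set(imported_legacy(env)) - set(imported_namespaced(env)))


# Constructed sample: a service copies request fields into variables whose
# names it chooses itself; the remote party supplies only the values.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_FIELD_AGENT": "() { echo placeholder; }",  # remote-supplied value
    "REQUEST_FIELD_ACCEPT": "text/html",
    "BASH_FUNC_greet%%": "() { echo hello; }",           # exported by a parent bash
}

if __name__ == "__main__":
    print("legacy rule parses:    ", imported_legacy(SAMPLE_ENV))
    print("namespaced rule parses:", imported_namespaced(SAMPLE_ENV))
    print("exposure removed for:  ", audit(SAMPLE_ENV))
```

With the namespaced rule, a value that merely looks like a function definition is treated as an ordinary string unless its variable name is in the reserved form, which a party that controls only values cannot arrange.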