#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)
------------------------+----------------------
  Reporter:  kost.hc@…  |      Owner:  raimue@…
      Type:  defect     |     Status:  assigned
  Priority:  High       |  Milestone:
 Component:  ports      |    Version:  2.3.1
Resolution:             |   Keywords:
      Port:  bash       |
------------------------+----------------------
Changes (by cal@…):

 * cc: cal@… (added)

Comment:

 It seems Debian pushed two new versions of bash with security fixes:
 - 4.2+dfsg-0.1+deb7u2 with a fix for CVE-2014-7169, see
   https://tracker.debian.org/news/573425
 - 4.2+dfsg-0.1+deb7u3 fixing an out-of-bound array access in the bash
   parser and a patch that moves all exported function definitions into a
   separate "namespace".

 The patches in question are:
 - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/CVE-2014-7169.diff...
   (CVE-2014-7169)
 - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/parser-oob.patch/
   (out-of-bounds access in parser)
 - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/variables-affix.patch/
   (namespaced function exports)

 I'll test those in a second and attach a patch.

--
Ticket URL: <https://trac.macports.org/ticket/45162#comment:6>
MacPorts <http://www.macports.org/>
Ports system for OS X