#45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)
------------------------+----------------------
  Reporter:  kost.hc@…  |      Owner:  raimue@…
      Type:  defect     |     Status:  assigned
  Priority:  High       |  Milestone:
 Component:  ports      |    Version:  2.3.1
Resolution:             |   Keywords:
      Port:  bash       |
------------------------+----------------------

Comment (by cal@…):

Replying to [comment:11 brian.reiter@…]:
> The NetBSD and FreeBSD solution is an excellent mitigation. It removes the whole misfeature of passing function definitions to child shells by default.

That may be your opinion, but doing this breaks people's scripts, and is not something I'd be willing to do, unless bash upstream is also going to. I think the Debian patch reduces the attack surface for future bugs in function importing from the environment to situations where attackers control the variable name, which mitigates the remote code execution problems.

--
Ticket URL: <https://trac.macports.org/ticket/45162#comment:12>
MacPorts <http://www.macports.org/>
Ports system for OS X