#45162: bash @4.3.25: Vulnerable to code execution in environment variables
(CVE-2014-7169)
------------------------+----------------------
 Reporter:  kost.hc@…   |      Owner:  raimue@…
     Type:  defect      |     Status:  assigned
 Priority:  High        |  Milestone:
Component:  ports       |    Version:  2.3.1
Resolution:             |   Keywords:
     Port:  bash        |
------------------------+----------------------

Comment (by sierkb@…):

 Replying to [comment:8 cal@…]:
 > The official fix in patchlevel 26 is the same as in Debian's `CVE-2014-7169.diff`. I've attached a patch that updates the port and also ports Debian's patches. I'll leave it up to you to decide whether you also want Debian's patches or just upstream's fix.
 More details: Debian's additional, so far non-official patches seem to be these: [https://lists.debian.org/debian-devel-changes/2014/09/msg03214.html], brought to the table by Red Hat (Florian Weimer, Huzaifa Sidhpurwala) as so far non-upstream patches (not yet officially and completely verified and assimilated upstream by the GNU Bash project) and discussed here: //seclists.org (oss-sec): Fwd: Non-upstream patches for bash// [http://seclists.org/oss-sec/2014/q3/712]. In addition to the official patch against CVE-2014-7169, they add so-far-non-upstream fixes against CVE-2014-7186 [https://access.redhat.com/security/cve/CVE-2014-7186] and CVE-2014-7187 [https://access.redhat.com/security/cve/CVE-2014-7187].

 Whether these additional so-far-non-upstream patches will be followed by a further official upstream patch by the GNU project (the chance that this might happen is not zero) is beyond my knowledge at the time of writing.

 I back the statement in comment:8: it's up to you, as the maintainer of this port, whether you want to be conservative and stay on par with the current upstream status, or anticipate its status by going a (yet unofficial) step ahead.

--
Ticket URL: <https://trac.macports.org/ticket/45162#comment:9>
MacPorts <http://www.macports.org/>
Ports system for OS X