[MacPorts] #45162: bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)

MacPorts noreply at macports.org
Fri Sep 26 15:50:23 PDT 2014


#45162: bash @4.3.25: Vulnerable to code execution in environment variables
(CVE-2014-7169)
------------------------+----------------------
  Reporter:  kost.hc@…  |      Owner:  raimue@…
      Type:  defect     |     Status:  assigned
  Priority:  High       |  Milestone:
 Component:  ports      |    Version:  2.3.1
Resolution:             |   Keywords:
      Port:  bash       |
------------------------+----------------------
Changes (by cal@…):

 * cc: cal@… (added)


Comment:

 It seems Debian pushed two new versions of bash with security fixes:
  - 4.2+dfsg-0.1+deb7u2 with a fix for CVE-2014-7169, see
 https://tracker.debian.org/news/573425
  - 4.2+dfsg-0.1+deb7u3 fixing an out-of-bound array access in the bash
 parser and a patch that moves all exported function definitions into a
 separate "namespace".

 The patches in question are:
  - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/CVE-2014-7169.diff/ (CVE-2014-7169)
  - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/parser-oob.patch/ (out-of-bounds access in parser)
  - http://sources.debian.net/src/bash/4.3-9.2/debian/patches/variables-affix.patch/ (namespaced function exports)

 I'll test those in a second and attach a patch.

-- 
Ticket URL: <https://trac.macports.org/ticket/45162#comment:6>
MacPorts <http://www.macports.org/>
Ports system for OS X

