Re: Busybox 1.27 breaks kernel cmdline preseeding



Hi Chris,

Chris Boot <bootc@debian.org> (2017-11-26):
> On 25/11/17 16:24, Cyril Brulebois wrote:
> > Busybox maintainers: are you OK with a revert until we figure out what
> > to do? (Meaning we can possibly release Buster Alpha 2 without thinking
> > + rewriting things…)
> 
> I think I'd prefer not to just revert this given this is a security
> thing. It reminds me quite a bit of shellshock, and that's not a path I
> want to tread.
> 
> I'd like to spend a little time investigating this to correct the
> behaviour without opening ourselves to security vulnerabilities. It's
> not wrong that an environment variable probably shouldn't include a '/'
> character: try to set one in bash!
> 
> $ declare -x foo/bar=foo
> bash: declare: `foo/bar=foo': not a valid identifier
> 
> Please give me a few days, I'll see what I can come up with.

Right, that looks a fair approach. Worst case, if we come to the point
we need to get a “fixed” busybox for the release (probably in a few days
too), we might end up patching code only for the udeb build, so that we
don't expose regular busybox users to that issue. I'm fine with working
on the logic change to make it possible if it isn't already.


KiBi.
