Re: bash without importing shell functions from the environment
Hi Ian,
On Thu, September 25, 2014 17:29, Ian Jackson wrote:
> I have prepared bash packages which do not honour any shell functions
> they find in the environment. IMO that is a crazy feature, which
> ought to be disabled. (I'm running this on chiark now and nothing has
> visibly broken yet.)
> A codesearch [1] shows that this change will break very few things.
> Arguably we (Debian) should apply this in sid (hence this bug report).
> Doing it in security updates to stable releases is sadly too risky.
> But people who want to take that risk themselves are welcome to
> install my packages.
Thanks for your message, I'm sure it's useful to people who just want to
be safe and are sure that they do not require this feature. As you say,
given the known real world usage of this functionality this is still too
risky to upload to stable.
Discussions are ongoing on how to address this issue in a way that's
acceptable in terms of breakage to existing systems.
Huzaifa Sidhpurwala's message posted to oss-security just now gives a good
state of affairs of the current thinking and accompanying patches to apply
and/or review.
http://marc.info/?l=oss-security&m=141166689117442&w=2
Cheers,
Thijs
Reply to: