Re: Bug#762839: bash without importing shell functions from the environment
On Thu, Sep 25, 2014 at 04:29:05PM +0100, Ian Jackson wrote:
> Package: bash
> Version: 4.1-3
>
> I have prepared bash packages which do not honour any shell functions
> they find in the environment. IMO that is a crazy feature, which
> ought to be disabled. (I'm running this on chiark now and nothing has
> visibly broken yet.)
>
> Packages (i386) for squeeze, wheezy and sid are here:
> http://www.chiark.greenend.org.uk/~ian/bash-noshellfunctions/
>
> dgit format git branches are here:
> git://git.chiark.greenend.org.uk/~ianmdlvl/bash.git
> http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/bash.git/
>
> A codesearch [1] shows that this change will break very few things.
> Arguably we (Debian) should apply this in sid (hence this bug report).
> Doing it in security updates to stable releases is sadly too risky.
> But people who want to take that risk themselves are welcome to
> install my packages.
>
> (It took me merely a few moments with the source code to prepare the
> code patch. But then I had to spend an hour or two wrestling with the
> patch systems of the packages in squeeze and wheezy. I would like to
> take this opportunity to say how much I appreciate the work of the
> security team, who have to cope on a daily basis with [CoC violation]
> such as that found in the squeeze and wheezy bash Debian `source'
> packages.)
Note that an upstreamable change would be to, at the very least, disable
it in posix mode (the one you get when running bash as sh), since
export -f is, after all, a bashism.
Mike
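
Added example, not part of either message above and not code from the bash packages they describe: a caller-side way to keep function definitions out of a child shell's environment when the installed bash still imports them. It assumes an exported function is recognisable by an environment value that begins with `() {` and that `env` accepts `-u` (GNU, BSD and BusyBox do); the function names `list_env_functions` and `run_without_env_functions` are hypothetical.

```shell
#!/bin/sh
# Print the name of every environment variable whose value starts with
# "() {", the prefix bash uses when it exports a function (export -f).
# awk's ENVIRON is used so multi-line values cannot confuse the scan.
list_env_functions() {
    awk 'BEGIN {
        for (k in ENVIRON)
            if (index(ENVIRON[k], "() {") == 1)
                print k
    }' | sort
}

# Run a command with all function-shaped variables removed from its
# environment. Every other variable is passed through unchanged.
run_without_env_functions() {
    while IFS= read -r _name; do
        if [ -n "$_name" ]; then
            # Prepend "-u NAME" so env unsets it before exec'ing "$@".
            set -- -u "$_name" "$@"
        fi
    done <<EOF
$(list_env_functions)
EOF
    env "$@"
}

# Constructed demo: one function-shaped value next to an ordinary variable.
(
    DEMO_FN='() { echo imported; }'
    DEMO_PLAIN='ordinary'
    export DEMO_FN DEMO_PLAIN
    echo "function-shaped variables:"
    list_env_functions
    run_without_env_functions sh -c \
        'echo "child sees DEMO_FN=${DEMO_FN-removed} DEMO_PLAIN=$DEMO_PLAIN"'
)
```

This filters on the value rather than the variable name, so it also removes ordinary variables that happen to begin with `() {`.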