I've reported this bug on bug-bash: https://lists.gnu.org/archive/html/bug-bash/2022-01/msg00000.html only to learn that it's known and not fixed for months (it was known before bullseye was released, so a timely fix would have prevented the bug ever reaching stable): https://savannah.gnu.org/patch/?10035 I'm reporting it as critical because it causes silent data corruption and potentially affects each bash script in the system. Since the bash developers don't seem to take that seriously, I'm asking the Debian maintainers to put out a fixed version ASAP to prevent further damage -- hopefully as a security patch. (I'm no expert in writing exploits, but I think it's quite possible such a bug can be exploited. I hope you don't have to wait for an actual exploit in order to fix the bug.) Both reports listed above contain a patch. They're different, but either one will fix the immediate problem.
Source: bash Source-Version: 5.1-6 patch 014 is for the upstream issue https://savannah.gnu.org/patch/?10035, so addressing #1003012. Closing the bugreport. Regards, Salvatore
Source: bash Source-Version: 5.1-6 patch 014 is for the upstream issue https://savannah.gnu.org/patch/?10035, so addressing #1003012. Closing the bugreport. Regards, Salvatore
Thanks for the quick fix! However, it's not clear to me if the fix will go to bullseye-security or at least bullseye-updates or only to testing. (Is there some way to find this out on the web site or so?) I need to know because now I have to either wait for the bullseye package or backport it myself, and I'd like to avoid having to do both (and thus rebooting my systems twice). Frank
Hi Frank, Just in avoidance of doubt, thanks goes to Matthias, I just fixed the BTS metadata as the bug was not closed along with the upload. From a security team perspective, we do not plan to release the fix as a DSA via the security-archive, but a fix would be welcome to be included in the next bullseye point release. Apart the patch "014" for this issue, maybe it makes sense to pick up as well other of the applied patches (have not looked at the others). Matthias, would you prepare such an update? TTBOMK the next bullseye release will be around february 2022, according to the planning of the release team. Regards, Salvatore
Hi Salvatore, Thanks to Matthias then! :) Upstream did this; bash-5.1.16 includes this patch and other recent patches. OK, that's too late for me, so I'm patching it myself. Thanks for the info. Frank
Is new version bullseye released? I encountered the same issue. On Sat, 8 Jan 2022 08:52:28 +0100 Salvatore Bonaccorso <carnil@debian.org> wrote:
We believe that the bug you reported is fixed in the latest version of bash, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1003012@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bash package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Sun, 27 Mar 2022 20:40:30 +0200 Source: bash Architecture: source Version: 5.1-2+deb11u1 Distribution: bullseye Urgency: medium Maintainer: Matthias Klose <doko@debian.org> Changed-By: Salvatore Bonaccorso <carnil@debian.org> Closes: 1003012 Changes: bash (5.1-2+deb11u1) bullseye; urgency=medium . * Non-maintainer upload. * 1-byte buffer overflow read in subst.c read_comsub (Closes: #1003012) Checksums-Sha1: 33b5c5a6d326565b57da14fb2e8020e12204a247 2458 bash_5.1-2+deb11u1.dsc 1c19b9453c378e18c7531fcf2628bd7f36b1e6a5 90828 bash_5.1-2+deb11u1.debian.tar.xz 803a8191469abd6b4d476577cda479ccefa747b3 6944 bash_5.1-2+deb11u1_source.buildinfo Checksums-Sha256: a475836201a8b2937dd83180c86ede2be07ea57ff41d02dfd639c3e08fa94045 2458 bash_5.1-2+deb11u1.dsc 2560b99eb87dd0aa3a15b88c31cc801630cbda93d566a936b643da8dff30627b 90828 bash_5.1-2+deb11u1.debian.tar.xz c986474f3263f1e246f84eb8e1d39b964d1b8bb0257742584bbed6ae04661719 6944 bash_5.1-2+deb11u1_source.buildinfo Files: 647560311ca62a9b84806c034d6c4c36 2458 base required bash_5.1-2+deb11u1.dsc 17ee378557d9dc3eeda65936984d502b 90828 base required bash_5.1-2+deb11u1.debian.tar.xz 35de4ff395f4ec269bfa927c930ec37b 6944 base required bash_5.1-2+deb11u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmJAsdBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EDyMP/0YDLaK0XcWWOKVmUhsK48GDzgid7UR1 MRWqqFOBqnzGlDjyup4OBgJOnB5vmHifwz/AXuoWDBU17kkYAB7Ur1yeIl0jtGCW MVmAHdv2z5v7lXSSgTAJs6YZLvEPVXCaNxBW5sb9RXI185+HPTTk71dJqLyGss3x m4Q5Acieb3Gp/YYZcTVxRY1sgFmmDWuDXYkd0+mAEvRgzVrRvSd1jenRFtC72DAC OlQ65Lv+a/lB/DEbUu8Yt+7AODwqGUte1CqKEk7aNWu4jnUdGS7Z0L629H1Dc+R1 TiWhY8+OrL2d5Z2jgjLfNmr8Iiz75oTEb1flGfaegrpO5hdb+wBYclgQGguxdYL5 N5JsgCFcAvMlhUiVFj9R2rrICE8C1hEEaIfW7/t0KQ838rt9K2SCtQzMHCAyHbYB Z0dK3oJ15neyAJcDsBt2ubkPVRowF4CHBKZftS4icjrPzSqCCTzsGLqtmyvPR0lP 24UtlXGcZxZkDJ3kXxGB9gZLy9sQiIEJyR5Yrko8U9RqgRoAV4QRwpeBbulpstN0 N+822rWdAdvB20UgY0ud6lBZrc+0iAJmZXxRfGTbubyceEIS2Ah2YHmbbwmidSWU KTDP7LMUZ04+k/z9yV4vNsr+fZGdTOTEWXapqCfNbkVgbxHpcbKSg03ebJY6wQ/N L0RC1EqLmh5W =t9Lx -----END PGP SIGNATURE-----