On Sat, 01 Apr 2017 at 14:31:48 +0200, cgzones wrote:
> Due to #842037, bash is currently shipped without PIE[1] support.
> Please consider adding a package bash-pie, which Conflicts and
> Provides bash, or upload a PIE-enabled version to stretch-backports
> after release.

On Sat, 05 Aug 2017 at 13:58:28 +0200, Christian Göttsche wrote:
> severity 859263 serious

'serious' severity is for serious violations of Debian Policy. Please could you clarify which section of Debian Policy requires bash to be compiled as a position-independent executable, or downgrade this bug to a lower severity if there is no such requirement?

> tags 859263 patch security

PIE is a "security hardening" mechanism that makes it more difficult to exploit security vulnerabilities. How is its absence a security vulnerability, and how would an attacker provide malicious input to bash without already being able to execute arbitrary code?

I'm in favour of enabling security hardening features wherever they don't actively break things, but please don't mark bugs as release-critical without a very strong reason.

smcv
(not a bash maintainer)