Package: yash
Version: 2.36-1
Severity: critical

When doing field-splitting, fields starting with backslashes are corrupted: starting from the 2nd field, they have their initial backslashes removed. Only the first field is left intact.

Given a default $IFS:

    testfn() {
        printf '%s\n' "$@"
    }
    VAR='\o\ne \t\wo \th\r\ee \fo\ur'
    testfn $VAR

Got output:

    \o\ne
    t\wo
    th\r\ee
    fo\ur

Expected output (produced on every POSIX shell except yash):

    \o\ne
    \t\wo
    \th\r\ee
    \fo\ur

Clearly, this sort of data corruption is a critical security problem. Lack of data integrity is just the beginning. Removal of backslashes might defeat quoting/escaping of critical data and lead to the execution of arbitrary commands. For instance, what if some script feeds the result of improper field-splitting to "eval"?

Upstream fixed the bug in SVN after my report:
http://osdn.jp/projects/yash/scm/svn/commits/3298

But the author does not treat it with urgency and has neither announced the bug nor patched/updated/withdrawn the release version, which clearly should not be used with a bug like this. So Debian should issue a patch for its packaged version in the meantime.
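As an added self-check, not part of the bug report above: a POSIX sh function that feeds the same input through field splitting and succeeds only when every resulting field keeps its leading backslash, so a script can verify the shell it runs under before relying on unquoted expansion. The function names are my own.

```shell
# Split the single argument into fields by leaving the expansion unquoted,
# which subjects it to field splitting on $IFS, and print one field per line.
split_fields() {
    set -f                 # no pathname expansion: only splitting is under test
    printf '%s\n' $1
    set +f
}

# Return 0 when every field produced by split_fields keeps its backslashes,
# non-zero on a shell that strips them (the yash 2.36 behaviour reported above).
check_backslash_split() {
    unset IFS              # POSIX: unset IFS gives the default <space><tab><newline>
    var='\o\ne \t\wo \th\r\ee \fo\ur'        # constructed: same input as the report
    expected='\o\ne
\t\wo
\th\r\ee
\fo\ur'
    got=$(split_fields "$var")
    [ "$got" = "$expected" ]
}

# Stand-alone use: exit non-zero if the current shell corrupts the fields.
if check_backslash_split; then
    echo "field splitting preserves backslashes"
else
    echo "field splitting strips backslashes: do not trust unquoted expansion here" >&2
fi
```

A correct shell prints the first message; a shell with the reported defect prints the second and the function returns failure, which a script can act on before passing split data to anything that interprets it.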