Your message dated Sun, 17 Apr 2022 11:32:07 +0000
with message-id <e1ng38r-0008je...@fasolo.debian.org>
and subject line Bug#1003012: fixed in bash 5.1-2+deb11u1
has caused the Debian Bug report #1003012,
regarding bash: Corrupted multibyte characters in command substitutions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003012: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003012
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bash
Version: 5.1-2+b3
Severity: critical
Justification: breaks unrelated software
Tags: patch upstream l10n

I've reported this bug on bug-bash:
https://lists.gnu.org/archive/html/bug-bash/2022-01/msg00000.html

only to learn that it's known and not fixed for months (it was known
before bullseye was released, so a timely fix would have prevented
the bug ever reaching stable):
https://savannah.gnu.org/patch/?10035

I'm reporting it as critical because it causes silent data
corruption and potentially affects each bash script in the system.

Since the bash developers don't seem to take that seriously, I'm
asking the Debian maintainers to put out a fixed version ASAP to
prevent further damage -- hopefully as a security patch. (I'm no
expert in writing exploits, but I think it's quite possible such a
bug can be exploited. I hope you don't have to wait for an actual
exploit in order to fix the bug.)

Both reports listed above contain a patch. They're different, but
either one will fix the immediate problem.

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/24 CPU threads)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash depends on:
ii  base-files   11.1+deb11u2
ii  debianutils  4.11.2
ii  libc6        2.31-13+deb11u2
ii  libtinfo6    6.2+20201114-2

Versions of packages bash recommends:
ii  bash-completion  1:2.11-2

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: bash
Source-Version: 5.1-2+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Mar 2022 20:40:30 +0200
Source: bash
Architecture: source
Version: 5.1-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1003012
Changes:
 bash (5.1-2+deb11u1) bullseye; urgency=medium
 .
   * Non-maintainer upload.
   * 1-byte buffer overflow read in subst.c read_comsub (Closes: #1003012)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
