After looking a bit more into this, it seems the issue in https://lists.gnu.org/archive/html/bug-bash/2017-12/msg00065.html is maybe not a real security concern, since rbash was wrongly configured. Having . in PATH is not good with rbash and that makes the whole thing flawed. So, we could say CVE-2019-9924 is just for the issue in https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00077.html .
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1803441 Title: BASH_CMDS is writable in restricted bash shells (fixed upstream, need to backport patch) Status in bash package in Ubuntu: New Bug description: In 14.04 LTS, the BASH_CMDS variable is writable in rbash. This allows a trivial escape from rbash to run arbitrary shell commands. This issue is fixed upstream: http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
