[Secure-testing-team] Bug#720545: bash: Please consider removing privmode.diff
Laurent Bigonville
bigon at debian.org
Fri Aug 23 10:03:00 UTC 2013
Source: bash
Version: 4.2+dfsg-0.1
Severity: wishlist
Tags: security
Hi,

After reading the following link, I'm wondering if it shouldn't be time to
consider removing the privmode.diff patch in Debian.

http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

This patch was added back in 1999 to fix^Wworkaround an issue with
bsmtpd (#52586). At the time privilege dropping in bash was brand new,
but now, 14 years later, we could expect that other software is aware of
this behaviour (hopefully) and that it can safely be removed.

Both bsmtpd and dip (listed at point 7 in the NOTES file as possibly
impacted) have been gone from Debian since 2005.

Note that some manpages (i.e. system(3)) have a special note about this
bash behaviour in Debian that should be removed too if you decide
to drop the patch.

Cheers

Laurent Bigonville
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash