touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #118437
[Bug 1516300] Re: dash command variable assignments remain in the shell after command execution completed
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1516300
Title:
dash command variable assignments remain in the shell after command
execution completed
Status in dash package in Ubuntu:
New
Bug description:
If a shell function is invoked with variable assignments preceding it,
the assignments remain in the shell after the command execution
completed. This is unexpected behavior and might be a potential
security issue, since it allows to modify the user environment in a
subtle unexpected way. For example, consider the following commands
that shouldn't change the SHELL value outside function foo, yet it
does in Ubuntu 14.04
echo $SHELL # check our default shell, gives /bin/bash
foo () { printenv | grep SHELL; } # no side effects, can be anything
SHELL=/bin/sh foo
echo $SHELL # now gives /bin/sh, but expected to give /bin/bash as
before
I checked bash and zsh, none of them have this problem. sh in freebsd
and debian handle this case correctly. So far, it seems the issue is
limited to Ubuntu dash.
lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
apt-cache policy dash
dash:
Installed: 0.5.7-4ubuntu1
Candidate: 0.5.7-4ubuntu1
Version table:
*** 0.5.7-4ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1516300/+subscriptions