touch-packages team mailing list archive

[Bug 1459201] [NEW] privmode patch disables setuid protection

 

*** This bug is a security vulnerability ***

Public security bug reported:

Debian carries a patch called "privmod.diff" that prevents bash from
dropping privileges when setuid if not called "sh".

This patch should be removed as it disables a bash security feature.

** Affects: bash (Ubuntu)
     Importance: Undecided
     Assignee: Marc Deslauriers (mdeslaur)
         Status: Triaged

** Affects: bash (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #720545
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720545

** Also affects: bash (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720545
   Importance: Unknown
       Status: Unknown

** Changed in: bash (Ubuntu)
       Status: New => Triaged

** Changed in: bash (Ubuntu)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1459201

Title:
  privmode patch disables setuid protection

Status in bash package in Ubuntu:
  Triaged
Status in bash package in Debian:
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1459201/+subscriptions

