File _patchinfo of Package patchinfo.3023

<patchinfo>
  <issue id="868822" tracker="bnc">VUL-1: CVE-2014-2524: bash,readline: temporary file misuse in _rl_tropen</issue>
  <issue id="895475" tracker="bnc">locale de_DE.utf8 has wrong translations</issue>
  <issue id="896776" tracker="bnc">VUL-0: CVE-2014-6271: bash: unexpected code execution with environment variables</issue>
  <issue id="CVE-2014-6271" tracker="cve" />
  <issue id="CVE-2014-2524" tracker="cve" />
  <category>security</category>
  <rating>critical</rating>
  <packager>WernerFink</packager>
  <description>bash was updated to fix a critical security issue, a minor security issue and bugs:

In some circumstances, the shell would evaluate shellcode in environment
variables passed at startup time. This allowed code execution by
local or remote attackers who could pass environment variables to bash
scripts. (CVE-2014-6271)

Fixed a temporary file misuse in _rl_tropen (bnc#868822).
Even though it is used only by developers to debug the readline library, it
must not open temporary files from a public location without O_EXCL. (CVE-2014-2524)

Additional bugfixes:
- Backported the corrected German error message for a failing getpwd (bnc#895475)

- Add bash upstream patch 47 to fix a problem where the function
  that shortens pathnames for $PS1 according to the value of
  $PROMPT_DIRTRIM uses memcpy on potentially-overlapping regions
  of memory, when it should use memmove.  The result is garbled
  pathnames in prompt strings.

- Add bash upstream patch 46 to fix a problem introduced by patch
  32: a problem with "$@" and arrays expanding empty positional
  parameters or array elements when using substring expansion,
  pattern substitution, or case modification.  The empty parameters
  or array elements are removed instead of expanding to empty
  strings ("").

- Add bash-4.2-strcpy.patch from the upstream mailing list to the patch
  collection tarball to avoid a strcpy working on overlapping
  memory areas when using \w in the prompt and changing the
  directory outside of HOME.
</description>
  <summary>bash: security and bugfix update</summary>
</patchinfo>