From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Subject: [PATCH 0/2] Add graft for Bash CVE-2017-5932 Date: Fri, 10 Feb 2017 10:40:56 +0100 Message-ID: <20170210094058.6449-1-ludo@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:59802) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cc7hd-0003Vq-AY for guix-devel@gnu.org; Fri, 10 Feb 2017 04:41:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cc7hc-000366-9T for guix-devel@gnu.org; Fri, 10 Feb 2017 04:41:17 -0500 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org Hello! This patch fixes Bash CVE-2017-5932, which is a remote code execution vulnerability triggered by file name completion and disclosed on Wednesday: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf http://www.openwall.com/lists/oss-security/2017/02/07/9 I'll apply it today if there are no objections. Thanks in advance, Ludo'. Ludovic Courtès (2): gnu: bash: Update patch URL to 4.4. gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932]. gnu/packages/bash.scm | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) -- 2.11.0