Debian Bug report logs - #778956
dash: doesn't sanitize local variables

Package: dash; Maintainer for dash is Andrej Shadura <[email protected]>; Source for dash is src:dash.

Reported by: Michael Gilbert <[email protected]>

Date: Sun, 22 Feb 2015 05:15:02 UTC

Severity: wishlist

Tags: upstream, wontfix

Merged with 613556

Found in versions dash/0.5.11+git20210903+057cd650a4ed-8, dash/0.5.5.1-7.4, dash/0.5.7-4


Report forwarded to [email protected], Gerrit Pape <[email protected]>:
Bug#778956; Package src:dash. (Sun, 22 Feb 2015 05:15:07 GMT).


Acknowledgement sent to Michael Gilbert <[email protected]>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <[email protected]>. (Sun, 22 Feb 2015 05:15:07 GMT).


Message #5 received at [email protected]:

From: Michael Gilbert <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: dash: doesn't sanitize local variables
Date: Sun, 22 Feb 2015 00:10:16 -0500
package: src:dash
severity: important
tags: security

Dash currently does not sanitize local variables, which differs from
the behavior in bash.

This can lead to issues when developers don't consider the difference
in behavior between dash and bash.  For example, this led to a
security issue in xdg-utils:
http://bugs.debian.org/777722

It would be preferable to match bash's behavior, but that probably
should be a change pushed upstream.

Best wishes,
Mike



Information forwarded to [email protected], Gerrit Pape <[email protected]>:
Bug#778956; Package src:dash. (Wed, 18 Nov 2015 23:15:03 GMT).


Acknowledgement sent to Gioele Barabucci <[email protected]>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <[email protected]>. (Wed, 18 Nov 2015 23:15:03 GMT).


Message #10 received at [email protected]:

From: Gioele Barabucci <[email protected]>
To: [email protected]
Subject: Re: Bug #778956: dash: doesn't sanitize local variables
Date: Thu, 19 Nov 2015 00:11:37 +0100
Control: reassign -1 dash
Control: tags -1 upstream
Control: found -1 0.5.7-4

Hi,

to make future triaging easier I am copying here the testcase described 
in the original bug, slightly modified.

    $ cat testme.sh
    testme() {
       x=oldvalue
       local x
       echo "<$x>"
    }
    testme

    $ bash testme.sh
    <>
    $ dash testme.sh
    <oldvalue>

Cheers,

-- 
Gioele Barabucci <[email protected]>
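
The difference shown in the testcase above, turned into a defensive idiom. This is an added example, not part of the bug report or of dash; the function names and the sample value are assumptions made for illustration. Assigning in the `local` declaration gives the same starting value in dash and bash.

```shell
#!/bin/sh
# Added example; all names here are hypothetical.
# `local` is not POSIX, but dash and bash both provide it.

# Unhardened: relies on a bare `local` to start from an empty value.
# bash: result is "a b". dash: an earlier value of `out` is kept as a prefix.
join_unhardened() {
    local out item
    for item in "$@"; do
        out="${out:+$out }$item"
    done
    printf '%s\n' "$out"
}

# Hardened: assign in the declaration, so the starting value is the same
# in both shells regardless of what the surrounding scope holds.
join_hardened() {
    local out="" item=""
    for item in "$@"; do
        out="${out:+$out }$item"
    done
    printf '%s\n' "$out"
}

# Probe: does a bare `local` in the running shell keep the outer value?
local_keeps_outer_value() {
    probe_var=outer
    _probe() { local probe_var; [ "${probe_var-}" = outer ]; }
    _probe
}

# Constructed input: a stale value under the same name in the outer scope.
out="stale-from-caller"

demo() {
    printf 'unhardened: %s\n' "$(join_unhardened a b)"
    printf 'hardened:   %s\n' "$(join_hardened a b)"
    if local_keeps_outer_value; then
        echo "bare local keeps the outer value (dash behaviour)"
    else
        echo "bare local starts unset (bash behaviour)"
    fi
}
demo
```

Run the file once with `dash` and once with `bash`: only the unhardened line differs between the two.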



Bug reassigned from package 'src:dash' to 'dash'. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Wed, 18 Nov 2015 23:15:03 GMT).


Added tag(s) upstream. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Wed, 18 Nov 2015 23:15:04 GMT).


Marked as found in versions dash/0.5.7-4. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Wed, 18 Nov 2015 23:15:05 GMT).


Marked as found in versions dash/0.5.5.1-7.4. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Fri, 20 Nov 2015 18:33:03 GMT).


Added tag(s) wontfix. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Fri, 20 Nov 2015 18:33:04 GMT).


Merged 613556 778956 Request was from Gioele Barabucci <[email protected]> to [email protected]. (Fri, 20 Nov 2015 18:33:07 GMT).


Severity set to 'wishlist' from 'important' Request was from Gioele Barabucci <[email protected]> to [email protected]. (Sun, 07 Aug 2022 18:54:03 GMT).


Removed tag(s) security. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Sun, 07 Aug 2022 18:54:04 GMT).


Marked as found in versions dash/0.5.11+git20210903+057cd650a4ed-8. Request was from Gioele Barabucci <[email protected]> to [email protected]. (Sun, 07 Aug 2022 18:54:05 GMT).



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:52:08 2025; Machine Name: buxtehude
