A security issue fixed upstream in dash was discussed in this thread:
https://www.openwall.com/lists/oss-security/2020/11/11/3

with a link to the upstream fix in the final message:
https://www.openwall.com/lists/oss-security/2020/11/12/1

SUSE has issued an advisory for this today (November 23):
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007839.html
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => shlomif
openSUSE has issued an advisory for this on November 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VUGWSD4FZGKMRRORAAV75B5DGC4PRY5F/
Assignee: shlomif => pkg-bugs
Status comment: (none) => Patch available from upstream and openSUSE
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Code was executed even if noexec ("-n") was specified. (bdo#58288 / bsc#1178978)

References:
https://www.openwall.com/lists/oss-security/2020/11/11/3
https://www.openwall.com/lists/oss-security/2020/11/12/1
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007839.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VUGWSD4FZGKMRRORAAV75B5DGC4PRY5F/
========================

Updated packages in core/updates_testing:
========================
dash-0.5.10.2-1.1.mga7
dash-static-0.5.10.2-1.1.mga7

from SRPM:
dash-0.5.10.2-1.1.mga7.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patch available from upstream and openSUSE => (none)
Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)
mga7, x64

With the two packages installed from Core Release:
$ dash -n -c 'echo this should not be executed'
this should not be executed

Updated both packages.
$ dash -n -c 'echo this should not be executed'
$
CC: (none) => tarazed25
$ chsh
Changing shell for lcl.
New shell [/bin/bash] /bin/dash
chsh: "/bin/dash" is not listed in /etc/shells.
Use chsh -l to see list.
$ chsh -l
/bin/bash
/bin/sh
/bin/zsh
/usr/bin/dash
/usr/bin/fish
$ chsh
Changing shell for lcl.
New shell [/bin/bash] /usr/bin/dash
Password:
Shell changed.

Logged out and in. Command prompt changed to a bare dollar sign. No aliases and no default .dashrc. /etc/.profile can be used for general login setups but a local .profile does not seem to work.
Tried editing .profile using vi to set the environment PATH variable but 'source' did not work on it and './.profile' seemed to do nothing.
$ PATH=${PATH}:/home/lcl/bin
That worked.

In another terminal:
Tried altering .profile to show the PATH
$ vi .profile
$ cat .profile
_byobu_sourced=1 . /usr/bin/byobu-launch 2>/dev/null || true
PATH=${PATH}:/home/lcl/bin
echo $PATH
$ ./.profile
$
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/lcl/bin

In another terminal:
$ dash -c export PATH=${PATH}:/home/lcl/bin
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin

The Mate desktop functions without problems but shell commands need some research on the part of the user. In a terminal the up/down arrows show control characters. The command line works otherwise.
Letting this go.
Whiteboard: (none) => MGA7-64-OK
Validating, advisory and packages in Comment 3. Advisory pushed to SVN.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0006.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED