Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to update at in Debian Wheezy: bash can now export variables of the form BASH_FUNC_*() which at cannot handle as they cannot be set via assignment in the shell...

With the change below, at will just skip variables that would just give an error in the generated shell script later.

at 3.1.16-1 which I uploaded to unstable yesterday has the same change.

Ansgar

diff -u at-3.1.13/debian/changelog at-3.1.13/debian/changelog --- at-3.1.13/debian/changelog +++ at-3.1.13/debian/changelog @@ -1,3 +1,11 @@ +at (3.1.13-2+deb7u1) wheezy; urgency=medium + + * at: Only retain variables whose name consists of alphanumerics and + underscores. This prevents jobs from failing in case bash exports + functions to the environment with the changes from DSA-3035. + + -- Ansgar Burchardt <ans...@debian.org> Tue, 30 Sep 2014 20:58:23 +0200 + at (3.1.13-2) unstable; urgency=low * Use debhelper compat level 9 (to enable hardening by default). only in patch2: unchanged: --- at-3.1.13.orig/at.c +++ at-3.1.13/at.c @@ -390,6 +390,22 @@ int export = 1; char *eqp; + /* Only accept alphanumerics and underscore in variable names. + * Also require the name to not start with a digit. + * Some shells don't like other variable names. + */ + { + char *p = *atenv; + if (isdigit(*p)) + export = 0; + for (; *p != '=' && *p != '\0'; ++p) { + if (!isalnum(*p) && *p != '_') { + export = 0; + break; + } + } + } + eqp = strchr(*atenv, '='); if (ap == NULL) eqp = *atenv;
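
Review bot: The debian/changelog entry says only that names must consist of "alphanumerics and underscores", but the at.c hunk also drops any variable whose name starts with a digit (the isdigit(*p) test). Mention the leading-digit rule in the entry so the changelog describes the full filter that reaches wheezy users.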
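
Review bot: In the at.c hunk, isdigit(*p) and isalnum(*p) receive a plain char, so on platforms where char is signed an environment byte above 0x7f is passed as a negative value, which is undefined for the <ctype.h> functions; cast the argument, e.g. isalnum((unsigned char)*p). Because isalnum() follows the current locale, explicit range checks against A-Z, a-z and 0-9 would keep the filter to exactly what the comment promises regardless of locale. An entry with an empty name (the string begins with '=') never enters the loop body and keeps export = 1, so consider rejecting *p == '=' up front alongside the digit test. The hunk does not show whether <ctype.h> is already included in at.c; worth confirming.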