Package: bash
Version: 5.1-3
Severity: important
File: /bin/bash
Tags: security

Observed behaviour:

  $ env - bash -c 'echo $PATH'
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  $

Expected behaviour:

  $ env - bash -c 'echo $PATH'
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
  $

dash gets this right.

Tagging this "important" because having . on the path is a security
hazard which we mostly got rid of everywhere. Having . come back in
unusual situations where bash makes up the PATH is quite unexpected
and surely not desirable.

-- System Information:
Debian Release: 10.10
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages bash depends on:
ii  base-files   10.3+deb10u10
ii  debianutils  4.8.6.1
ii  libc6        2.28-10
ii  libtinfo6    6.1+20181013-2+deb10u2

Versions of packages bash recommends:
pn  bash-completion  <none>

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information
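
Added example, not part of the original report: a POSIX shell check that lists the PATH entries which make command lookup search the current working directory. It goes beyond the "." case reported above and also flags zero-length and relative entries; the function name cwd_path_entries and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). The function name and the
# "<position>:<kind>:<entry>" output format are assumptions of this example.
#
# In PATH lookup, ".", a zero-length entry (leading, trailing or doubled
# colon) and any entry not starting with "/" are all resolved against the
# current working directory.

# cwd_path_entries PATHSTRING
# Prints one line per offending entry; returns 0 if none, 1 otherwise.
# The body is a subshell so its variables do not leak into the caller.
cwd_path_entries() (
    rest=$1
    pos=0
    found=0
    while :; do
        pos=$((pos + 1))
        # Peel off the text before the first colon; without a colon the
        # remainder is the final entry (possibly empty: trailing colon).
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; last=0 ;;
            *)   entry=$rest; last=1 ;;
        esac
        case $entry in
            '')  kind=empty ;;
            .)   kind=dot ;;
            /*)  kind= ;;
            *)   kind=relative ;;
        esac
        if [ -n "$kind" ]; then
            printf '%s:%s:%s\n' "$pos" "$kind" "$entry"
            found=1
        fi
        if [ "$last" -eq 1 ]; then break; fi
    done
    [ "$found" -eq 0 ]
)

# Usage with the command from the report (needs bash installed):
#   cwd_path_entries "$(env - bash -c 'echo $PATH')"
```

Run against the observed output in the report, the check prints `7:dot:.`; against the expected output it prints nothing and returns 0.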