Package: bash
Version: 5.1-2+b3
Severity: critical
Justification: breaks unrelated software
Tags: patch upstream l10n

I've reported this bug on bug-bash:

https://lists.gnu.org/archive/html/bug-bash/2022-01/msg00000.html

only to learn that it's known and not fixed for months (it was known before bullseye was released, so a timely fix would have prevented the bug ever reaching stable):

https://savannah.gnu.org/patch/?10035

I'm reporting it as critical because it causes silent data corruption and potentially affects each bash script in the system.

Since the bash developers don't seem to take that seriously, I'm asking the Debian maintainers to put out a fixed version ASAP to prevent further damage -- hopefully as a security patch. (I'm no expert in writing exploits, but I think it's quite possible such a bug can be exploited. I hope you don't have to wait for an actual exploit in order to fix the bug.)

Both reports listed above contain a patch. They're different, but either one will fix the immediate problem.

-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/24 CPU threads)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash depends on:
ii  base-files   11.1+deb11u2
ii  debianutils  4.11.2
ii  libc6        2.31-13+deb11u2
ii  libtinfo6    6.2+20201114-2

Versions of packages bash recommends:
ii  bash-completion  1:2.11-2

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information