On 02/10/14 17:30, shawn wilson wrote:
> I'm pretty sure dash never got a rewrite? So this just happened to be
> a "feature" that got ripped out of dash.

You seem to be under the impression that dash is some sort of fork or derivative of bash. It isn't; I don't think they even have a common ancestor.

POSIX sh is a specification for how Unix-like shells should behave, based on the language interpreted by the 1977 Bourne shell (sh). Debian Policy requires /bin/sh to be a POSIX sh with at least a couple of specified additional features ("local" is one of those features), and optionally, other features beyond those. The default implementation was originally bash, and was changed to dash in recent releases.

dash is an implementation of POSIX sh, derived from the Almquist shell (ash) taken from NetBSD. As far as I know, ash was an independent implementation (i.e. rewrite) of a POSIX sh. It has a small number of non-POSIX features, including those required by Debian Policy.

bash is GNU's implementation (i.e. another rewrite) of the Bourne shell, hence its name "Bourne Again SHell". It has lots of non-POSIX features, making it a considerably better interactive shell than dash, and more capable for scripting. One of its non-POSIX features is the ability to export functions, which is the feature being abused in this vulnerability.

> I'm not sure why it got ripped out

I don't think dash ever had this feature to begin with, so there was nothing to rip out.

S