severity 762915 important
tags 762915 +pending
thanks

Klaus Ethgen <kl...@ethgen.de> writes:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: gzip
> Version: 1.6-3
> Severity: grave
>
> Please convert all scripts (zcat, zless, ...) to use /bin/sh as shell
> and not /bin/bash. Most of them (as I checked) do not use any special
> bash syntax anyway so there is no need to use bash.

It looks like recent versions of gzip's configure go to some lengths to confirm the suitability of a shell, and for whatever reason started picking bash. I've adjusted the configure call to prefer /bin/sh, which appears to have solved the implied bash dependency at least on Linux. Fixed in my repo for the next upload.

> I made this a grave bug as it is security relevant due to the current bash
> bugs and against the Debian policy to use /bin/sh if possible.

FWIW, that's really not an appropriate use of the 'grave' severity. A security hole in bash could be marked as such, but this bug should fall somewhere between 'wishlist' and 'important'. Not that it really matters, since it appears to have been an easy thing to fix.

Bdale
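
One way to confirm that a built package no longer carries the implied bash dependency discussed above is to audit the interpreter lines of its installed scripts. This is an added example, not code from the gzip package or from this bug report; the function name `bash_shebangs` is hypothetical.

```shell
#!/bin/sh
# Added example: list files under a directory whose "#!" line selects bash,
# either directly (#!/bin/bash) or through env (#!/usr/bin/env bash).
# bash_shebangs is a hypothetical helper name, not part of any package.
bash_shebangs() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        # Only the first line matters; drop NUL/CR so binaries are harmless.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')
        case $first in
            '#!'*) ;;
            *) continue ;;          # not a script with an interpreter line
        esac
        # Split the text after "#!" into words, with globbing disabled.
        set -f; set -- ${first#??}; set +f
        interp=${1##*/}
        if [ "$interp" = env ]; then
            # env wrapper: skip options and VAR=value words to reach
            # the real interpreter.
            shift
            while [ $# -gt 0 ]; do
                case $1 in
                    -*|*=*) shift ;;
                    *) break ;;
                esac
            done
            interp=${1##*/}
        fi
        if [ "$interp" = bash ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: pass the directory holding the unpacked scripts.
if [ $# -gt 0 ]; then
    bash_shebangs "$1"
fi
```

An empty result means no script in the tree names bash as its interpreter; it does not show that the scripts are free of bash-only syntax.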