From ${URL} :

Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system()/popen() by specially crafting SHELLOPTS+PS4 environment variables.

Public announcement: http://seclists.org/oss-sec/2016/q3/617

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
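A defender-side counterpart to the report above, added here as an example that is not part of the bug report or of bash itself: a privileged program that refuses to hand its inherited environment (SHELLOPTS, PS4 and friends) to /bin/sh, using fork + execve with a fixed minimal environment instead of system()/popen(). The function names, the PS4 marker value and the extra hook names (BASH_ENV, ENV, IFS) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Variables that steer the shell itself and must never reach a shell started
 * by a privileged program. SHELLOPTS and PS4 are the pair from the report;
 * BASH_ENV, ENV and IFS are assumed additions, not taken from the bug. */
static const char *const SHELL_HOOKS[] = { "SHELLOPTS", "PS4", "BASH_ENV", "ENV", "IFS", NULL };

/* Returns 1 when a "NAME=value" environment entry names a shell hook. */
int env_is_shell_hook(const char *entry)
{
    for (size_t i = 0; SHELL_HOOKS[i] != NULL; i++) {
        size_t n = strlen(SHELL_HOOKS[i]);
        if (strncmp(entry, SHELL_HOOKS[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Replacement for system()/popen() in privileged code: fork + execve with a
 * fixed minimal environment, so nothing inherited from the caller (SHELLOPTS,
 * PS4, ...) reaches /bin/sh. Returns the child's exit status, -1 on failure. */
int run_with_minimal_env(const char *cmd)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/sh", argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile environment: a caller-supplied PS4 marker. */
    setenv("PS4", "constructed-marker", 1);
    /* Child must not see the caller's PS4; exit status 0 means it did not. */
    int rc = run_with_minimal_env("[ \"${PS4-}\" != constructed-marker ]");
    printf("child inherited PS4: %s\n", rc == 0 ? "no" : "yes");
    return rc;
}
```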
commit 49dcef88c9b9d94334ae251a8f658739a19ccf3c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Tue Sep 27 14:17:05 2016

package.mask: Unmasked bash-4.4/readline-7.0 for wider testing.

Since there seems to be no backported patch available I've unmasked bash-4.4. Let's wait a couple of days for stabilization call. I have the feeling that soon there will be some upstream patches available for bash-4.4 as well.
commit 8a8e224a29a12f871d6adf7c53d85fd8e9e5b69f
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Fri Oct 7 10:56:18 2016

app-shells/bash: Bump to version 4.3_p48

Package-Manager: portage-2.3.1
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Arches please test and mark stable =app-shells/bash-4.3_p48 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
amd64 stable
x86 stable
Stable for HPPA PPC64.
Stable on alpha
arm stable
done the rest now
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201701-02 at https://security.gentoo.org/glsa/201701-02 by GLSA coordinator Thomas Deutschmann (whissi).