From ${URL} :

A detailed description can be found in our report (available at https://github.com/jheyens/bash_completion_vuln | direct link https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf ).

In short: We can create a file with a specially crafted file name. A user trying to use bash's path completion feature ('TAB-completion') on this file will execute shell code without any additional actions taken.

The issue was reported on 2017-01-17; a fix was added to the git master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey (Commit ID 4f747edc625815f449048579f6e65869914dd715, available at http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 ).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
this fix is already in the tree -- it was the bash44-007 patch. the bug only affects the bash-4.4 series as the code in question is new to it. bash-4.4 isn't yet stable either, so doesn't impact those systems.
Affected version was never stable according to comment #1. Cleanup PR: https://github.com/gentoo/gentoo/pull/4953
https://github.com/gentoo/gentoo/commit/cdc25db25fb17985242fb8bced2ba1f93d11d827