COMMAND

    bash

SYSTEMS AFFECTED

    unices

PROBLEM

    Shadow posted  following.   If a  user creates  a directory with a
    command like:

	mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "

    and  someone  cd's  into  said  directory,  either by accident, or
    whatever, then it will cause it to actually execute.  You may also
    do this with a passwd file, echo a user such as

	r00t::0:0:\57root\57bin\57bash

    instead of + +  to the rhosts.   Even this should be  corrected in
    bash-2.0, but with bash version 2.01.1 (supplied with SuSE5.3)  is
    just the opposite. If  one has \w or  \W specified in PS1  to show
    the path, it does NOT happen and if `pwd` is specified instead  of
    \w or \W it DOES happen.

SOLUTION

    This  only  happens  if  PS1  (the  bash prompt) contains \w or \W
    _and_ a prompt is  displayed containing the bogus  directory name.
    This means unattended shell scripts  are safe.   As  a workaround,
    use `pwd` in place  of \w.  The  bug was fixed in  bash-2.0, which
    was released in December, 1996.   If you're still running  1.14.x,
    or earlier versions, you should  upgrade to bash-2.03.  Patch  for
    bash-1.14.7 follows:

    --- parse.y.orig        Thu Apr 22 11:53:01 1999
    +++ parse.y     Thu Apr 22 12:56:34 1999
    @@ -2729,6 +2729,17 @@
     #else
		    getwd (t_string);
     #endif /* EFFICIENT */
    +               if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) {
    +                   char t_string2[MAXPATHLEN];
    +                   int i, j;
    +                   for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) {
    +                       if (member(t_string[i], slashify_in_quotes))
    +                           t_string2[j++] = '\\';
    +                       t_string2[j++] = t_string[i];
    +                   }
    +                   t_string2[j] = '\0';
    +                   strcpy(t_string, t_string2);
    +               }

		    if (c == 'W')
		      {