<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:rdieter@math.unl.edu" title="Rex Dieter <rdieter@math.unl.edu>"> <span class="fn">Rex Dieter</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - another command injection vulnerability"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89129">bug 89129</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>NEW
           </td>
           <td>RESOLVED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Resolution</td>
           <td>---
           </td>
           <td>INVALID
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - another command injection vulnerability"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89129#c1">Comment # 1</a>
              on <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - another command injection vulnerability"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89129">bug 89129</a>
              from <span class="vcard"><a class="email" href="mailto:rdieter@math.unl.edu" title="Rex Dieter <rdieter@math.unl.edu>"> <span class="fn">Rex Dieter</span></a>
</span></b>
        <pre>The code has diverged a bit in git so that patch no longer applies.  

But good news:  the current code should be safe(r), since all uses of 
local $var
are initialized to avoid the problem, in particular, the code closest to what
this patch touches now contains:


search_desktop_file()
{
    local default="$1"
    local dir="$2"
    local arg="$3"

    local file=""
    # look for both vendor-app.desktop, vendor/app.desktop
...


Lastly, with test case given in debian report, I cannot reproduce in fedora 20
at least.

$ cat testme
testme() {
   x=backfromthedead
   local x
   echo $x
}

$ bash testme

$ dash testme

$ rpm -q bash dash
bash-4.2.53-2.fc20.i686
dash-0.5.8-1.fc20.i686</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>