[Bug 1969856] [NEW] bash --version does not correspond to package name

Casey Boettcher 1969856 at bugs.launchpad.net
Thu Apr 21 22:57:34 UTC 2022 

Public bug reported:

While investigating a potentially compromised system, I ran `bash
--version` and got the following:

`GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)`

Disquieting, given that I had just installed a package named
`bash_4.4.18-2ubuntu1.3_amd64.deb`. I downloaded the `.deb` archive and,
upon extracting it, checked its hash (SHA256) against the instance on my
path. They were the same
(`15d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf`)--indicating,
presumably, that I was running whatever version was in the `.deb` I'd
just downloaded.

Why is the version reported by the binary different from the version
used to denote the package?

** Affects: bash (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  While investigating a potentially compromised system, I ran `bash
  --version` and got the following:
  
  `GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)`
  
  Disquieting, given that I had just installed a package named
  `bash_4.4.18-2ubuntu1.3_amd64.deb`. I downloaded the `.deb` archive and,
  upon extracting it, checked its hash (SHA256) against the instance on my
  path. They were the same
- (`15d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf`).
+ (`15d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf`)--indicating,
+ presumably, that I was running whatever version was in the `.deb` I'd
+ just downloaded.
  
  Why is the version reported by the binary different from the version
  used to denote the package?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1969856

Title:
  bash --version does not correspond to package name

Status in bash package in Ubuntu:
  New

Bug description:
  While investigating a potentially compromised system, I ran `bash
  --version` and got the following:

  `GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)`

  Disquieting, given that I had just installed a package named
  `bash_4.4.18-2ubuntu1.3_amd64.deb`. I downloaded the `.deb` archive
  and, upon extracting it, checked its hash (SHA256) against the
  instance on my path. They were the same
  (`15d4469eb3da716fefcc0c395a5b1d1657ad0555ec3ae623e727bb0dfcee19cf`)--indicating,
  presumably, that I was running whatever version was in the `.deb` I'd
  just downloaded.

  Why is the version reported by the binary different from the version
  used to denote the package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1969856/+subscriptions

More information about the foundations-bugs mailing list