oss-sec mailing list archives
CVE Request: bash-completion: dequote command injection
From: Fernando Muñoz <fernando () null-life com>
Date: Wed, 24 Feb 2016 14:08:27 -0500
Marcelo Echeverria and Fernando Muñoz discovered that the dequote function included in bash-completion allows to execute arbitrary commands since it uses the eval function to call printf and perform the actual dequoting. bash-completion is included on Debian, Ubuntu OpenSuse [1] and probably other distros. # type dequote dequote is a function dequote() { eval printf %s "$1" 2> /dev/null } # dequote ';id' uid=0(root) gid=0(root) groups=0(root) - Issue reported to maintainers on 24/02/2016 [2] While researching we noted that this security problem was first identified on 2014 [3] however nobody reported the issue to bash-completion at that time. [1] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00057.html [2] https://github.com/scop/bash-completion/issues/6 [3] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00058.html
Current thread:
- CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Kurt Seifried (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection John Haxby (Feb 25)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)