oss-sec mailing list archives
CVE Request: bash-completion: dequote command injection
From: Fernando Muñoz <fernando () null-life com>
Date: Wed, 24 Feb 2016 14:08:27 -0500
Marcelo Echeverria and Fernando Muñoz discovered that the dequote
function included in bash-completion allows to execute arbitrary
commands since it uses the eval function to call printf and perform
the actual dequoting. bash-completion is included on Debian, Ubuntu
OpenSuse [1] and probably other distros.
# type dequote
dequote is a function
dequote()
{
eval printf %s "$1" 2> /dev/null
}
# dequote ';id'
uid=0(root) gid=0(root) groups=0(root)
- Issue reported to maintainers on 24/02/2016 [2]
While researching we noted that this security problem was first
identified on 2014 [3] however nobody reported the issue to
bash-completion at that time.
[1] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00057.html
[2] https://github.com/scop/bash-completion/issues/6
[3] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00058.html
Current thread:
- CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Kurt Seifried (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection John Haxby (Feb 25)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)