oss-sec mailing list archives
Re: CVE Request: bash-completion: dequote command injection
From: Fernando Muñoz <fernando () null-life com>
Date: Wed, 24 Feb 2016 16:56:09 -0500
Hello Eric, I never mentioned privilege escalation. This issue how ever could appear when a different application uses user input and calls "dequote" function that not only dequotes, but also executes it as a command. If mitre doesn't consider it CVE worth, that's OK! Regards. On Wed, Feb 24, 2016 at 3:58 PM, Eric Blake <eblake () redhat com> wrote:
On 02/24/2016 12:08 PM, Fernando Muñoz wrote:Marcelo Echeverria and Fernando Muñoz discovered that the dequote function included in bash-completion allows to execute arbitrary commands since it uses the eval function to call printf and perform the actual dequoting. bash-completion is included on Debian, Ubuntu OpenSuse [1] and probably other distros.But what is the privilege escalation? This is no different than incorrectly using 'eval' in a shell script - you may have buggy code, and have an easy-to-trigger bug, but if you can't escalate privileges, how it is a CVE? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Current thread:
- CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Kurt Seifried (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection John Haxby (Feb 25)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)