util-linux: CVE-2018-7738: code execution in bash-completion for umount

[Salvatore Bonaccorso <carnil () debian org>]

Hi

Björn Bosselmann reported to the Debian bugtracker[0], that the umount
bash-completion as provided by the util-linux source does not escape
mount point paths. A user with privileges to mount filesystems can
embbed shell commands in a mountpoint name and taking advantage of
this flaw to gain privilgeges.

The issue was (indirectly) in [1] while adressing another issue.

MITRE has assigned 'CVE-2018-7738' for this issue.

Regards,
Salvatore

 [0] https://bugs.debian.org/892179
 [1] https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55