oss-sec mailing list archives
Re: CVE Request: bash-completion: dequote command injection
From: Eric Blake <eblake () redhat com>
Date: Wed, 24 Feb 2016 13:58:57 -0700
On 02/24/2016 12:08 PM, Fernando Muñoz wrote:
Marcelo Echeverria and Fernando Muñoz discovered that the dequote function included in bash-completion allows to execute arbitrary commands since it uses the eval function to call printf and perform the actual dequoting. bash-completion is included on Debian, Ubuntu OpenSuse [1] and probably other distros.
But what is the privilege escalation? This is no different than incorrectly using 'eval' in a shell script - you may have buggy code, and have an easy-to-trigger bug, but if you can't escalate privileges, how it is a CVE? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Kurt Seifried (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection John Haxby (Feb 25)
- Re: CVE Request: bash-completion: dequote command injection Fernando Muñoz (Feb 24)
- Re: CVE Request: bash-completion: dequote command injection Eric Blake (Feb 24)