oss-sec mailing list archives

CVE Request - Code execution vulnerability in GNU/bash v4.4 autocompletion


From: Jens Heyens <jens.heyens@cispa.saarland>
Date: Wed, 8 Feb 2017 00:00:24 +0100

Hi,

we would like to request a CVE ID for a vulnerability in GNU/bash
version 4.4, discovered on 2017-01-17. The issue has been fixed.
A detailed description can be found in our report (available at
https://github.com/jheyens/bash_completion_vuln | direct link
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
).

In short: We can create a file with a specially crafted file name. A
user trying to use bash's path completion feature ('TAB-completion') on
this file will execute shell code without any additional actions taken.

The issue was reported on 2017-01-17; a fix was added to the
git master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey
(Commit ID 4f747edc625815f449048579f6e65869914dd715, available at
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
).


Sincerely,

Jens Heyens
CISPA

Additional information as requested on the disclosure wiki:

1. Email address of requester (so we can contact them)
        jens.heyens@cispa.saarland,  stock () cs uni-saarland de
2. Software name and optionally vendor name
        GNU/bash
3. At least one of (to determine if this is a security issue):
  -  Type of vulnerability
        arbitrary code execution
  -  Exploitation vectors
        local, drive-by downloads, anything able to name files anywhere
  -  Attack outcome
        system compromised?
4. For Open Source at least one of:
  -  Link to vulnerable source code or fix
        Fix:
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
  -  Link to source code change log
        N/A
  -  Link to security advisory
        Original report:
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
  -  Link to bug entry
        in GNU/Savannah, but it's a non-public issue
  -  Request comes from project member (a.k.a. “trust me, it's a problem”)
        No.
5. Affected version(s) (3.2.4, 3.x, current version, all current
releases, something)
        >4.3, <4.4-patch7
6. Whether or not this has been previously requested (i.e. on OSS-Sec or
to cve-assign)
        Yes, but we did not receive any information at all for three weeks.
Full story (and the advice to write to this list) here:
https://www.reddit.com/r/security/comments/5slvtu/how_do_i_request_a_cve_id_for_a_gnubash/
7. Is this an Open Source or commercial software request
        Yes, GPLed
8. Is this an embargoed issue (if yes and commercial: send to
cve-assign, if yes and open source: send to distros@?)
        I wouldn't think so
9. If multiple issues are listed please list affected versions for each
issue and/or who reported them (so we can determine CVE split/merge).
        No
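As an added example (not part of the original request or of the bash project), a small POSIX shell helper that maps a $BASH_VERSION string onto the affected range listed under item 5 above. It reads ">4.3, <4.4-patch7" as bash 4.4 with patch level 0 through 6; that reading and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the report: classify a bash version string
# against the affected range ">4.3, <4.4-patch7" (read here as 4.4.0-4.4.6).
# Input has the shape of $BASH_VERSION, e.g. "4.4.5(1)-release".

# Print "major minor patch" for a $BASH_VERSION-style string.
bash_version_triplet() {
    v=$1
    v=${v%%(*}            # drop "(1)-release" style suffix
    v=${v%%-*}            # drop a bare "-release" suffix
    case $v in
        *.*.*) major=${v%%.*}; rest=${v#*.}
               minor=${rest%%.*}; patch=${rest#*.} ;;
        *.*)   major=${v%%.*}; minor=${v#*.}; patch=0 ;;
        *)     major=$v; minor=0; patch=0 ;;
    esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Return 0 if the version is inside the affected range, 1 otherwise.
bash_completion_vuln_affected() {
    set -- $(bash_version_triplet "$1")
    if [ "$1" -eq 4 ] && [ "$2" -eq 4 ] && [ "$3" -lt 7 ]; then
        return 0
    fi
    return 1
}

# Inspect the shell this script is running in (only meaningful under bash).
check_running_bash() {
    if [ -z "${BASH_VERSION:-}" ]; then
        printf 'not running under bash (BASH_VERSION unset)\n'
        return 0
    fi
    if bash_completion_vuln_affected "$BASH_VERSION"; then
        printf 'bash %s: inside affected range, needs 4.4 patch level 7 or later\n' \
            "$BASH_VERSION"
        return 1
    fi
    printf 'bash %s: outside affected range\n' "$BASH_VERSION"
    return 0
}
```

Source the file into an interactive bash session and run `check_running_bash` to test the shell actually used for TAB completion, rather than whatever /bin/sh is.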




