oss-security - CVE Request: bash-completion: dequote command injection

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Wed, 24 Feb 2016 14:08:27 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: bash-completion: dequote command injection

Marcelo Echeverria and Fernando Muñoz discovered that the dequote
function included in bash-completion allows to execute arbitrary
commands since it uses the eval function to call printf and perform
the actual dequoting. bash-completion is included on Debian, Ubuntu
OpenSuse [1] and probably other distros.

# type dequote
dequote is a function
dequote()
{
    eval printf %s "$1" 2> /dev/null
}

# dequote ';id'
uid=0(root) gid=0(root) groups=0(root)

- Issue reported to maintainers on 24/02/2016 [2]

While researching we noted that this security problem was first
identified on 2014 [3] however nobody reported the issue to
bash-completion at that time.

[1] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00057.html
[2] https://github.com/scop/bash-completion/issues/6
[3] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00058.html

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.