
compgen -W evaluation is leading to security holes

From joey@kitenet.net
Newsgroups gnu.bash.bug
Subject compgen -W evaluation is leading to security holes
Date Fri, 14 Sep 2018 17:52:43 -0400 (EDT)
Message-ID <mailman.800.1536964325.1284.bug-bash@gnu.org> (permalink)
To bug-bash@gnu.org,bash@packages.debian.org



Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I../. -I.././include -I.././lib  -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bash-JkMlAz/bash-4.4.18=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -Wno-parentheses -Wno-format-security
uname output: Linux darkstar 4.17.0-3-amd64 #1 SMP Debian 4.17.17-1 (2018-08-18) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 23
Release Status: release

Description:

CVE-2018-7738 was caused by a bash completion script using compgen -W
with untrusted input. For some reason compgen -W evals its input:

	$ compgen -W '`cat /etc/shadow`'
	cat: /etc/shadow: Permission denied

Which makes code like this turn out to be a security hole:

	DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
	COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )

Grimm reviewed several other bash completion scripts for similar security
holes, and while they didn't find any, there were several near misses
where the code was probably only not exploitable by accident.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

I don't know why compgen -W evals; there may be a good reason. Or it may be
a bug. The documentation for compgen does not seem to mention this
behavior. Even if there's a good reason for it to do that, it's certainly
violating least surprise, because "$foo" is normally safe to use in a shell
script without worrying about the content of the variable being
accidentally evaluated -- unless you're running something like eval
or bash -c that explicitly does so.

Repeat-By:

	compgen -W '`cat`'
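
Added example, not part of the original report and not code from bash or any completion package: the reported pattern next to a variant that filters candidates as plain strings and never hands them to compgen -W. The names complete_unsafe, complete_safe and SAMPLE_CANDIDATES are hypothetical, and the sample data is constructed with a harmless echo standing in for untrusted content.

```shell
#!/usr/bin/env bash
# compgen is a bash builtin; re-run under bash if started by another shell.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed sample: one candidate per line, as a completion script might
# collect them from mount output. The second entry stands in for a name
# chosen by someone else; its payload is a harmless echo.
SAMPLE_CANDIDATES='/dev/sda1
`echo EVALUATED`
/dev/sdb1'

# Pattern from the report: the word list goes to compgen -W, which performs
# shell expansion on each word before matching it against the prefix.
complete_unsafe() {
    local cur=$1 wordlist=$2
    compgen -W "$wordlist" -- "$cur"
}

# Hardened variant: untrusted text never reaches compgen -W. Candidates are
# read line by line and compared to the prefix as plain strings, so nothing
# in them is expanded or executed.
complete_safe() {
    local cur=$1 wordlist=$2 word
    while IFS= read -r word; do
        [[ -n $word && $word == "$cur"* ]] && printf '%s\n' "$word"
    done <<< "$wordlist"
    return 0
}
```

With the prefix EVAL, complete_unsafe offers a completion that exists only because the backquoted text was run, while complete_safe returns nothing for that prefix and lists the backquoted entry literally when the prefix is a backquote.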
