From: joey@kitenet.net
Newsgroups: gnu.bash.bug
Subject: compgen -W evaluation is leading to security holes
Date: Fri, 14 Sep 2018 17:52:43 -0400 (EDT)
To: bug-bash@gnu.org, bash@packages.debian.org

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I../. -I.././include -I.././lib -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bash-JkMlAz/bash-4.4.18=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -Wno-parentheses -Wno-format-security
uname output: Linux darkstar 4.17.0-3-amd64 #1 SMP Debian 4.17.17-1 (2018-08-18) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 23
Release Status: release

Description:
CVE-2018-7738 was caused by a bash completion script using compgen -W
with untrusted input. For some reason compgen -W evals its input:

  $ compgen -W '`cat /etc/shadow`'
  cat: /etc/shadow: Permission denied

Which makes code like this turn out to be a security hole:

  DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
  COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )

Grimm reviewed several other bash completion scripts for similar
security holes, and while they didn't find any, there were several near
misses where the code was probably only not exploitable by accident.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

I don't know why compgen -W evals; there may be a good reason. Or it
may be a bug. The documentation for compgen does not seem to mention
this behavior.

Even if there's a good reason for it to do that, it's certainly
violating least surprise, because "$foo" is normally safe to use in a
shell script without worrying about the content of the variable being
accidentally evaluated -- unless you're running something like eval or
bash -c that explicitly does so.

Repeat-By:
compgen -W '`cat`'
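A hardened form of the completion pattern above, added here as an example and not part of this report or of any bash-completion script: the candidate list is only ever split into words and compared against the typed prefix with a literal case match, so a mount point that contains backticks or $(...) is returned as a plain string instead of being re-parsed as shell code the way compgen -W does. The SAMPLE_MPOINTS value is constructed; filter_words is a hypothetical helper.

```shell
#!/bin/sh
# Added example (not from the report): filter completion candidates
# against the typed prefix without handing them to compgen -W.
# Written for POSIX sh; in a bash completion function you would use
#   mapfile -t COMPREPLY < <(filter_words "$DEVS_MPOINTS" "$cur")

# Constructed sample of "mount | awk '{print $1, $3}'" output in which one
# mount point carries a backtick command substitution. compgen -W would
# run `id` while expanding this list; filter_words keeps it as a literal.
SAMPLE_MPOINTS='/dev/sda1 / /dev/sdb1 /mnt/`id`'

# filter_words WORDS PREFIX
# Prints each whitespace-separated word of WORDS that starts with PREFIX,
# one per line. The body runs in a subshell so 'set -f' (no pathname
# expansion) stays local and a word such as '*' cannot expand to file
# names. The quoted "$2" in the case pattern makes PREFIX match literally,
# so a prefix containing '*' or '?' cannot widen the match either.
filter_words() (
    set -f
    for w in $1; do
        case $w in
            "$2"*) printf '%s\n' "$w" ;;
        esac
    done
)

# Same prefix selection compgen -W performs, minus the evaluation step.
filter_words "$SAMPLE_MPOINTS" "/mnt"
```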