Public bug reported:
Even though "modulecmd.tcl" returns shell code that contains asterisks
(*), when it is executed inside the init scripts, the returned code is
generally not protected by quotes.
It can therefore happen that expressions like "*x*" inside that code
are extended to a folder or filenames in the current working directory,
before the returned code is evaluated by eval.
In the best case this will lead to MODULES_SILENT_SHELL_DEBUG and
related flags not working as intended or to a few error messages and
a half-initialized shell in the worst. The second case is triggered if
the replaced name contains any special shell characters (e.g. "Dropbox
(groupname)" in my case).
I did not have the time to check if that also means that one can execute
arbitrary code, if you are able to create an arbitrary file or folder in
the user home folder.
I was able to trigger this issue using sh or bash when running scripts,
I have not checked if other shells also suffer from this behavior.
The error messages in bash looked like this in my case:
/usr/share/modules/init/bash: eval: line 42: syntax error near unexpected token `('
/usr/share/modules/init/bash: eval: line 42: ` Dropbox (groupname) set +x; _mlshdbg='x' ;;'
/usr/share/modules/init/bash: line 58: export: _moduleraw: not a function
/usr/share/modules/init/bash: line 60: export: module: not a function
I am running "environment 4.1.1-1" on Ubuntu 18.04.1 LTS.
Putting quotes around the returned value from modulecmd.tcl fixes the
issue, e.g. in the case of bash /usr/share/modules/init/bash, line 36
(or close by), should look like this:
eval "`${_mlre:-}/usr/bin/tclsh /usr/lib/x86_64-linux-gnu/modulecmd.tcl bash autoinit`"
** Affects: modules (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1797345
Title:
Evaluation of modulecmd.tcl is not escaped properly in
modules/init/...
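The globbing problem described in this report, reproduced as an added example (not code from the report or from the modules package). emit_init_code is a hypothetical stand-in for modulecmd.tcl that prints a constructed fragment modelled on the error message above; run_init evaluates it unquoted and quoted in a scratch directory holding a file named like the reporter's folder.

```sh
#!/bin/sh
# Added example; emit_init_code and run_init are hypothetical names.

# Stand-in for "tclsh modulecmd.tcl bash autoinit": prints shell code that
# contains a case pattern with asterisks (constructed sample).
emit_init_code() {
    cat <<'EOF'
_mlshdbg='';
case "$-" in
   *x*) set +x; _mlshdbg='x' ;;
esac;
echo initialized
EOF
}

# run_init MODE: evaluate the emitted code in a fresh directory containing
# one file whose name matches the glob "*x*)". Prints whatever the evaluated
# code prints and returns the exit status of the eval.
run_init() {
    mode=$1
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        : > 'Dropbox (groupname)'
        if [ "$mode" = quoted ]; then
            # Quoted: the substitution result reaches eval unchanged.
            eval "`emit_init_code`"
        else
            # Unquoted: the result is word-split and glob-expanded first,
            # so "*x*)" is replaced by the file name before eval parses it.
            eval `emit_init_code`
        fi
    ) 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

for m in unquoted quoted; do
    if out=$(run_init "$m"); then
        echo "$m: eval succeeded, output: $out"
    else
        echo "$m: eval failed"
    fi
done
```

In the unquoted run the pattern and its closing parenthesis are consumed by the file name, which is why the error message in the report shows "Dropbox (groupname) set +x;" where the case pattern used to be.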