Bug 492589

Summary: bash-completion: does not properly quote some characters
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, jeff, kurt, ville.skytta
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-22 18:11:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
updated bash_completion from Debian BTS none

Description Vincent Danen 2009-03-27 15:22:11 UTC 
An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &.  Most bash completions are escaped fine, but certain ones (such as aspell) do not.  An example:

$ touch "foo&echo bar"
$ aspell check fo<tab>o&echo bar
[1] 9071
bar
Error: Could not open the file "foo" for reading
$ touch "bar'foo"
$ aspell check bar<tab>'foo
>
$ ls bar<tab>' foo
bar'foo

The Debian report has an updated bash_completion file that corrects this.  The end result is that:

$ aspell check fo<tab>o\&echo \bar
$ aspell check bar<tab>'foo

This does not affect all completions, just certain ones (aspell is one example, cdrecord is another one).
Comment 1 Vincent Danen 2009-03-27 15:25:18 UTC 
Created attachment 337024 [details]
updated bash_completion from Debian BTS

This updated bash_completion file corrects the problems noted with aspell and cdrecord.  There are quite a number of other fixes/changes to the file as well that could fix similar situations with other commands.
Comment 2 Ville Skyttä 2009-03-27 18:32:18 UTC 
We have an even newer upstream snapshot available in Rawhide at the moment.  I'm aware that it indeed contains quite a few fixes (I'm an upstream project member), but even though the snapshots have been good for a while, I've been waiting for a "real" upstream release instead of shipping the snapshot as updates for released distro versions.

Do you think this issue is important enough so that the snapshot should be pushed to released Fedora and EPEL releases already now?  I think the next real upstream release is not too far away.
Comment 3 Vincent Danen 2009-03-27 19:08:56 UTC 
No, I don't think this is so urgent that it can't wait a bit (the original Debian report is from back in 2004).  If the upstream release is months away I might say to do something now, but if it's in a relatively sane timeframe this can wait.  It's pretty low impact.
Comment 4 Fedora Update System 2009-04-13 13:11:48 UTC 
bash-completion-1.0-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc10
Comment 5 Fedora Update System 2009-04-13 13:13:10 UTC 
bash-completion-1.0-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc9
Comment 6 Fedora Update System 2009-05-02 16:25:57 UTC 
bash-completion-1.0-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-05-02 16:30:29 UTC 
bash-completion-1.0-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Kurt Seifried 2009-05-03 23:07:52 UTC 
Is there a CVE # for this?
Comment 9 Ville Skyttä 2009-05-04 17:23:27 UTC 
(In reply to comment #8)
> Is there a CVE # for this?  

I'm not aware of one.