Bug 492589 - bash-completion: does not properly quote some characters
 Summary: bash-completion: does not properly quote some characters
 Status: Product: CLOSED ERRATA Aliases: None Security Response Other vulnerability (Show other bugs) --- unspecified All Linux low Severity low --- Target Release: --- Red Hat Product Security impact=low,source=debian,reported=200... Security Show dependency tree / graph

 Reported: 2009-03-27 11:22 EDT by Vincent Danen 2010-03-22 14:11 EDT (History) 4 users (show) bressers jeff kurt ville.skytta Bug Fix --- 2010-03-22 14:11:55 EDT --- --- --- --- --- ---

 Vincent Danen 2009-03-27 11:22:11 EDT An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &. Most bash completions are escaped fine, but certain ones (such as aspell) do not. An example: $touch "foo&echo bar"$ aspell check foo&echo bar [1] 9071 bar Error: Could not open the file "foo" for reading $touch "bar'foo"$ aspell check bar'foo > $ls bar' foo bar'foo The Debian report has an updated bash_completion file that corrects this. The end result is that:$ aspell check foo\&echo \bar \$ aspell check bar'foo This does not affect all completions, just certain ones (aspell is one example, cdrecord is another one). Vincent Danen 2009-03-27 11:25:18 EDT Created attachment 337024 [details] updated bash_completion from Debian BTS This updated bash_completion file corrects the problems noted with aspell and cdrecord. There are quite a number of other fixes/changes to the file as well that could fix similar situations with other commands. Ville Skyttä 2009-03-27 14:32:18 EDT We have an even newer upstream snapshot available in Rawhide at the moment. I'm aware that it indeed contains quite a few fixes (I'm an upstream project member), but even though the snapshots have been good for a while, I've been waiting for a "real" upstream release instead of shipping the snapshot as updates for released distro versions. Do you think this issue is important enough so that the snapshot should be pushed to released Fedora and EPEL releases already now? I think the next real upstream release is not too far away. Vincent Danen 2009-03-27 15:08:56 EDT No, I don't think this is so urgent that it can't wait a bit (the original Debian report is from back in 2004). If the upstream release is months away I might say to do something now, but if it's in a relatively sane timeframe this can wait. It's pretty low impact. Fedora Update System 2009-04-13 09:11:48 EDT bash-completion-1.0-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc10 Fedora Update System 2009-04-13 09:13:10 EDT bash-completion-1.0-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc9 Fedora Update System 2009-05-02 12:25:57 EDT bash-completion-1.0-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. Fedora Update System 2009-05-02 12:30:29 EDT bash-completion-1.0-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. Kurt Seifried 2009-05-03 19:07:52 EDT Is there a CVE # for this? Ville Skyttä 2009-05-04 13:23:27 EDT (In reply to comment #8) > Is there a CVE # for this? I'm not aware of one.