Bug 492589 - bash-completion: does not properly quote some characters
bash-completion: does not properly quote some characters
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2009-03-27 11:22 EDT by Vincent Danen
Modified: 2010-03-22 14:11 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-22 14:11:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
updated bash_completion from Debian BTS (51.72 KB, application/x-bzip)
2009-03-27 11:25 EDT, Vincent Danen
no flags Details

  None (edit)
Description Vincent Danen 2009-03-27 11:22:11 EDT
An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &.  Most bash completions are escaped fine, but certain ones (such as aspell) do not.  An example:

$ touch "foo&echo bar"
$ aspell check fo<tab>o&echo bar
[1] 9071
Error: Could not open the file "foo" for reading
$ touch "bar'foo"
$ aspell check bar<tab>'foo
$ ls bar<tab>' foo

The Debian report has an updated bash_completion file that corrects this.  The end result is that:

$ aspell check fo<tab>o\&echo \bar
$ aspell check bar<tab>'foo

This does not affect all completions, just certain ones (aspell is one example, cdrecord is another one).
Comment 1 Vincent Danen 2009-03-27 11:25:18 EDT
Created attachment 337024 [details]
updated bash_completion from Debian BTS

This updated bash_completion file corrects the problems noted with aspell and cdrecord.  There are quite a number of other fixes/changes to the file as well that could fix similar situations with other commands.
Comment 2 Ville Skyttä 2009-03-27 14:32:18 EDT
We have an even newer upstream snapshot available in Rawhide at the moment.  I'm aware that it indeed contains quite a few fixes (I'm an upstream project member), but even though the snapshots have been good for a while, I've been waiting for a "real" upstream release instead of shipping the snapshot as updates for released distro versions.

Do you think this issue is important enough so that the snapshot should be pushed to released Fedora and EPEL releases already now?  I think the next real upstream release is not too far away.
Comment 3 Vincent Danen 2009-03-27 15:08:56 EDT
No, I don't think this is so urgent that it can't wait a bit (the original Debian report is from back in 2004).  If the upstream release is months away I might say to do something now, but if it's in a relatively sane timeframe this can wait.  It's pretty low impact.
Comment 4 Fedora Update System 2009-04-13 09:11:48 EDT
bash-completion-1.0-2.fc10 has been submitted as an update for Fedora 10.
Comment 5 Fedora Update System 2009-04-13 09:13:10 EDT
bash-completion-1.0-2.fc9 has been submitted as an update for Fedora 9.
Comment 6 Fedora Update System 2009-05-02 12:25:57 EDT
bash-completion-1.0-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-05-02 12:30:29 EDT
bash-completion-1.0-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Kurt Seifried 2009-05-03 19:07:52 EDT
Is there a CVE # for this?
Comment 9 Ville Skyttä 2009-05-04 13:23:27 EDT
(In reply to comment #8)
> Is there a CVE # for this?  

I'm not aware of one.

Note You need to log in before you can comment on or make changes to this bug.