Bug 492589 - bash-completion: does not properly quote some characters
Summary: bash-completion: does not properly quote some characters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-27 15:22 UTC by Vincent Danen
Modified: 2019-09-29 12:29 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-22 18:11:55 UTC


Attachments (Terms of Use)
updated bash_completion from Debian BTS (51.72 KB, application/x-bzip)
2009-03-27 15:25 UTC, Vincent Danen
no flags Details

Description Vincent Danen 2009-03-27 15:22:11 UTC
An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &.  Most bash completions are escaped fine, but certain ones (such as aspell) do not.  An example:

$ touch "foo&echo bar"
$ aspell check fo<tab>o&echo bar
[1] 9071
bar
Error: Could not open the file "foo" for reading
$ touch "bar'foo"
$ aspell check bar<tab>'foo
>
$ ls bar<tab>' foo
bar'foo

The Debian report has an updated bash_completion file that corrects this.  The end result is that:

$ aspell check fo<tab>o\&echo \bar
$ aspell check bar<tab>'foo

This does not affect all completions, just certain ones (aspell is one example, cdrecord is another one).

Comment 1 Vincent Danen 2009-03-27 15:25:18 UTC
Created attachment 337024 [details]
updated bash_completion from Debian BTS

This updated bash_completion file corrects the problems noted with aspell and cdrecord.  There are quite a number of other fixes/changes to the file as well that could fix similar situations with other commands.

Comment 2 Ville Skyttä 2009-03-27 18:32:18 UTC
We have an even newer upstream snapshot available in Rawhide at the moment.  I'm aware that it indeed contains quite a few fixes (I'm an upstream project member), but even though the snapshots have been good for a while, I've been waiting for a "real" upstream release instead of shipping the snapshot as updates for released distro versions.

Do you think this issue is important enough so that the snapshot should be pushed to released Fedora and EPEL releases already now?  I think the next real upstream release is not too far away.

Comment 3 Vincent Danen 2009-03-27 19:08:56 UTC
No, I don't think this is so urgent that it can't wait a bit (the original Debian report is from back in 2004).  If the upstream release is months away I might say to do something now, but if it's in a relatively sane timeframe this can wait.  It's pretty low impact.

Comment 4 Fedora Update System 2009-04-13 13:11:48 UTC
bash-completion-1.0-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc10

Comment 5 Fedora Update System 2009-04-13 13:13:10 UTC
bash-completion-1.0-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc9

Comment 6 Fedora Update System 2009-05-02 16:25:57 UTC
bash-completion-1.0-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-05-02 16:30:29 UTC
bash-completion-1.0-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Kurt Seifried 2009-05-03 23:07:52 UTC
Is there a CVE # for this?

Comment 9 Ville Skyttä 2009-05-04 17:23:27 UTC
(In reply to comment #8)
> Is there a CVE # for this?  

I'm not aware of one.


Note You need to log in before you can comment on or make changes to this bug.