Bug 492589 - bash-completion: does not properly quote some characters
bash-completion: does not properly quote some characters
 Keywords: Security CLOSED ERRATA None Security Response Other vulnerability --- unspecified All Linux low low --- Red Hat Product Security depends on / blocked

 Reported: 2009-03-27 15:22 UTC by Vincent Danen 2019-09-29 12:29 UTC (History) 4 users (show) bressers jeff kurt ville.skytta Bug Fix 2010-03-22 18:11:55 UTC

 Vincent Danen 2009-03-27 15:22:11 UTC An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &. Most bash completions are escaped fine, but certain ones (such as aspell) do not. An example: $touch "foo&echo bar"$ aspell check foo&echo bar [1] 9071 bar Error: Could not open the file "foo" for reading $touch "bar'foo"$ aspell check bar'foo > $ls bar' foo bar'foo The Debian report has an updated bash_completion file that corrects this. The end result is that:$ aspell check foo\&echo \bar \$ aspell check bar'foo This does not affect all completions, just certain ones (aspell is one example, cdrecord is another one).  Vincent Danen 2009-03-27 15:25:18 UTC Created attachment 337024 [details] updated bash_completion from Debian BTS This updated bash_completion file corrects the problems noted with aspell and cdrecord. There are quite a number of other fixes/changes to the file as well that could fix similar situations with other commands.  Ville Skyttä 2009-03-27 18:32:18 UTC We have an even newer upstream snapshot available in Rawhide at the moment. I'm aware that it indeed contains quite a few fixes (I'm an upstream project member), but even though the snapshots have been good for a while, I've been waiting for a "real" upstream release instead of shipping the snapshot as updates for released distro versions. Do you think this issue is important enough so that the snapshot should be pushed to released Fedora and EPEL releases already now? I think the next real upstream release is not too far away.  Vincent Danen 2009-03-27 19:08:56 UTC No, I don't think this is so urgent that it can't wait a bit (the original Debian report is from back in 2004). If the upstream release is months away I might say to do something now, but if it's in a relatively sane timeframe this can wait. It's pretty low impact.  Fedora Update System 2009-04-13 13:11:48 UTC bash-completion-1.0-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc10  Fedora Update System 2009-04-13 13:13:10 UTC bash-completion-1.0-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bash-completion-1.0-2.fc9  Fedora Update System 2009-05-02 16:25:57 UTC bash-completion-1.0-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.  Fedora Update System 2009-05-02 16:30:29 UTC bash-completion-1.0-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.  Kurt Seifried 2009-05-03 23:07:52 UTC Is there a CVE # for this?  Ville Skyttä 2009-05-04 17:23:27 UTC (In reply to comment #8) > Is there a CVE # for this? I'm not aware of one.