[Bug 1792967] [NEW] CVE-2018-7738 - command execution via unmount's bash-completion

Jeremy Bicha jeremy at bicha.net
Mon Sep 17 15:23:06 UTC 2018


*** This bug is a security vulnerability ***

Public security bug reported:

"In util-linux before 2.32-rc1, bash-completion/umount allows local
users to gain privileges by embedding shell commands in a mountpoint
name, which is mishandled during a umount command (within Bash) by a
different user, as demonstrated by logging in as root and entering
umount followed by a tab character for autocompletion."

https://security-tracker.debian.org/tracker/CVE-2018-7738

Here is the patch that Debian applied earlier:
https://salsa.debian.org/debian/util-linux/blob/1d518f8b38e81cfcc6e0cd1ecbf9ea72d568e53a/debian/patches/bash-completion-umount-use-findmnt-escape-a-space-in.patch

It's already been fixed in cosmic but needs to be fixed in bionic.

I saw this link on social media this weekend:
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

** Affects: util-linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bionic

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7738

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1792967

Title:
  CVE-2018-7738 - command execution via unmount's bash-completion

Status in util-linux package in Ubuntu:
  New

More information about the foundations-bugs mailing list
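
As an added illustration (not part of the bug report, the Debian patch or util-linux), the following shell functions flag mount point names that contain shell metacharacters, the condition the CVE description warns about. The function names, the metacharacter set and the sample mountinfo lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag mount points whose names contain shell metacharacters.
# Input is mountinfo-format text (field 5 is the mount point, see proc(5)).
# Whitespace inside names appears there as octal escapes such as \040, so
# fields split cleanly. Names are only pattern-matched, never evaluated.

# is_suspicious NAME: exit 0 if NAME contains command-substitution or
# command-separator characters (an assumed, conservative set).
is_suspicious() {
    case $1 in
        *'`'*|*'$('*|*'${'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*) return 0 ;;
    esac
    return 1
}

# scan_mountinfo: read mountinfo lines on stdin, print each suspicious
# mount point, and return 1 if any was found (0 otherwise).
scan_mountinfo() {
    found=0
    while read -r _id _parent _dev _root mnt _rest; do
        [ -n "$mnt" ] || continue
        if is_suspicious "$mnt"; then
            printf 'suspicious mount point: %s\n' "$mnt"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample data (not captured from a real system). The quoted
# heredoc delimiter keeps the shell from expanding anything inside it.
sample_mountinfo() {
    cat <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 8:17 / /media/usb rw,nosuid shared:20 - vfat /dev/sdb1 rw
41 25 8:33 / /media/`cmd` rw,nosuid shared:21 - vfat /dev/sdc1 rw
42 25 8:49 / /media/$(cmd) rw,nosuid shared:22 - vfat /dev/sdd1 rw
43 25 8:65 / /media/my\040disk rw,nosuid shared:23 - vfat /dev/sde1 rw
EOF
}

# Demonstration on the constructed sample; on a live system use:
#   scan_mountinfo < /proc/self/mountinfo
sample_mountinfo | scan_mountinfo || true
```

A non-zero return from `scan_mountinfo` means at least one name should be reviewed before relying on tab completion of `umount` on a util-linux build that predates the fix.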