Ubuntu
util-linux package

CVE-2018-7738 - command execution via unmount's bash-completion

Bug #1792967 reported by Jeremy Bícha
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
util-linux (Ubuntu)
Confirmed
Low
Unassigned

Bug Description

"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion."

https://security-tracker.debian.org/tracker/CVE-2018-7738

Here is the patch that Debian applied earlier:
https://salsa.debian.org/debian/util-linux/blob/1d518f8b38e81cfcc6e0cd1ecbf9ea72d568e53a/debian/patches/bash-completion-umount-use-findmnt-escape-a-space-in.patch

It's already been fixed in cosmic but needs to be fixed in bionic.

I saw this link on social media this weekend:
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Tags: bionic

CVE References

Alex Murray (alexmurray)
Changed in util-linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.