Dash may execute code when in -n (syntax-check only mode). Patch upstream, not yet in a release: https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=29d6f2148f10213de4e904d515e792d2cf8c968e
New patch releases have been made but this isn't included. :(
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=699457813484ed203c50f1bbc404b16676a57c81

commit 699457813484ed203c50f1bbc404b16676a57c81
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-09 14:50:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-09 14:56:33 +0000

    app-shells/dash: Security revbump to fix -n calls

    Bug: https://bugs.gentoo.org/754267
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/dash/dash-0.5.11.3-r1.ebuild            | 61 ++++++++++++++++++++++
 .../dash-0.5.11.3-check_nflag_in_evaltree.patch    | 46 ++++++++++++++++
 2 files changed, 107 insertions(+)

x86 done
sparc done
ppc64 done
ppc done
amd64 done
arm64 done
arm done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=512a302d75d91952fc441e5d3ac20fe000cbc6d9

commit 512a302d75d91952fc441e5d3ac20fe000cbc6d9
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-11 19:37:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-11 19:37:44 +0000

    app-shells/dash: Security cleanup

    Bug: https://bugs.gentoo.org/754267
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/dash/Manifest             |  1 -
 app-shells/dash/dash-0.5.11.2.ebuild | 57 ------------------------------------
 app-shells/dash/dash-0.5.11.3.ebuild | 57 ------------------------------------
 3 files changed, 115 deletions(-)

Not CVE worthy. Attack would require that attacker is able to provide arbitrary arguments to dash. But if an attacker is already able to perform command injections like `dash -n -c '<malicious command>'`, this is a different story and unrelated to -n.
Repository is clean, all done!
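
A way to confirm that an installed shell honours -n, using the `-n -c` invocation form quoted in the comment above. This is an added example, not part of the bug thread and not Gentoo or dash project code; the function names `check_noexec` and `report_noexec` are hypothetical, and the probe only writes an empty marker file into a temporary directory it creates itself.

```shell
#!/bin/sh
# check_noexec SHELL
#   returns 0 if SHELL honours -n for a -c string (nothing was executed),
#           1 if SHELL executed the command despite -n,
#           2 if SHELL cannot be run or no temp dir could be created.
check_noexec() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || return 2
    tmpdir=$(mktemp -d) || return 2
    marker=$tmpdir/executed
    # Harmless probe: its only side effect is an empty file in our temp dir.
    # The path travels through the environment so the -c string needs no
    # extra quoting.
    MARKER=$marker "$shell" -n -c ': > "$MARKER"' >/dev/null 2>&1
    if [ -e "$marker" ]; then result=1; else result=0; fi
    rm -rf "$tmpdir"
    return "$result"
}

# report_noexec SHELL: human-readable wrapper around check_noexec.
report_noexec() {
    check_noexec "$1"
    case $? in
        0) echo "$1: -n honoured, -c string was not executed" ;;
        1) echo "$1: executed the -c string despite -n (unpatched behaviour)"
           return 1 ;;
        *) echo "$1: could not be run"
           return 2 ;;
    esac
}

# Check the shell named on the command line, defaulting to dash.
report_noexec "${1:-dash}" || true
```
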