Bug 754267 - <app-shells/dash-0.5.11.3-r1: May unexpectedly execute code in -n mode
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-13 14:48 UTC by Sam James
Modified: 2021-05-25 19:17 UTC
CC List: 2 users

See Also:
Package list:
app-shells/dash-0.5.11.3-r1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-13 14:48:58 UTC
Dash may execute code when in -n (syntax-check only mode).

Patch upstream, not yet in a release: https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=29d6f2148f10213de4e904d515e792d2cf8c968e
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 12:46:27 UTC
New patch releases have been made but this isn't included. :(
Comment 2 Larry the Git Cow gentoo-dev 2021-01-09 14:56:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=699457813484ed203c50f1bbc404b16676a57c81

commit 699457813484ed203c50f1bbc404b16676a57c81
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-09 14:50:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-09 14:56:33 +0000

    app-shells/dash: Security revbump to fix -n calls
    
    Bug: https://bugs.gentoo.org/754267
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/dash/dash-0.5.11.3-r1.ebuild            | 61 ++++++++++++++++++++++
 .../dash-0.5.11.3-check_nflag_in_evaltree.patch    | 46 ++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 09:28:28 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 09:35:02 UTC
sparc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 12:42:12 UTC
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 12:42:52 UTC
ppc done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 21:58:21 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 19:13:14 UTC
arm64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 19:13:56 UTC
arm done

all arches done
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 19:33:28 UTC
Please clean up.
Comment 11 Larry the Git Cow gentoo-dev 2021-01-11 19:37:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=512a302d75d91952fc441e5d3ac20fe000cbc6d9

commit 512a302d75d91952fc441e5d3ac20fe000cbc6d9
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-11 19:37:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-11 19:37:44 +0000

    app-shells/dash: Security cleanup
    
    Bug: https://bugs.gentoo.org/754267
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/dash/Manifest             |  1 -
 app-shells/dash/dash-0.5.11.2.ebuild | 57 ------------------------------------
 app-shells/dash/dash-0.5.11.3.ebuild | 57 ------------------------------------
 3 files changed, 115 deletions(-)
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 19:17:48 UTC
Not CVE worthy. Attack would require that attacker is able to provide arbitrary arguments to dash. But if an attacker is already able to perform command injections like `dash -n -c '<malicious command>'`, this is a different story and unrelated to -n.

Repository is clean, all done!
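
A defender-side check for the behaviour in the description, as an added example that is not part of this bug report or of dash: it runs a harmless payload with `-n -c`, the invocation form quoted in comment 12, and reports whether the shell executed it. The function names are hypothetical, and that the `-c` path is where `-n` was ignored is an assumption taken from that comment.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a shell that executes
# `-c` commands even though -n (noexec, syntax check only) was requested.

# run_probe SHELL MARKER [FLAG]: ask SHELL to create MARKER via -c.
run_probe() {
    # ${3:+"$3"} passes the optional flag (-n) only when it is given.
    "$1" ${3:+"$3"} -c ': > "$1"' probe "$2" </dev/null >/dev/null 2>&1 || :
}

# nflag_executes SHELL
# 0 = command ran under -n (affected), 1 = -n honoured, 2 = probe unusable.
nflag_executes() {
    command -v "$1" >/dev/null 2>&1 || return 2
    probe_dir=$(mktemp -d) || return 2
    probe_rc=1
    # Control: without -n the harmless payload must create its marker,
    # otherwise a "not executed" result would mean nothing.
    run_probe "$1" "$probe_dir/control"
    if [ ! -e "$probe_dir/control" ]; then
        probe_rc=2
    else
        run_probe "$1" "$probe_dir/noexec" -n
        if [ -e "$probe_dir/noexec" ]; then probe_rc=0; fi
    fi
    rm -rf "$probe_dir"
    return "$probe_rc"
}

# check_shells SHELL...: print one verdict per shell.
check_shells() {
    for s in "$@"; do
        st=0
        nflag_executes "$s" || st=$?
        case $st in
            0) echo "$s: AFFECTED, -n -c executed the command" ;;
            1) echo "$s: ok, -n suppressed execution" ;;
            *) echo "$s: could not be probed" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then check_shells "$@"; fi
```

Run it as `sh probe.sh dash /bin/sh` (the file name is arbitrary) on each host or image where scripts are linted with `-n`.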