Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 608732 (CVE-2017-5932) - <app-shells/bash-4.4_p7: Code execution vulnerability in the autocompletion
Summary: <app-shells/bash-4.4_p7: Code execution vulnerability in the autocompletion
Alias: CVE-2017-5932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa cve]
Depends on:
Reported: 2017-02-09 11:03 UTC by Agostino Sarubbo
Modified: 2017-07-16 21:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-02-09 11:03:10 UTC
From ${URL} :

A detailed description can be found in our report (available at | direct link

In short: We can create a file with a specially crafted file name. A
user trying to use bash' path completion feature ('TAB-completion') on
this file will execute shell code without any additional actions taken.

The issue has been reported on 2017-01-17, a fix has been added to the
git's master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey
(Commit ID 4f747edc625815f449048579f6e65869914dd715, available at

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2017-03-15 18:45:14 UTC
this fix is already in the tree -- it was the bash44-007 patch.  the bug only affects the bash-4.4 series as the code in question is new to it.

bash-4.4 isn't yet stable either, so doesn't impact those systems.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 21:04:19 UTC
Affected version was never stable according to comment #1.

Cleanup PR: