From ${URL} :

Björn Bosselmann reported to the Debian bugtracker[0] that the umount bash-completion as provided by the util-linux source does not escape mount point paths. A user with privileges to mount filesystems can embed shell commands in a mountpoint name and take advantage of this flaw to gain privileges. The issue was (indirectly) in [1] while addressing another issue.

MITRE has assigned 'CVE-2018-7738' for this issue.

Regards,
Salvatore

[0] https://bugs.debian.org/892179
[1] https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
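The flaw above comes from handing unescaped mount point names to the shell as completion candidates. As an added example, not code from util-linux or the linked fix commit, the POSIX shell helper below single-quotes each name before offering it, so metacharacters in a name stay literal; the mount list and the `umount_candidates` function are constructed for the demonstration.

```shell
# Added example, not code from util-linux or the linked commit: quote each
# mount point name before it is offered as a completion candidate, so any
# shell metacharacters in the name are presented literally rather than
# expanded. Input is a constructed findmnt-style list, one target per line.

# Constructed sample list; the second entry carries a command substitution
# in its name, the kind of input the unescaped completion mishandled.
SAMPLE_MOUNTS='/
/mnt/$(echo injected)
/media/user/My Disk'

# Wrap one string in single quotes, escaping any embedded single quote
# as '\'' so the result is always a single literal shell word.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read mount point names (one per line) and emit each as a quoted word.
escape_mount_points() {
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        shell_quote "$target"
    done
}

# Offer the quoted candidates whose raw name starts with the prefix the
# user typed ($1). Matching happens before quoting, so the prefix is literal.
umount_candidates() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while IFS= read -r target; do
        case "$target" in
            "$1"*) shell_quote "$target" ;;
        esac
    done
}

# Round trip: evaluating a quoted word must yield the original name back
# and must not execute anything embedded in it.
unquote_check() {
    eval "printf '%s\n' $(shell_quote "$1")"
}
```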
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da1d16289d67d7d99ec17e1d04f0aa0bbab5c7b8

commit da1d16289d67d7d99ec17e1d04f0aa0bbab5c7b8
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-03-07 09:27:46 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-03-07 09:27:46 +0000

sys-apps/util-linux: Revbump fix bash-completion umount code execution

Committed straight to stable.

Bug: https://bugs.gentoo.org/649812
Package-Manager: Portage-2.3.24, Repoman-2.3.6

.../util-linux-2.32_rc2-umount_completion.patch | 41 ++++++++++++++++++++++
...x-2.30.2.ebuild => util-linux-2.30.2-r1.ebuild} | 4 +++
...x-2.31.1.ebuild => util-linux-2.31.1-r1.ebuild} | 4 +++
3 files changed, 49 insertions(+)
New GLSA request filed.
This issue was resolved and addressed in GLSA 201803-02 at https://security.gentoo.org/glsa/201803-02 by GLSA coordinator Thomas Deutschmann (whissi).