Hi there,
I found what seems to be an issue that can lead to exposure of sensitive information, such as the /etc/passwd file, when setting DOS2UNIX_LOCALEDIR with bash commands.
Version I tested was: 7.4.0
OS/distro: Ubuntu 16.04
Steps to reproduce:
export DOS2UNIX_LOCALEDIR="tail ../../../etc/passwd"
dos2unix -V
dos2unix 7.4.0 (2017-10-10)
With Unicode UTF-16 support.
With native language support.
With support to preserve the user and group ownership of files.
LOCALEDIR: Debian-exim:x:122:130::/var/spool/exim4:/bin/false
libvirt-qemu:x:64055:132:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
(...)
http://waterlan.home.xs4all.nl/dos2unix.html
Please, if it is confirmed, assign the credit to: Leonidas S. Barbosa.
Anonymous
Hi,
Thanks for the report.
Could you do an echo of $DOS2UNIX_LOCALEDIR, before you execute dos2unix -V?
This is what I get on Fedora 28, bash 4.4.23.
$ export DOS2UNIX_LOCALEDIR="tail ../../../etc/passwd"
$ echo $DOS2UNIX_LOCALEDIR
tail ../../../etc/passwd
$ dos2unix -V
dos2unix 7.4.0 (2017-10-10)
With Unicode UTF-16 support.
With native language support.
With support to preserve the user and group ownership of files.
LOCALEDIR: tail ../../../etc/passwd
http://waterlan.home.xs4all.nl/dos2unix.html
Yes,
Still getting the same behaviour
export DOS2UNIX_LOCALEDIR="tail ../../../etc/passwd"
kirotawa@r3dl41n:/tmp/dos2unix-7.4.0$ echo $DOS2UNIX_LOCALEDIR
Debian-exim:x:122:130::/var/spool/exim4:/bin/false libvirt-qemu:x:64055:132:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false libvirt-dnsmasq:x:123:131:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false sbuild:x:124:133:Debian source builder,,,:/var/lib/sbuild:/bin/bash sshd:x:125:65534::/var/run/sshd:/usr/sbin/nologin
(...)
kirotawa@r3dl41n:/tmp/dos2unix-7.4.0$ dos2unix -V
dos2unix 6.0.4 (2013-12-30)
With Unicode UTF-16 support.
With native language support.
LOCALEDIR: Debian-exim:x:122:130::/var/spool/exim4:/bin/false
libvirt-qemu:x:64055:132:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:123:131:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
sbuild:x:124:133:Debian source builder,,,:/var/lib/sbuild:/bin/bash
sshd:x:125:65534::/var/run/sshd:/usr/sbin/nologin
(...)
Bash version: 4.3.48(1)-release on Ubuntu 16.04.
Oh, wait a sec, the post here is editing and is taking off the acute accent
on the test entry. See, it's DOS2UNIX_LOCALEDIR="acute accent command acute accent"
Last edit: kirotawa 2018-07-31
Hi,
Because you put the command tail ../../../etc/passwd between acute accents, tail is already executed when you do the export command. The output of the tail command is assigned to DOS2UNIX_LOCALEDIR. Dos2unix prints the value of $DOS2UNIX_LOCALEDIR, same as echo does. Dos2unix does not execute the tail command.
Yep, makes sense. Sorry for the noise.
no problem
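A triage check for reports like the one in this thread, added here as an example and not taken from the dos2unix project or from any poster: it uses a marker file to show which process runs a command placed in an environment variable. The variable name DEMO_LOCALEDIR, the marker file "ran" and the sh -c stand-in for the consuming program are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (constructed): who executes a command placed in an env var?
# DEMO_LOCALEDIR and the marker file "ran" are hypothetical names; the
# consumer is a plain child process that only prints the variable, the way
# "dos2unix -V" prints LOCALEDIR in the thread above.

probe() (
    # Runs in a subshell with a private scratch directory.
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    case $1 in
        # Backticks: the shell runs the command while building the value.
        backtick) DEMO_LOCALEDIR="`touch ran; echo expanded-output`" ;;
        # Plain double quotes: the value is just text.
        literal)  DEMO_LOCALEDIR="touch ran; echo expanded-output" ;;
        *) exit 2 ;;
    esac
    export DEMO_LOCALEDIR

    # Check the marker BEFORE any consumer process has been started.
    [ -e ran ] && before=shell-ran-it || before=not-run

    # Stand-in consumer: prints what it received and executes nothing.
    seen=$(sh -c 'printf %s "$DEMO_LOCALEDIR"')

    # Check again AFTER the consumer has run.
    [ -e ran ] && after=ran || after=not-run

    cd / && rm -rf "$dir"
    printf '%s|%s|%s\n' "$before" "$after" "$seen"
)

probe literal
probe backtick
```

If the marker already exists before the consumer starts, the command was run by the invoking shell with the caller's own privileges, and the program only echoed the resulting string.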