compgen -W evaluation is leading to security holes

[joey]

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I../. -I.././include -I.././lib  -Wdate-time 
-D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/bash-JkMlAz/bash-4.4.18=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall 
-Wno-parentheses -Wno-format-security
uname output: Linux darkstar 4.17.0-3-amd64 #1 SMP Debian 4.17.17-1 
(2018-08-18) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 23
Release Status: release

Description:

CVE-2018-7738 was caused by a bash completion script using compgen -W
with untrusted input. For some reason compgen -W evals its input:

        $ compgen -W '`cat /etc/shadow`'
        cat: /etc/shadow: Permission denied

Which makes code like this turn out to be a security hole:

        DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
        COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )

Grimm reviewed several other bash completion scripts for similar security
holes, and while they didn't find any, there were several near misses
where the code was probably only not explitable by accident.
https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

I don't know why compgen -W evals; there may be a good reason. Or it may be
a bug. The documentation for compgen does not seem to mention this
behavior. Even if there's a good reason for it to do that, it's certianly
violating least surprise, because "$foo" is normally safe to use in a shell
script without worrying about the content of the variable being
accidentially evaluated -- unless you're running something like eval 
or bash -c that explicitly does so.

Repeat-By:

        compgen -W '`cat`'