Bug 1114853 - (CVE-2018-20106) VUL-1: CVE-2018-20106: yast2-printer: SMB printer settings test fails if the password includes a backtick
VUL-1: CVE-2018-20106: yast2-printer: SMB printer settings test fails if the ...
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Other Other
: P4 - Low : Normal (vote)
: ---
Assigned To: Johannes Meixner
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2018-11-06 13:00 UTC by Dainius Masiliunas
Modified: 2023-03-22 14:07 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
karol: needinfo? (jsmeix)


Note You need to log in before you can comment on or make changes to this bug.
Description Dainius Masiliunas 2018-11-06 13:00:11 UTC
In YaST printer settings, connection wizard, SMB/CIFS option, if the password of the user includes a backtick character, YaST always fails the connection test with the error:

sh: -c: line 0: unexpected EOF while looking for matching ``'
sh: -c: line 1: syntax error: unexpected end of file

If that backtick is escaped with a backslash, it works, but the backslash is considered to be a part of the password... So then it fails to actually print. So either the connection test succeeds, or the printing succeeds, not both.

On a somewhat related note, I wonder if there is a way to specify that the username and password ought to be requested every time from the user, instead of being stored on disk.
Comment 1 Johannes Segitz 2018-11-07 16:46:08 UTC
This is a security issue. I'm currently looking at issues like these in bsc#353876, but we can track this one already here
Comment 2 Martin Vidner 2018-11-15 13:15:35 UTC
Confirmed on Leap 15.0:
Print via Network > Connection Wizard > Windows...(SMB/CIFS) > fill in Server+Printer+User+Password `xeyes` > Test Connection

 y2log says:
2018-11-15 14:07:33 <1> dhcp52(2290) [Ruby] modules/Printerlib.rb:97 Executing bash commandline: /usr/lib/YaST2/bin/test_remote_smb "myworkgroup" "myserver" "myprinter" "myuser" "mypass`xeyes`" 5
Comment 3 Johannes Meixner 2018-11-16 14:34:18 UTC
As far as I remember at the time when the yast2-printer test scripts
were made the reasoning why there are no input value checks was
that when those scripts are called from the YaST printer module
it was 'root' who made the inputs values.

If root thinks it is a good idea to use e.g. '$( rm -rf / )'
as password, he should know about possible consequences.

Even when those scripts are called by another user that user
should also know how things work.

As far as I remember from the past (since a longer time
I do no longer work on YaST modules - my last yast2-printer
RPM changelog entry is from Jan. 2015) there are in general
no such kind of input value checks in YaST so that root
could provide e.g. '$( rm -rf / )' at many places in YaST.
Comment 4 Johannes Segitz 2018-11-16 14:52:13 UTC
(In reply to Johannes Meixner from comment #3)
We have two problems here. One is usability. Some passwords just don't work, so we need to fix it anyway.

The other is a security problem. You're correct that root specifies these values, so we could go with the 'he has the right to shoot himself' argument. But we would like to add additional hardening measures since it's hard to judge if the input might not come from an untrusted source later on. So as a hardening measure we currently check problems like these (bsc#353876) and want to have them fixed.
Comment 5 Dainius Masiliunas 2018-11-16 15:42:50 UTC
I don't agree with the argument to begin with; if root sets the password as '$( rm -rf / )', they expect that this will make it so that the password is '$( rm -rf / )', rather than executing the password as a command. (Also, in this case the password is not root's, it's the printer's, so the user may have no control over what it is.)
Comment 6 Johannes Segitz 2019-01-07 13:07:10 UTC
I assigned CVE-2018-20106 for further tracking
Comment 7 Karol Babioch 2019-01-07 13:52:07 UTC
Looking at the code of connectionwizard.rb [1] it seems that the vulnerable code was introduced with commit 5305ab79, which converted YCP files into Ruby. The code prior to that looks also vulnerable to this, although I did not test it.

Unfortunately tags are not being used consistently, so I don't know which exact versions and/or codestreams are affected by this:

          password = (string)UI::QueryWidget( `pass, `Value );
          test_command = sformat( "%1test_remote_smb \"%2\" \"%3\" \"%4\" \"%5\" \"%6\" %7",
          if( ! Printerlib::ExecuteBashCommand( test_command) )

It was first introduced with commit fe970eca. Prior to that the code looked something like that:

            if( size( smb["user"]:"" ) > 0
                && size( smb["pass"]:"" ) > 0
            { connection_uri = sformat( "%1%2:%3@",

This connection_uri string is then handed over to the Printer object, but no Bash invocation is happening here (at least not in this module). After having a quick look at the the code in question, I couldn't find any suspicious looking command execution. However, I might have missed something.

[1]: https://github.com/yast/yast-printer/blob/master/src/include/printer/connectionwizard.rb#L2972
Comment 8 Johannes Meixner 2019-12-05 14:09:56 UTC
Got fixed via
Comment 9 Marcus Meissner 2023-03-22 13:32:33 UTC
so far not fixed for 


we should still fix it there if possible.