Security Advisory for Buildkite Agent and Bash 5.2
UPDATE: Agent 3.39.1 and AWS Elastic Stack for Buildkite 5.11.2 have been released to resolve this issue. We recommend you update to these versions if you are running Bash 5.2.
Bash 5.2 and the Buildkite Agent have a compatibility issue. This issue may reveal the values of environment variables exported by hooks when those values contain multiple lines. We recommend not updating Bash until the Agent has been updated as well.
This new version of Bash was released 16 days ago. It includes an update that changes how environment variables are exported: when a variable's value contains multiple lines, Bash now exports it using $'...' style quoting.
The Buildkite Agent allows using hooks to customise how jobs are run. These hooks are Bash scripts. Hooks can change environment variables, and those changes are propagated into later hooks and commands. This is done by exporting the variables from the Bash script and parsing that output. The Agent doesn't yet understand this new style of quoting, so environment variables containing newlines are currently parsed incorrectly and are lost between hooks and commands.
The Agent will print the names of environment variables which are changed by hooks. This new style of quoting is mis-parsed, however, and the value may be treated as part of the name. This can cause an escaped version of the value to be printed in the job log by mistake.
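As an added illustration (not the Agent's own code), here is a small parser for export -p style "declare -x" output that accepts both the pre-5.2 double-quoted form and the new $'...' form, beside a naive name extractor showing how an escaped value can end up in what is logged as a variable name. It assumes the Agent compares export -p output from before and after a hook; the sample output and variable names are constructed.

```python
import re

# Constructed samples of `export -p` output for the same two variables (not
# real Agent output). Bash 5.1 prints a multi-line value with a literal newline
# inside double quotes; Bash 5.2 prints $'...' quoting with the newline as \n.
BASH_51 = 'declare -x TOKEN="abc123"\ndeclare -x PEM="line1\nline2"\n'
BASH_52 = 'declare -x TOKEN="abc123"\ndeclare -x PEM=$\'line1\\nline2\'\n'

ENTRY = re.compile(
    r"declare -x (?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:=(?:\$'(?P<ansi>(?:[^'\\]|\\.)*)'"   # Bash 5.2: $'...' quoting
    r'|"(?P<dq>(?:[^"\\]|\\.)*)"))?\n',        # Bash <= 5.1: "..." quoting
    re.S)                                      # re.S lets "..." span lines

ANSI_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
                "f": "\f", "v": "\v", "E": "\x1b", "\\": "\\", "'": "'"}

def _ansi(m):
    """Decode one $'...' escape: octal \\NNN, hex \\xHH, or a named escape."""
    esc = m.group(1)
    if esc[0] in "01234567":
        return chr(int(esc, 8))
    if esc[0] == "x":
        return chr(int(esc[1:], 16))
    return ANSI_ESCAPES.get(esc, "\\" + esc)

def parse_export(output):
    """Parse `export -p` output into {name: value}, accepting both quoting
    styles. Entries in any other form are skipped rather than guessed at."""
    env = {}
    for m in ENTRY.finditer(output):
        if m.group("ansi") is not None:
            value = re.sub(r"\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|.)", _ansi, m.group("ansi"))
        elif m.group("dq") is not None:
            value = re.sub(r'\\([\\"$`])', r"\1", m.group("dq"))
        else:
            value = None          # exported but unset
        env[m.group("name")] = value
    return env

def naive_names(output):
    """Name extraction that only knows the NAME="..." form (an assumption
    standing in for the pre-fix behaviour): everything before the first '="'
    is taken as the name, so a $'...' entry leaks its escaped value."""
    return [line[len("declare -x "):].split('="', 1)[0]
            for line in output.splitlines() if line.startswith("declare -x ")]

def changed_names(before, after):
    """Names of variables a hook added or changed: the only thing that should
    reach the job log, never a value."""
    b, a = parse_export(before), parse_export(after)
    return sorted(k for k, v in a.items() if b.get(k) != v)
```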
We're working on a fix to the agent, and should have a release out shortly.
In the meantime, we recommend remaining on Bash 5.1 or lower. You can check your Bash version with bash --version.
If you are running Bash 5.2 already, we recommend auditing your environment variables to see if any secrets contain newlines. If so, we recommend revoking those secrets, and rotating them to new values once you have downgraded Bash, or upgraded the Agent.
Samuel