** Tags removed: wily yakkety zesty
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to duplicity in Ubuntu.
https://bugs.launchpad.net/bugs/1519103
Title:
Shell Code Injection in hsi backend
Status in duplicity package in Ubuntu:
Confirmed
Bug description:
The "hsi" backend of duplicity is vulnerabe to code injections.
It uses os.popen3() with should be replaced with subprocess.Popen().
Thank you.
File :
-------
/usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
This is the function witch is vulnerable :
------------------------------------------------------------
def _list(self):
commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
l = os.popen3(commandline)[2].readlines()[3:]
Exploit Demo :
============
On the Terminal type in :
$ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
--> This will start the program xeyes , but should not.
I attached a screenshot of the exploit demo.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: duplicity 0.7.02-1ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
Uname: Linux 4.2.0-18-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Nov 23 22:09:23 2015
InstallationDate: Installed on 2015-11-13 (9 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: duplicity
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
