*** This bug is a security vulnerability *** You have been subscribed to a private security bug by Kenneth Loafman (kenneth-loafman):
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103 The "hsi" backend of duplicity is vulnerabe to code injections. It uses os.popen3() with should be replaced with subprocess.Popen(). Thank you. File : ------- /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py This is the function witch is vulnerable : ------------------------------------------------------------ def _list(self): commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir) l = os.popen3(commandline)[2].readlines()[3:] Exploit Demo : ============ On the Terminal type in : $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug --> This will start the program xeyes , but should not. I attached a screenshot of the exploit demo. ** Affects: duplicity Importance: Medium Assignee: Kenneth Loafman (kenneth-loafman) Status: In Progress -- Shell Code Injection in hsi backend https://bugs.launchpad.net/bugs/1520691 You received this bug notification because you are a member of duplicity-team, which is subscribed to the bug report. _______________________________________________ Mailing list: https://launchpad.net/~duplicity-team Post to : [email protected] Unsubscribe : https://launchpad.net/~duplicity-team More help : https://help.launchpad.net/ListHelp
