On 01.12.2015 22:44, Bernd Dietzel wrote: > second test : > > use the path > > /tmp/ --log-file=xxx >
1. can you provide a proper command line that illustrates a problem? along the lines of 'duplicity /local/path rsync://' 2. this would be a simple bug, but no security issue. actually what you describe is legally possible with duplicity by using the parameter --rsync-options. if you can come up w/ an attack where the filenames on the backend were maliciously modified in a way that exploits a locally run duplicity, than you'd have me convinced instantly. ..ede/duply.net -- You received this bug notification because you are a member of duplicity-team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1520691 Title: Shell Code Injection in hsi backend Status in Duplicity: Fix Committed Bug description: https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103 The "hsi" backend of duplicity is vulnerabe to code injections. It uses os.popen3() with should be replaced with subprocess.Popen(). Thank you. File : ------- /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py This is the function witch is vulnerable : ------------------------------------------------------------ def _list(self): commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir) l = os.popen3(commandline)[2].readlines()[3:] Exploit Demo : ============ On the Terminal type in : $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug --> This will start the program xeyes , but should not. I attached a screenshot of the exploit demo. To manage notifications about this bug go to: https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~duplicity-team Post to : [email protected] Unsubscribe : https://launchpad.net/~duplicity-team More help : https://help.launchpad.net/ListHelp
