not at all. rsync --rsh="binary" is a feature. if you are complaining that rsync runs another binary feel free to complain to the rsync devs. you should consider consulting rsync manpage first about what --rsh is meant for though.
and eventually - this is no exploit. it's merely a parsing bug which should of course be fixed, when time allows. as i wrote earlier " if you can come up w/ an attack where the filenames on the backend were maliciously modified in a way that exploits a locally run duplicity, than you'd have me convinced instantly. " happy hunting.. ede/duply.net -- You received this bug notification because you are a member of duplicity-team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1520691 Title: Shell Code Injection in hsi backend Status in Duplicity: Fix Committed Bug description: https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103 The "hsi" backend of duplicity is vulnerabe to code injections. It uses os.popen3() with should be replaced with subprocess.Popen(). Thank you. File : ------- /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py This is the function witch is vulnerable : ------------------------------------------------------------ def _list(self): commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir) l = os.popen3(commandline)[2].readlines()[3:] Exploit Demo : ============ On the Terminal type in : $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug --> This will start the program xeyes , but should not. I attached a screenshot of the exploit demo. To manage notifications about this bug go to: https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~duplicity-team Post to : [email protected] Unsubscribe : https://launchpad.net/~duplicity-team More help : https://help.launchpad.net/ListHelp
