[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

2017-05-31 Thread Bernd Dietzel
As you can see above, help()  does not show the help of program abc but
runs a shell command in the middle of the path and the path gets broken.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1694007

Title:
  externalcommand.py  : Shell injection with a Path name

To manage notifications about this bug go to:
https://bugs.launchpad.net/bzr/+bug/1694007/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

2017-05-27 Thread Bernd Dietzel
Screenshot

** Attachment added: "Screenshot"
   
https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884537/+files/screenshot.png



[Bug 1694007] [NEW] externalcommand.py : Shell injection with a Path name

2017-05-27 Thread Bernd Dietzel
Public bug reported:

If inside the path is a shell command, it will be executed.
In this demo the program xeyes will start but should not :

~ $ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bzrlib.externalcommand as E
>>> x=E.ExternalCommand('/tmp/$(xeyes)/test/abc')
>>> y=x.help()
sh: 1: /tmp//test/abc: not found
>>> # xeyes does run now #

Package:
python-bzrlib

File:
/usr/lib/python2.7/dist-packages/bzrlib/externalcommand.py

Line 64:
pipe = os.popen('%s --help' % self.path)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-bzrlib 2.7.0-2ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
Uname: Linux 4.4.0-66-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat May 27 13:00:36 2017
InstallationDate: Installed on 2016-07-31 (300 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: bzr (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug sarah

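Added example, not part of the original report and not bzrlib code: the `'%s --help' % self.path` pattern from line 64 next to two ways of running the same program without letting the shell interpret the path. It is written for Python 3, and the directory name `$(echo SUBST)`, the stand-in program `abc` and all function names are constructed for illustration.

```python
import os
import shlex
import subprocess
import tempfile


def make_demo_program():
    """Create <tmp>/$(echo SUBST)/abc, a tiny program that answers --help.

    The directory name is a constructed, harmless stand-in for the
    '/tmp/$(xeyes)/test/abc' path used in the report.
    """
    root = tempfile.mkdtemp(prefix="extcmd-demo-")
    directory = os.path.join(root, "$(echo SUBST)")
    os.mkdir(directory)
    path = os.path.join(directory, "abc")
    with open(path, "w") as fh:
        fh.write('#!/bin/sh\necho "usage: abc [options]"\n')
    os.chmod(path, 0o755)
    return path


def help_shell_string(path):
    """Pattern from the report: the path is pasted into a /bin/sh command line.

    The shell performs the command substitution first, so the program that
    is finally looked up is <tmp>/SUBST/abc, which does not exist.
    """
    return subprocess.run("%s --help" % path, shell=True,
                          capture_output=True, text=True)


def help_argv(path):
    """No shell: the path is passed to the child as argv[0], byte for byte."""
    return subprocess.run([path, "--help"], capture_output=True, text=True)


def help_quoted(path):
    """If a shell is unavoidable, shlex.quote() turns the path into one literal word."""
    return subprocess.run("%s --help" % shlex.quote(path), shell=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    program = make_demo_program()
    for runner in (help_shell_string, help_argv, help_quoted):
        result = runner(program)
        print(runner.__name__, result.returncode,
              (result.stdout or result.stderr).strip())
```

The shell-string variant ends with exit status 127 and a "not found" message for the rewritten path, which is the same symptom as the `sh: 1: /tmp//test/abc: not found` line in the report.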


[Bug 1586514] Re: Shell Injection / filename

2017-02-19 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1586514

Title:
  Shell Injection / filename

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mate-dock-applet/+bug/1586514/+subscriptions



[Bug 1598438] [NEW] dialog.pl allows to inject shell code

2016-07-02 Thread Bernd Dietzel
Public bug reported:

File : /usr/share/perl5/dialog.pl

Line 25, 42, 62, 77 :
system("dialog --title \"$title\" --textbox $file $height $width");

The perl script "dialog.pl" uses the system() command.
So shell code in a path and/or file name could be executed.

For Example like in this perl demo script:

require "dialog.pl"; 
rhs_textbox("Demo",";xeyes;#.txt","100","100");

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: dialog 1.2-20130928-1
ProcVersionSignature: Ubuntu 3.19.0-32.37~14.04.1-generic 3.19.8-ckt7
Uname: Linux 3.19.0-32-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat Jul  2 15:44:59 2016
InstallationDate: Installed on 2016-06-18 (14 days ago)
InstallationMedia: Linux Mint 17.3 "Rosa" - Release amd64 20151128
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: dialog
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: dialog (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug rosa

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598438

Title:
  dialog.pl allows to inject shell code

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dialog/+bug/1598438/+subscriptions



[Bug 1513964] Re: dsextras.py : Shell Command Injection with a pkg name

2016-05-28 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1513964

Title:
  dsextras.py :  Shell Command Injection with a pkg name

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pygobject-2/+bug/1513964/+subscriptions



[Bug 1586346] Re: Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
** Attachment added: "recent.py has the same problem / Screenshot"
   
https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+attachment/4671530/+files/Screenshot%20recent.py%20%20bug.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1586346

Title:
  Shell injection with a GTK-Bookmark

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+subscriptions



[Bug 1586346] Re: Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
...and remove these os.system calls too, please :-)

/usr/share/mate-menu/plugins/recent.py:189:
x = os.system("gvfs-open \""+filename+"\"")

/usr/share/mate-menu/plugins/applications.py:991:
os.system("rm \"%s\" &" % desktopEntry.desktopFile)

/usr/share/mate-menu/plugins/applications.py:1095:
os.system(fullstring + " &")

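Added example, not part of the original comment and not mate-menu code: a small static check, built on Python's `ast` module, that finds calls like the ones listed above, where a command string assembled at run time is handed to a shell. The sample source is constructed from the call patterns quoted in these reports; the `subprocess.call(..., shell=True)` line is an added case showing that moving to subprocess while keeping `shell=True` leaves the same problem.

```python
import ast

# Callables that hand their first argument to /bin/sh.
SHELL_CALLS = {"os.system", "os.popen", "platform.popen"}

# Constructed sample: call patterns quoted in the reports, plus two safe calls.
SAMPLE = r'''import os
import subprocess
from os import popen as run

def help_text(path):
    return run('%s --help' % path).read()

def open_recent(filename):
    return os.system("gvfs-open \""+filename+"\"")

def remove_entry(desktop_file):
    os.system("rm \"%s\" &" % desktop_file)

def open_place(path):
    subprocess.call("caja \"%s\" &" % path, shell=True)

def fixed(path):
    subprocess.call(["caja", path])
    os.system("clear")
'''


def import_aliases(tree):
    """Map local names to what they import, e.g. {'run': 'os.popen'}."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for item in node.names:
                if item.asname:
                    aliases[item.asname] = item.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for item in node.names:
                aliases[item.asname or item.name] = node.module + "." + item.name
    return aliases


def dotted_name(node, aliases):
    """Return 'os.system' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def find_shell_string_calls(source):
    """Return sorted (line, callee) pairs where a built string reaches a shell."""
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = dotted_name(node.func, aliases)
        if name is None:
            continue
        via_shell = name in SHELL_CALLS or (
            name.startswith("subprocess.")
            and any(kw.arg == "shell" and is_true(kw.value) for kw in node.keywords))
        first = node.args[0]
        literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
        if via_shell and not literal:
            findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee in find_shell_string_calls(SAMPLE):
        print("line %d: %s() receives a command string built at run time" % (line, callee))
```

The check only follows import aliases; a command string stored in a variable that happens to be constant, or a shell reached through a wrapper function, still needs a manual look.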


[Bug 1586346] [NEW] Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
Public bug reported:

Shell Commands can be injected 
when the file ~/.gtk-bookmarks contains for example a path like this :

/temp/$(xeyes)/test/

In the settings of the mate-menu the option to show the gtk-bookmarks in
the places must be checked to make it work.

See attached screenshot.

Reason is this os.system call ...

File : /usr/share/mate-menu/plugins/places.py
os.system("caja \"%s\" &" % path)

... which should be better replaced with subprocess.

Thank you :-)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mate-menu 5.7.1-1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic i686
ApportVersion: 2.20.1-0ubuntu2
Architecture: i386
CurrentDesktop: MATE
Date: Fri May 27 12:30:35 2016
InstallationDate: Installed on 2016-01-10 (137 days ago)
InstallationMedia: Linux 15.10 - Release i386
PackageArchitecture: all
SourcePackage: mate-menu
UpgradeStatus: Upgraded to xenial on 2016-05-07 (20 days ago)

** Affects: mate-menu (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apport-bug i386 xenial

** Attachment added: "Screenshot"
   
https://bugs.launchpad.net/bugs/1586346/+attachment/4671231/+files/Screenshot%20.png



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-17 Thread Bernd Dietzel
OK, check this new patch for the audacious scope.
- No injections
- Multiple Tracks
- Database issues 

** Attachment added: "new audacious patch - multiple tracks + database"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4664912/+files/audacious%20-%20db%20-%20patch.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-16 Thread Bernd Dietzel
@Seth, your comment 17:

I had a look at the audacious db-file access:

for collection in os.listdir(AUDACIOUS_DBFILE):
    dbfile = '%s/%s' % (AUDACIOUS_DBFILE, collection)
    database = open(dbfile, "r")
    database = database.read()
    if not database.startswith("title:Library"):
        records = database[14:]
        records = records.split("uri=")
    else:
        records = ""

What I can see are some bugs like these:

1) On my PC, the database entry is not the English "title:Library" but, in my language, "title=Sammlung"; notice it is written with "=", not with ":".
2) So "records = database[14:]" should be something like "records = database[5:]".
3) There is no filter to use files with the ".audpl" extension only.
4) There is a "//" in the dbfile path.

Is that what you mean?



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-15 Thread Bernd Dietzel
New patch for unity_audacious_daemon.py
with better handling of multiple tracks


** Attachment added: "audacious patch - multiple tracks"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4663521/+files/audacious-patch%20%20with%20%20multiple%20tracks.txt



[Bug 1550676] Re: analyze_suspend.py may allow shell code injection

2016-04-16 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1550676

Title:
  analyze_suspend.py may allow shell code injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1550676/+subscriptions



[Bug 1550653] [NEW] platform.py uses os.popen command

2016-02-26 Thread Bernd Dietzel
Public bug reported:

Uses deprecated os.popen command.
Shell Code can be injected, see example below.
Replace it with subprocess please.

file :
/usr/lib/python3.5/platform.py

line 416:
return os.popen(cmd, mode, bufsize)


Example which starts the program xeyes but should not :

~$ python
Python 2.7.11+ (default, Feb 22 2016, 16:38:42) 
[GCC 5.3.1 20160222] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import platform
>>> filename = 'bad file ;xeyes;# name.png'
>>> platform.popen('ls %s' %filename)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libpython3.5-minimal 3.5.1-6ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-7.22-generic 4.4.2
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Feb 27 07:16:55 2016
InstallationDate: Installed on 2016-02-22 (4 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160219)
SourcePackage: python3.5
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python3.5 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1550653

Title:
  platform.py uses os.popen command

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1550653/+subscriptions



[Bug 1545527] [NEW] Shell Injection with a custom panel layout

2016-02-14 Thread Bernd Dietzel
Public bug reported:

line 360-361 :
cmd = 'dconf load /org/mate/panel/ < /usr/share/mate-panel/layouts/' + new_layout + '.panel'
os.system(cmd)


If the file name of a layout contains shell commands, they may be executed by os.system.
Replace os.system with subprocess please.

Thank you :-)

** Affects: mate-tweak (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1545527

Title:
  Shell Injection with a custom panel layout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mate-tweak/+bug/1545527/+subscriptions

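Added example, not part of the original report and not mate-tweak code: the reported command relies on the shell for the `<` redirection, so moving it to subprocess means opening the layout file in Python and passing it as the child's stdin. The function names, the extra check that the layout name stays inside the layouts directory, and the `demo()` helper (which uses `cat` as a stand-in for `dconf`) are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

LAYOUTS_DIR = "/usr/share/mate-panel/layouts"       # directory from the reported line
DCONF_LOAD = ("dconf", "load", "/org/mate/panel/")  # command from the reported line


def layout_file(new_layout, layouts_dir=LAYOUTS_DIR):
    """Return the .panel file for a layout name, refusing names that leave layouts_dir."""
    base = os.path.realpath(layouts_dir)
    path = os.path.realpath(os.path.join(base, new_layout + ".panel"))
    if os.path.dirname(path) != base:
        raise ValueError("layout %r is outside %s" % (new_layout, base))
    return path


def load_layout(new_layout, layouts_dir=LAYOUTS_DIR, command=DCONF_LOAD):
    """Feed the layout file to the command's stdin; no shell ever parses the name."""
    with open(layout_file(new_layout, layouts_dir), "rb") as layout:
        return subprocess.run(list(command), stdin=layout,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              check=True)


def demo():
    """Run against a constructed layouts directory, with 'cat' standing in for dconf."""
    layouts = tempfile.mkdtemp(prefix="layouts-")
    name = "$(echo SUBST)"                      # constructed hostile layout name
    with open(os.path.join(layouts, name + ".panel"), "wb") as fh:
        fh.write(b"[general]\n")
    # The odd name is just a file name now: its content arrives on stdin unchanged.
    loaded = load_layout(name, layouts, command=("cat",)).stdout
    try:
        layout_file("../other/evil", layouts)
        escaped = True
    except ValueError:
        escaped = False
    return loaded, escaped


if __name__ == "__main__":
    print(demo())
```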


[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-01-01 Thread Bernd Dietzel
For a Shotwell Scope SQL injection Demo , i attached a screenshot.
Code can be injected with a file name in the function getPhotoForUri.

Demonstration:
a) rename some picture like this

xx
" UNION SELECT
1,'2','Hello','World',5,6,7,8,9,10,11,12,'13','14','15',16,17,18,19,20,21,22,23,24,'25',26,27,28,29
--  ".png

b) start shotwell and ensure the picture gets into the shotwell database
c) close shotwell
d) Search for xx in the Unity Dash and click on the picture
e) Have a look at the picture dimensions and the size. It reads "Hello x World Pixels", size : 5.0b.
 This is only a harmless demo. Other things may happen like crashes or code execution.
 

** Attachment added: "unity-scope-shotwell  SQL injection Demo"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4542841/+files/screenshot.png



[Bug 1514046] Re: Shell command injection - samba-tool domain classicupgrade

2015-12-28 Thread Bernd Dietzel
public in upstream
https://bugzilla.samba.org/show_bug.cgi?id=11601#c7

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1514046

Title:
  Shell command injection - samba-tool domain classicupgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1514046/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1514046] Re: Shell command injection - samba-tool domain classicupgrade

2015-12-28 Thread Bernd Dietzel
public in upstream
https://bugzilla.samba.org/show_bug.cgi?id=11601#c7

** Information type changed from Private Security to Public Security



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-12-20 Thread Bernd Dietzel
@David
shotwell , firefoxbookmarks, chromiumbookmarks and zotero scope may be checked 
for sql injections, too. 

Example : Some code of the shotwell scope :
sql='select * from PhotoTable where filename = \"'+filename+'\"'

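Added example, not part of the original comments and not the scope's own code: the string-concatenated query quoted above, run against an in-memory SQLite table, next to the same lookup with a bound parameter. It also covers the file-name demonstration from the 2016-01-01 message. The five-column table, the sample rows, the shortened file name and the function names are constructed for illustration; the concatenated form relies on SQLite accepting double-quoted string literals, which is its default.

```python
import sqlite3

# Constructed, reduced stand-in for Shotwell's PhotoTable (assumed column names).
SCHEMA = """CREATE TABLE PhotoTable (
    id INTEGER PRIMARY KEY, filename TEXT,
    width INTEGER, height INTEGER, filesize INTEGER)"""

# File name in the style of the demonstration, cut down to this table's five columns.
HOSTILE_NAME = "xx\" UNION SELECT 1,'2','Hello','World',5 -- \".png"


def open_library():
    """Build the sample library: one ordinary photo and one with the hostile name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO PhotoTable (filename, width, height, filesize) VALUES (?, ?, ?, ?)",
        [("holiday.png", 640, 480, 12345), (HOSTILE_NAME, 800, 600, 54321)])
    return conn


def photo_by_concatenation(conn, filename):
    """Query built as in the quoted scope code: the file name becomes SQL text."""
    sql = 'select * from PhotoTable where filename = "' + filename + '"'
    return conn.execute(sql).fetchall()


def photo_by_parameter(conn, filename):
    """Same lookup with a bound parameter: the file name is only ever a value."""
    return conn.execute(
        "SELECT * FROM PhotoTable WHERE filename = ?", (filename,)).fetchall()


def describe(row):
    """Format a row the way a preview might show it (constructed format)."""
    _id, _name, width, height, filesize = row
    return "%s x %s Pixels, size: %s" % (width, height, filesize)


if __name__ == "__main__":
    library = open_library()
    for lookup in (photo_by_concatenation, photo_by_parameter):
        rows = lookup(library, HOSTILE_NAME)
        print(lookup.__name__, [describe(r) for r in rows])
```

With concatenation the preview data comes from the file name itself ("Hello x World Pixels"); with the bound parameter the lookup returns the stored row for that file, 800 x 600.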


[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-12-19 Thread Bernd Dietzel
My new Clementine Patch.
I had a look at the other patches to fix the SQL injections.
Fixed utf8 decoding to crash with try and except.
Hope it works. Please test.

** Attachment added: "clementine patch ,  Shell Injections + SQL Injections + 
UTF8 Crash"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4537605/+files/diff.txt



[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()

2015-11-28 Thread Bernd Dietzel
Seems the bug has been known and fixed since 2014 but has not found its way to the Ubuntu repos.
http://bugs.python.org/issue22636


** Information type changed from Private Security to Public Security

** Bug watch added: Python Roundup #22636
   http://bugs.python.org/issue22636

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1512068

Title:
  Python ctypes.util , Shell Injection in find_library()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-11-25 Thread Bernd Dietzel
@Marc
Yes , if some application has a bug , for example MintNanny :
https://bugs.launchpad.net/linuxmint/+bug/1460835

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507025

Title:
  Shell Command Injection with the hostname

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-11-15 Thread Bernd Dietzel
@David
Did you notice that the albumtracks are a list and not a simple string?
Have a look at my "Better patch for unity_clementine_daemon.py" in comment #10



[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread Bernd Dietzel
Reported to Upstream :
http://bugs.python.org/issue25627

** Bug watch added: Python Roundup #25627
   http://bugs.python.org/issue25627

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py"  allows Shell injection in "name"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions



[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-12 Thread Bernd Dietzel
Hello Tyler,
I only used the setup script because the distutils.core.setup() function takes such a large number of arguments, so it's easier to read than in one single line of code.

No, I haven't reported this issue to upstream.



[Bug 1514183] [NEW] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-08 Thread Bernd Dietzel
*** This bug is a security vulnerability ***

Public security bug reported:

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() :

out = os.popen(q_cmd)

Exploit demo :

1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd  to the test folder
4) python setup.py bdist_rpm
5) A xmessage window pops up as a proof of concept

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov  8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Exploit demo setup.py script with a Shell command in 
"name""
   https://bugs.launchpad.net/bugs/1514183/+attachment/4515059/+files/setup.py

** Summary changed:

- distutils : filebdist_rpm.py allows Shell injection in "name" 
+ distutils : file "bdist_rpm.py"  allows Shell injection in "name"

** Information type changed from Public to Public Security

** Description changed:

  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py
  
- Line 358 : 
- This line in the code uses the depreached os.popen command, should be 
replaced with supbprocess.Popen() :
+ Line 358 :
+ This line in the code uses the depreached os.popen command, should be 
replaced with subprocess.Popen() :
  
  out = os.popen(q_cmd)
  
  Exploit demo :
  
  1) Download the setup.py script wich i attached
  2) Create a test folder an put the setup.py script in this folder
  3) cd  to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept
  
  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)



[Bug 1512068] [NEW] Python ctypes.util , Shell Injection in find_library()

2015-11-01 Thread Bernd Dietzel
Public bug reported:

https://github.com/Legrandin/ctypes/issues/1

The find_library() function can execute code when special chars like ;|`<>$ are 
in the name.
The "os.popen()" calls in the util.py script should be replaced with 
"subprocess.Popen()".

Demo Exploits for Linux :


>>> from ctypes.util import find_library
>>> find_library(";xeyes")           # runs xeyes
>>> find_library("|xterm")           # runs terminal
>>> find_library("")                 # runs gimp
>>> find_library("$(nautilus)")      # runs filemanager
>>> find_library(">test")            # creates, and if exists, erases a file "test"

Traceback

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov  1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+attachment/4510277/+files/JournalErrors.txt



[Bug 1509835] Re: Possible Shell Command Injection

2015-10-31 Thread Bernd Dietzel
my demo exploit video (german)
https://www.youtube.com/watch?v=QGAjwKF5d3w



[Bug 1509835] Re: Possible Shell Command Injection

2015-10-31 Thread Bernd Dietzel
My improved Patch Nr. 2

** Patch added: "This patch can split the opts string and has a stdout and a 
stderr"
   
https://bugs.launchpad.net/ubuntu/+source/apt-offline/+bug/1509835/+attachment/4509935/+files/Patch2.diff



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
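#! /bin/sh
# run this as root early in the boot order. No other script like hostname.sh should run later
# "-" is placed last in the bracket expression so it is a literal hyphen; sed treats "\" inside brackets as a literal character
HOSTNAME="$(hostname|sed 's/[^A-Za-z0-9_.-]/x/g')";hostname "$HOSTNAME"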



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
script

** Attachment added: "changehostname.sh"
   
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh



[Bug 1509835] Re: Possible Shell Command Injection

2015-10-30 Thread Bernd Dietzel
My patch was accepted by Mr. Sarraf and fixed in apt-offline upstream repo. 
https://github.com/rickysarraf/apt-offline/blob/master/apt_offline_core/AptOfflineCoreLib.py



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Bernd Dietzel
I have reported it to upstream :
http://bugs.python.org/issue24778

I have uploaded my patches to upstream:
http://bugs.python.org/file40897/mailcap%20patch.zip

** Bug watch added: Python Roundup #24778
   http://bugs.python.org/issue24778



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
I fixed a typo and made the code shorter.

New patch attached.



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
** Patch added: "Patch for mailcap.py  (pyhon 2.7)"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507759/+files/PatchForMailCap.diff

** Attachment removed: "mailcap.py without shell injections"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My "Idea" for a quick bugfix :

Inside the mailcap.py script,
we copy the file to temp and give the file a random name like this ...
/temp/.tmp
... and then resulting with the random name instead of the original name.



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My patch.

1) I removed the os.system() calls and appended a new function "run" which
uses subprocess.

2) "Subst" function now uses quote()  and is returning a list, not a
string. So it can be passed to subprocess.

3) If you do not want to get back a command "string" but a command
[list] , you can now call "findmatch_list"

 .. please test it.


** Patch added: "mailcap.py without shell injections"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff



[Bug 1510317] [NEW] Shell Command Injection in "Mailcap" file handling

2015-10-26 Thread Bernd Dietzel
*** This bug is a security vulnerability ***

Public security bug reported:

https://docs.python.org/2/library/mailcap.html
mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]])
Return a 2-tuple; the first element is a string containing the command line to 
be executed (which can be passed to os.system()), ...

Security Bug in mailcap.findmatch() function :


1) If the "filename" or path contains a shell command, it will be injected when you use os.system() to execute the resulting command line. As you can read in the docs above, the function is designed to run os.system().
(Have a look at the Exploit Example 1 below)

2) If you try to 'quote' the filename before using mailcap.findmatch(), the shell command can be injected too, because there may be another quoting inside the mailcaps strings which allows the shell commands to escape.
(Have a look at the Exploit Example 2 below)

3) There is no way to split the resulting command line in a correct way
afterwards into a list object with a "command" and its "parameters"
because after running the function you will never know if the characters
for splitting the line were a part of the filename or a part of the
mailcap command in the first place. So even if you use subprocess for
executing the command line instead of os.system, you can get in trouble
with unwanted parameters which may make the viewer do bad things.

Python Exploit Example 1 :

import mailcap , os
d=mailcap.getcaps()
FILE="';ls;#';ls;#.mp4"
cmd,m=mailcap.findmatch(d, "audio/mpeg4", filename=FILE)
os.system(cmd)
## this will lead to this in cmd :
##  vlc '';ls;#';ls;#.mp4'
## Or it will lead us to this in cmd :
##  vlc ';ls;#';ls;#.mp4
## No matter what, it  will inject the ls command after you quit vlc

--

Python Exploit Example 2 :

import mailcap , os
try:
  from shlex import quote
except ImportError:
  from pipes import quote
d=mailcap.getcaps()
FILE=quote(";ls;#.txt")
cmd,m=mailcap.findmatch(d, "text/plain", filename=FILE)
os.system(cmd)
## this will lead to this in cmd :
##   less '';ls;#.txt''
## And it will inject the ls command after you quit less '' with the Q key

--

TODO :
a) The returned 2-tuple command line should be quoted in this way to make shell commands stay inside the 'quotes' :
1.] Remove the quotes from the caps string, for example make it
  less %s and NOT less '%s'
2.] Now quote the filename with quote(filename), so we get for example
  ';xmessage hello world;#.txt' in the filename variable.
3.] Now we replace %s with the filename, so now we get
  less ';xmessage hello world;#.txt' and NOT less '';xmessage hello world;#.txt''

b) The mailcap.py script itself is using "os.system()" which is vulnerable to shell injections.
They should all be replaced with "subprocess.Popen()" or "subprocess.call()".

c) The "MIMEtype" parameter is missing for test.
If there is %s in the 'test' entries key we get a "TypeError: cannot concatenate 'str' and 'list' objects" error.
   Should be like this :
   test = subst( e['test'],  MIMEtype, filename, plist)

d) Think about replacing this script completely with the "run-mailcap"
program of the Debian project.

--
You can find mailcap.py in these locations :
libpython2.7-stdlib: /usr/lib/python2.7/mailcap.py
libpython3.4-stdlib: /usr/lib/python3.4/mailcap.py
libpython3.4-testsuite: /usr/lib/python3.4/test/test_mailcap.py
libpython3.5-stdlib: /usr/lib/python3.5/mailcap.py
libpython3.5-testsuite: /usr/lib/python3.5/test/test_mailcap.py
pypy-lib: /usr/lib/pypy/lib-python/2.7/mailcap.py
python-mailutils: /usr/lib/python2.7/dist-packages/mailutils/mailcap.py

--

Weblinks :
http://www.freiesmagazin.de/mobil/freiesMagazin-2015-10-bilder.html#fm_15_10_shell_command_injection
http://bugs.python.org/issue24778

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython3.5-stdlib 3.5.0-3
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: XFCE
Date: Mon Oct 26 22:48:55 2015
InstallationDate: Installed on 2015-10-09 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python3.5
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python3.5 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Information type changed from Private Security to Public Security

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4506156/+files/JournalErrors.txt

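Point 2) and TODO item a) of the report above, as an added example that is not part of the original report or of mailcap.py. It follows the list-returning approach the patch message describes; echo stands in for the viewer, and the templates, the file name, the helper names and the "./" prefix for names that start with "-" are assumptions made for this illustration.

```python
import re
import shlex
import subprocess

# Constructed mailcap-style view templates. echo stands in for the viewer
# (less, vlc) so the example only ever prints text.
QUOTED_TEMPLATE = "echo '%s'"   # entry that already wraps %s in quotes
BARE_TEMPLATE = "echo %s"       # entry that leaves %s bare

# Constructed file name in the style of the report's Exploit Example 2.
HOSTILE = ";echo INJECTED;#.txt"


def naive_cmdline(template, filename):
    """Quote the name first, then paste it into the template as a string."""
    return template.replace("%s", shlex.quote(filename))


def build_argv(template, filename):
    """Build an argument list instead of a shell string (hypothetical helper).

    1. remove the template's own quotes around %s
    2. split the template into words
    3. put the untouched file name into the %s slot of a single word
    """
    if filename.startswith("-"):
        # Addition in this example: keep the name from being read as an option.
        filename = "./" + filename
    unquoted = re.sub(r"""(['"])%s\1""", "%s", template)
    return [word.replace("%s", filename) for word in shlex.split(unquoted)]


def run_shell(cmdline):
    """What os.system(cmdline) hands to /bin/sh, with the output captured."""
    done = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(argv):
    """Run the viewer directly; no shell ever parses the file name."""
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    for template in (QUOTED_TEMPLATE, BARE_TEMPLATE):
        cmdline = naive_cmdline(template, HOSTILE)
        print("shell string:", cmdline, "->", run_shell(cmdline))
        argv = build_argv(template, HOSTILE)
        print("argv list:   ", argv, "->", run_argv(argv))
```

Quoting before substitution holds only for the bare template; the argument list gives the same single file-name argument for both templates.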

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-26 Thread Bernd Dietzel
** Description changed:

  https://docs.python.org/2/library/mailcap.html
  mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]])
  Return a 2-tuple; the first element is a string containing the command line 
to be executed (which can be passed to os.system()), ...
  
  Security Bug in mailcap.findmatch() function :
  
  
  1) If  the "filename" or path contains a shell command , it will be injected 
when you use os.system() to execute the resulting command line. As you can read 
in the docs above, the function is designed to run  os.system().
  (Have a look at the Exploit Example 1 below )
  
- 2) If you try to 'quote' the filename before using mailcap.findmatch() , the 
shell command can be injected too, because there may be another quoting inside 
the mailcaps strings witch allows the shell commands to escape. 
- (Have a look  at the Exploit Example 2 below)  
+ 2) If you try to 'quote' the filename before using mailcap.findmatch() , the 
shell command can be injected too, because there may be another quoting inside 
the mailcaps strings witch allows the shell commands to escape.
+ (Have a look  at the Exploit Example 2 below)
  
  3) There is no way to split the resulting command line in a correct way
  afterwards into a list object with a "command" and its "parameters"
  because after running the function you will never now if the characters
  for splitting the line where a part of the the filename or a part of the
- the mailcap command in the first place. So even if you use subprocess
- for executing the commandline instead of os.system , you can get in
- trouble with unwanted parameters witch may make the viewer doing bad
- things.
- 
+ mailcap command in the first place. So even if you use subprocess for
+ executing the commandline instead of os.system , you can get in trouble
+ with unwanted parameters witch may make the viewer doing bad things.
  
  Python Exploit Example 1 :
  
  import mailcap , os
  d=mailcap.getcaps()
  FILE="';ls;#';ls;#.mp4"
  cmd,m=mailcap.findmatch(d, "audio/mpeg4", filename=FILE)
  os.system(cmd)
- ## this will lead to this in cmd : 
- ##  vlc '';ls;#';ls;#.mp4' 
- ## Or it will lead us to this in cmd : 
+ ## this will lead to this in cmd :
+ ##  vlc '';ls;#';ls;#.mp4'
+ ## Or it will lead us to this in cmd :
  ##  vlc ';ls;#';ls;#.mp4
  ## No matter what, it  will inject the ls command after you quit vlc
-  
+ 
  --
  
  Python Exploit Example 2 :
  
  import mailcap , os
  try:
- from shlex import quote
+   from shlex import quote
  except ImportError:
- from pipes import quote
+   from pipes import quote
  d=mailcap.getcaps()
  FILE=quote(";ls;#.txt")
  cmd,m=mailcap.findmatch(d, "text/plain", filename=FILE)
- os.system(cmd) 
+ os.system(cmd)
  ## this will lead to this in cmd :
  ##   less '';ls;#.txt''
  ## And it will inject the ls command after you quit less '' with the Q key
-  
+ 
  --
  
  TODO :
  a) The Return 2-tuple Command line should be quoted in this way to make shell 
commands stay inside the 'quotes'  :
- 1.] Remove the quotes from the caps string, for example make it
-   less %s and NOT less '%s' 
- 2.] Now quote the filename with quote(filename) , so we get for example 
-   ';xmessage hello world;#.txt'in the filename variable. 
- 3.] Now we replace %s with the filename  , so now we get 
-  less  ';xmessage hello world;#.txt' and NOTless '';xmessage 
hello world;#.txt''
-  
+ 1.] Remove the quotes from the caps string, for example make it
+   less %s and NOT less '%s'
+ 2.] Now quote the filename with quote(filename) , so we get for example
+   ';xmessage hello world;#.txt'in the filename variable.
+ 3.] Now we replace %s with the filename  , so now we get
+  less  ';xmessage hello world;#.txt' and NOTless '';xmessage 
hello world;#.txt''
+ 
  b) The mailcap.py script itself is using "os.system()" witch is vulnerable 
for shell injections.
-  They should be all replaced with "subprocess.Popen()" or 
"subprocess.call()".
+  They should be all replaced with "subprocess.Popen()" or 
"subprocess.call()".
  
  c) The "MIMEtype" parameter is missing for test.
- if there is %s in the  'test' entries key we get a "TypeError: cannot 
concatenate 'str' and 'list' objects" error.  
-Should be like this :
-test = subst( e['test'],  MIMEtype, filename, plist)
+ if there is %s in the  'test' entries key we get a "TypeError: cannot 
concatenate 'str' and 'list' objects" error.
+    Should be like this :
+    test = subst( e['test'],  MIMEtype, filename, plist)
  
- d) Think about replacing this scrip completely with the "run-mailcap"
+ d) Think about replacing this script completely with the "run-mailcap"
  program of the debian project.
- 
  
  --
  You can find mailcap.py in this locations :
  libpython2.7-stdlib: /usr/lib/python2.7/mailcap.py
  libpython3.4-stdlib: 

[Bug 1509835] Re: Possible Shell Command Injection

2015-10-26 Thread Bernd Dietzel
** Information type changed from Public to Public Security



[Bug 1467666] Re: speechd_config executes Shell Commands

2015-10-25 Thread Bernd Dietzel
Patch

** Patch added: "Patch for 
/usr/lib/python3/dist-packages/speechd_config/config.py"
   
https://bugs.launchpad.net/ubuntu/+source/speech-dispatcher/+bug/1467666/+attachment/4504591/+files/Patch.diff



[Bug 1466633] Re: Pluma Plugin "Snippets" Manager - Shell Command Injection

2015-10-25 Thread Bernd Dietzel
I attached a patch which solves the problem.
I have tested it with gedit 3.10.4 and Ubuntu 15.10
Should be the same in pluma.

** Patch added: "Patch for gedit importer.py"
   
https://bugs.launchpad.net/gedit/+bug/1466633/+attachment/4504703/+files/importer.py_Patch.diff



[Bug 1509835] [NEW] Possible Shell Command Injection

2015-10-25 Thread Bernd Dietzel
Public bug reported:

Because of this os.system call  in AptOfflineCoreLib.py

x = os.system("%s %s %s %s" % (self.gpgv, self.opts, signature_file, signed_file) )

the python script is vulnerable to shell command injections in 4 ways.

1. if there is a shell command in the path, for example   /tmp/$(xterm)/gpgv/
2. in the "keyring" text
3. in the name of the "signature file"
4. in the name of the "signed_file",  for example ;xmessage hello;#.gpg

I attached a patch for this

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apt-offline 1.6.1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Oct 25 17:06:11 2015
InstallationDate: Installed on 2015-10-09 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
PackageArchitecture: all
SourcePackage: apt-offline
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apt-offline (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug patch wily

** Patch added: "Patch for AptOfflineCoreLib.py"
   https://bugs.launchpad.net/bugs/1509835/+attachment/4504792/+files/patch.diff

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/apt-offline/+bug/1509835/+attachment/4504794/+files/JournalErrors.txt

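The os.system() call from the report above beside an argument-list form that splits only the opts string and captures stdout and stderr, as an added example that is not the attached patch or apt-offline's code; the same replacement is what the find_library() report asks for in place of os.popen(). echo stands in for gpgv, and the function names, option string and file names are constructed for this illustration.

```python
import shlex
import subprocess

# Constructed values; echo stands in for gpgv so the example only prints text.
GPGV = "echo"
OPTS = "--keyring '/tmp/demo ring.gpg'"        # one option whose value has a space
SIGNATURE = "Release.gpg"
HOSTILE_SIGNED = ";echo INJECTED;#.gpg"        # case 4 in the report
HOSTILE_PATH = "/tmp/$(echo INJECTED)/gpgv"    # case 1 in the report


def verify_shell_string(gpgv, opts, signature_file, signed_file):
    """The reported pattern: four values pasted into one string for the shell.

    subprocess.run(shell=True) stands in for os.system() so that the
    output can be captured and compared.
    """
    cmd = "%s %s %s %s" % (gpgv, opts, signature_file, signed_file)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.returncode, done.stdout, done.stderr


def verify_argv(gpgv, opts, signature_file, signed_file):
    """Each value is one argv element and no shell is involved.

    Only opts is split, with shlex so quoted option values stay whole.
    A program path that cannot be executed is reported, not interpreted.
    """
    argv = [gpgv] + shlex.split(opts) + [signature_file, signed_file]
    try:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, text=True)
    except OSError as exc:
        # 127 mirrors the shell's "command not found" status.
        return 127, "", str(exc)
    out, err = proc.communicate()
    return proc.returncode, out, err


if __name__ == "__main__":
    for fn in (verify_shell_string, verify_argv):
        print(fn.__name__, fn(GPGV, OPTS, SIGNATURE, HOSTILE_SIGNED))
        print(fn.__name__, fn(HOSTILE_PATH, OPTS, SIGNATURE, "Release"))
```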


[Bug 1506823] Re: Shell Command Injection with a picture

2015-10-24 Thread Bernd Dietzel
Patch to fix the shell command injection
pitivi Version 0.94


** Patch added: "patch for mainwindow.py , pitivi Version 0.94"
   
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4504236/+files/mainwindow.py.diff



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-10-23 Thread Bernd Dietzel
Better patch attached for the clementine unity scope Python script.

1) I use subprocess.Popen() this time instead of the simple subprocess.call() before.
2) Should now handle albumtracks in a better way because it's a list of strings.
3) Clementine now gives you an error message on playing a file when shell commands are in the filename.
4) A folder path with shell commands in the pathname will not be injected and not opened.

... could someone check it please ?


 

** Patch added: "Better patch"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4503381/+files/patch2.diff



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-10-22 Thread Bernd Dietzel
I attached a patch for unity_clementine_daemon.py which should solve the
problem using subprocess

** Patch added: "unity_clementine_daemon_patch.diff"
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4502656/+files/unity_clementine_daemon_patch.diff



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-19 Thread Bernd Dietzel
Workaround ... 
to make my modified "hostname.sh" script run at startup, I changed the file /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/etc/init.d/hostname.sh start

exit 0



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
That's better ... (the "-" was wrong in my previous posting )

HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"

I attached a modified hostname.sh which uses bash.

It can be started manually with

sudo  /etc/init.d/hostname.sh start

The command should somehow run at startup ... but does not by default ?

** Attachment added: "hostname.sh"
   
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4499613/+files/hostname.sh



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
Patch :

HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
I agree,
I think the hostname should be in the hands of the kernel only.
Should not be overwritten by /etc/hostname.sh.



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
typo ... the path is 
/etc/init.d/hostname.sh



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
german demo video
https://www.youtube.com/watch?v=qYuVzHsklS8



[Bug 1506823] [NEW] Shell Command Injection with a picture

2015-10-16 Thread Bernd Dietzel
Public bug reported:

mainwindow.py , Line 486
os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

If you import an image and double click on it to see a preview,
any shell command in the picture name will be executed.

For example :
1) rename a picture to this name

$(xmessage hello world).png

2) import the picture

3) double-click on the picture entry in the media library.

4) xmessage runs

So, please use subprocess, not os.system

screenshot attached

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: pitivi 0.94-4
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 12:16:05 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: pitivi
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: pitivi (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Screenshot.png"
   
https://bugs.launchpad.net/bugs/1506823/+attachment/4496768/+files/Screenshot.png

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496770/+files/JournalErrors.txt

** Attachment removed: "Dependencies.txt"
   
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496769/+files/Dependencies.txt

** Attachment removed: "ProcEnviron.txt"
   
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496771/+files/ProcEnviron.txt



[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-16 Thread Bernd Dietzel
** Attachment removed: "Dependencies.txt"
   
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497265/+files/JournalErrors.txt

** Attachment removed: "ProcEnviron.txt"
   
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497266/+files/ProcEnviron.txt

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507025

Title:
  Shell Command Injection with the hostname

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions



[Bug 1460413] Re: Shell Command Injection in logcapture.py

2015-10-03 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1460413

Title:
  Shell Command Injection in logcapture.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/1460413/+subscriptions



[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-10-03 Thread Bernd Dietzel
fix works.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-30 Thread Bernd Dietzel
Whether the shell command can be injected seems to depend only on how the
music players store their data.

The Gmusicbrowser Unity Scope seems to be lucky because the
gmusicbrowser player changes special chars in the name before it stores
it in its database.

The Audacious Scope  and Clementine Scope are not so lucky.

I attached a screenshot where you can see the differences.


** Attachment added: db.png
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4454462/+files/db.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-14 Thread Bernd Dietzel
Exploit demo video (German)
https://www.youtube.com/watch?v=JrP7B6CIOMQ

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-10 Thread Bernd Dietzel
I attached a Clementine Scope exploit screenshot demo


** Attachment added: exploid scope clementine
   
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+attachment/4442436/+files/Clementine%20Scope%20Exploid%20Screenshot.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions



[Bug 1483037] [NEW] Possible Shell Comand Injection in deamon

2015-08-09 Thread Bernd Dietzel
Public bug reported:

File :
/usr/share/unity-scopes/gmusicbrowser/unity_gmusicbrowser_daemon.py

Function do_activate is vulnerable to shell commands in the filename
of the tracks, the dirname of the album and the albumtracks.


os.system("xdg-open '%s'" % str(dirname))
## Example : xterm starts when dirname=/tmp/';xterm;#'.mp3

Same problem here :
os.system('gmusicbrowser -play -playlist %s' % albumtracks)

So ... 
Should not use os.system.
Should use subprocess.Popen with the parameter shell=False or should use 
quote().

Thank you.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: unity-scope-gmusicbrowser 0.1+13.10.20130723-0ubuntu1
ProcVersionSignature: Ubuntu 4.1.0-3.3-generic 4.1.3
Uname: Linux 4.1.0-3-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.18-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Aug  9 20:29:56 2015
InstallationDate: Installed on 2015-08-09 (0 days ago)
InstallationMedia: Ubuntu 15.10 Wily Werewolf - Alpha amd64 (20150808)
PackageArchitecture: all
SourcePackage: unity-scope-gmusicbrowser
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: unity-scope-gmusicbrowser (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Comand Injection in deamon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions



[Bug 1483037] Re: Possible Shell Comand Injection in deamon

2015-08-09 Thread Bernd Dietzel
Same issues in :
/usr/share/unity-scopes/audacious/unity_audacious_daemon.py
/usr/share/unity-scopes/guayadeque/unity_guayadeque_daemon.py
/usr/share/unity-scopes/clementine/unity_clementine_daemon.py
/usr/share/unity-scopes/musique/unity_musique_daemon.py

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Comand Injection in deamon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions



[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-09 Thread Bernd Dietzel
** Summary changed:

- Possible Shell Comand Injection in deamon
+ Possible Shell Command Injection in daemon

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions



[Bug 1467666] Re: speechd_config executes Shell Commands

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1467666

Title:
  speechd_config executes Shell Commands

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/speech-dispatcher/+bug/1467666/+subscriptions



[Bug 1466633] Re: Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1466633

Title:
  Pluma Plugin Snippets Manager - Shell Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pluma/+bug/1466633/+subscriptions



[Bug 1462470] Re: pydoc.py uses old netscape navigator

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions



[Bug 1460403] Re: Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py

2015-06-30 Thread Bernd Dietzel
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1460403

Title:
  Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gimp-plugin-registry/+bug/1460403/+subscriptions



[Bug 1467666] [NEW] speechd_config executes Shell Commands

2015-06-22 Thread Bernd Dietzel
Public bug reported:

If espeak is installed, some functions in the script
speechd_config.py can be used to execute shell commands.

--

Demo example, type in from the terminal :

theregrunner@mint17 : ~ $ python3
Python 3.4.0 (default, Apr 11 2014, 13:05:18) 
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import speechd_config
>>> speechd_config.options.use_espeak_synthesis=True
>>> speechd_config.report('This executes xterm but should not  ;xterm;#' )

--

The problem is that the script uses os.system() commands when espeak is
installed

/usr/lib/python3/dist-packages/speechd_config/config.py

line 34 - 39 :

def report(msg):
    """Output information messages for the user on stdout
    and if desired, by espeak synthesis"""
    print(msg)
    if options.use_espeak_synthesis:
        os.system("espeak \"" + msg + "\"")

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: python3-speechd 0.8-5ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-37.64-generic 3.13.11.7
Uname: Linux 3.13.0-37-generic i686
ApportVersion: 2.14.1-0ubuntu3.11
Architecture: i386
Date: Mon Jun 22 22:23:54 2015
InstallationDate: Installed on 2015-04-19 (64 days ago)
InstallationMedia: Linux Mint 17.1 Rebecca - Release i386 20150108
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=set
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: speech-dispatcher
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: speech-dispatcher (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apport-bug i386 rebecca

** Attachment added: Exploid Screenshot
   
https://bugs.launchpad.net/bugs/1467666/+attachment/4418906/+files/Screenshot.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1467666

Title:
  speechd_config executes Shell Commands

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/speech-dispatcher/+bug/1467666/+subscriptions



[Bug 1466633] Re: Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-21 Thread Bernd Dietzel
Same problem with gedit 2.30.4 in Linux Mint 17.1 Rebecca

Watch my (German) shell command injection demo video at timecode
10:00min

https://www.youtube.com/watch?v=abP76r-2js0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1466633

Title:
  Pluma Plugin Snippets Manager - Shell Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pluma/+bug/1466633/+subscriptions



[Bug 1466633] [NEW] Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-18 Thread Bernd Dietzel
Public bug reported:

The Snippets plugin in Pluma 1.8.1 is vulnerable to shell commands.

If you activate the snippet plugin, you can use tools - manage
snippets from the main menu of pluma.

Example : 

If you import a snippet with the manager which has a filename like this :

;xterm;#Snippets Archive.tar.gz

the shell command ;xterm;# will be injected and will execute the
program xterm as an exploit demo.

The reason is a bug in the Importer.py Python script :
/usr/lib/x86_64-linux-gnu/pluma/plugins/snippets/Importer.py
https://github.com/mate-desktop/pluma/blob/master/plugins/snippets/snippets/Importer.py

def import_archive(self, cmd):
    dirname = tempfile.mkdtemp()
    status = os.system('cd %s; %s %s' % (dirname, cmd, self.filename))

The os.system command puts the filename in %s to a shell and executes it.


The dirname should be checked, too.

So, please do not use os.system in the Importer and Exporter scripts, 
use subprocess.Popen() with shell=False 
or use quote() to work around this bug.

Thanks :-)


---
Remark :
Because there seems to be another bug (1357735) in pluma,
I could not enable the python snippets in Kubuntu 15.04 or Ubuntu-Mate 15.04.
So I attached a screenshot where I reproduced it in another OS called
HardenedBSD with Mate Desktop.


ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: pluma 1.8.1+dfsg1-2
ProcVersionSignature: Ubuntu 3.19.0-21.21-generic 3.19.8
Uname: Linux 3.19.0-21-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 18 21:24:29 2015
InstallationDate: Installed on 2015-05-15 (33 days ago)
InstallationMedia: Kubuntu 15.04 Vivid Vervet - Release amd64 (20150422)
SourcePackage: pluma
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: pluma (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: pluma snippet

** Attachment added: Screenshot
   
https://bugs.launchpad.net/bugs/1466633/+attachment/4416901/+files/Pluma%201.8.1%20in%20HardenedBSD%20with%20mate%20Desktop.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1466633

Title:
  Pluma Plugin Snippets Manager - Shell Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pluma/+bug/1466633/+subscriptions



[Bug 1462470] [NEW] pydoc.py uses old netscape navigator

2015-06-05 Thread Bernd Dietzel
Public bug reported:

File :
/usr/lib/python2.7/pydoc.py

line : 2216 ... 2226

pydoc.py uses old netscape navigator when the webbrowser module can not
be imported:

And it is vulnerable to shell command injection too,
because it uses os.system() which allows shell commands in the parameter url.

code :

def open(self, event=None, url=None):
    url = url or self.server.url
    try:
        import webbrowser
        webbrowser.open(url)
    except ImportError: # pre-webbrowser.py compatibility
        if sys.platform == 'win32':
            os.system('start "%s"' % url)
        else:
            rc = os.system('netscape -remote "openURL(%s)" &' % url)
            if rc: os.system('netscape "%s" &' % url)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun  5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apport-bug i386 vivid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions



[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-21 Thread Bernd Dietzel
Ok, the parameters are filtered now.

I'd still like to see subprocess.Popen() in combination with its parameter 
shell=False in the code.
Please do not use commands.getstatusoutput(); it's unsafe when there are 
arguments in the string which the attacker can reach.
subprocess.Popen() directs the arguments in a better way to the program you 
want to run, so the args cannot execute another program.
https://docs.python.org/2/library/subprocess.html

And again, think about quoting if you still want to use 
commands.getstatusoutput() for some reason.
Quoting with shlex.quote(arg) should prevent shell command injection and ... 
quoting may also prevent an attacker from disabling the firewall if he appends some 
valid ufw commands, not only shell commands ;-)
https://docs.python.org/3/library/shlex.html#shlex.quote

Greetings from Germany
Bernd

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions
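
The os.system() calls quoted in the reports above build their command lines in three ways (a bare %s, '%s' and "..."), and the replies recommend shlex.quote() or subprocess without a shell. The following is an added example, not code from any of the affected packages: it passes constructed file names to a harmless printf stand-in and reports which construction hands the name over unchanged. PROG, SAMPLES and all function names are assumptions made for the illustration.

```python
import shlex
import subprocess

# Harmless stand-in for xdg-open / espeak / the archive tool: it prints the
# single argument it received between angle brackets. Assumed for this example.
PROG = "printf '<%s>\\n'"

# Constructed file names. "echo INJECTED" takes the place of the xterm and
# xmessage calls used in the reports, so nothing beyond echo ever runs.
SAMPLES = [
    "holiday photo.png",
    "a';echo INJECTED;#'.mp3",
    "$(echo INJECTED).png",
    'say";echo INJECTED;#',
]


def via_shell(command):
    """Hand a command string to /bin/sh -c, as os.system() does."""
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=False)
    return done.stdout


def unquoted(name):
    # Pattern of: os.system('gmusicbrowser -play -playlist %s' % albumtracks)
    return via_shell(PROG + (" %s" % name))


def single_quoted(name):
    # Pattern of: os.system("xdg-open '%s'" % str(dirname))
    return via_shell(PROG + (" '%s'" % name))


def double_quoted(name):
    # Pattern of: os.system("espeak \"" + msg + "\"")
    return via_shell(PROG + (' "%s"' % name))


def shlex_quoted(name):
    # Still goes through a shell, but the argument is escaped as one word.
    return via_shell(PROG + " " + shlex.quote(name))


def argv_list(name):
    # No shell involved: the name is exactly one argv entry of the program.
    done = subprocess.run(["printf", "<%s>\\n", name], shell=False,
                          capture_output=True, text=True, check=False)
    return done.stdout


def intact(stdout, name):
    """True only if the program received exactly `name` as its one argument."""
    return stdout == "<%s>\n" % name


def survey():
    """Map each construction to the sample names it delivered unchanged."""
    builders = [unquoted, single_quoted, double_quoted, shlex_quoted, argv_list]
    return {b.__name__: [s for s in SAMPLES if intact(b(s), s)]
            for b in builders}


if __name__ == "__main__":
    for builder, ok in survey().items():
        print("%-14s intact for %d of %d names" % (builder, len(ok), len(SAMPLES)))
```

Each hand-written quoting style fails on a different name, which is why filtering or adding quote characters in the format string does not close the hole; only shlex.quote() and the argv list deliver all four names unchanged.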



[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-20 Thread Bernd Dietzel
I was able to use iface to insert a shell command, too.

1.) save a profile which uses some interface, for example eth0, to your home 
directory.
2.) edit the file like this

iface = eth0;xterm;

3.) rename the profile to some other name than before
4.) import the new profile with Gufw from your home directory
5.) use the new profile
6.) xterm starts  boom :-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions



[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-19 Thread Bernd Dietzel
It was an honor to help you :-)

Maybe it would be a good idea to think about 'quoting' each and every 
parameter before it's passed to the command?
https://docs.python.org/3/library/shlex.html#shlex.quote

with best regards
Bernd

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions



[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-18 Thread Bernd Dietzel
Interesting. One thing leads to another thing :-)

If it gets worse you may want to think about going back and using
subprocess.Popen() instead of the old commands.getstatusoutput()

This could make the code shorter.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions



[Bug 877631] Re: AssertionError after interruption/restart of backup

2011-11-08 Thread Bernd Dietzel
i am using deja-dup 20.1-0ubuntu0.2 (oneiric-proposed) to fix the
problem, but the bug is still there

i am using ubuntu 11.10 32 bit with german Language (de) 
i had used a password for encryption ( letters a-z , 0-9,  and special char - 
)
i choose to keep the password
i choose to keep the backup one month ( maybe i changed to this while backup 
was running )
i interrupted backup 
i tried to resume next day 

 Error Message --
Traceback (most recent call last):
  File "/usr/bin/duplicity", line 1359, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1342, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1222, in main
    globals.archive_dir).set_values()
  File "/usr/lib/python2.7/dist-packages/duplicity/collections.py", line 684, in set_values
    self.get_backup_chains(partials + backend_filename_list)
  File "/usr/lib/python2.7/dist-packages/duplicity/collections.py", line 807, in get_backup_chains
    map(add_to_sets, filename_list)
  File "/usr/lib/python2.7/dist-packages/duplicity/collections.py", line 797, in add_to_sets
    if set.add_filename(filename):
  File "/usr/lib/python2.7/dist-packages/duplicity/collections.py", line 94, in add_filename
    (self.volume_name_dict, filename)
AssertionError: ({1: u'duplicity-full.2007T184703Z.vol1.difftar.gpg', 10: 
u'duplicity-full.2007T184703Z.vol10.difftar.gpg', 11: 
u'duplicity-full.2007T184703Z.vol11.difftar.gpg', 12: 
u'duplicity-full.2007T184703Z.vol12.difftar.gpg', 13: 
u'duplicity-full.2007T184703Z.vol13.difftar.gpg', 14: 
u'duplicity-full.2007T184703Z.vol14.difftar.gpg', 15: 
u'duplicity-full.2007T184703Z.vol15.difftar.gpg', 16: 
u'duplicity-full.2007T184703Z.vol16.difftar.gpg', 17: 
u'duplicity-full.2007T184703Z.vol17.difftar.gpg', 18: 
u'duplicity-full.2007T184703Z.vol18.difftar.gpg', 19: 
u'duplicity-full.2007T184703Z.vol19.difftar.gpg', 20: 
u'duplicity-full.2007T184703Z.vol20.difftar.gpg', 21: 
u'duplicity-full.2007T184703Z.vol21.difftar.gpg', 22: 
u'duplicity-full.2007T184703Z.vol22.difftar.gpg', 23: 
u'duplicity-full.2007T184703Z.vol23.difftar.gpg'}, 
u'duplicity-full.2007T184703Z.vol23.difftar.gz')

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/877631

Title:
  AssertionError after interruption/restart of backup

To manage notifications about this bug go to:
https://bugs.launchpad.net/deja-dup/+bug/877631/+subscriptions


[Bug 711561] Re: Compiz won't allow Desktop Cube plugin to load with unity

2011-03-13 Thread Bernd Dietzel
i got the cube running with wall and unity

on the compiz config settings manager (ccsm) disable auto sort plugins
add cube and so on manually
the unity plugin has to be more at the end than the cube
the wall has to be above the cube

start the gnome-panel from a terminal, set 4 Desktops in one row to get
a cube.

i uploaded my compiz config settings  here :
http://ubuntuone.com/p/hSx/

and made a Video on YT to show how to set up :
http://www.youtube.com/watch?v=pjhFz-wv6Qw

hope this helps you

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711561

Title:
  Compiz won't allow Desktop Cube plugin to load with unity



[Bug 731451] [NEW] audacity not working in Ubuntu 11.04 Alpha3

2011-03-08 Thread Bernd Dietzel
Public bug reported:

Binary package hint: audacity

Audacity Version : 1.13.12-14ubuntu1
Ubuntu Version :  Ubuntu 11.04 Natty Narwhal Alpha3 , 64bit 

When Audacity starts the CPU usage rises high, even when no audio file
has been opened yet.

Then, when you try to open an audio file like a wave file ... nothing
happens at all, no wave file shown in audacity.

When you press CTRL+N a new Audacity window opens, and when you try to 
open the same wave file in this new audacity window you may have luck and it 
works now. 
Sometimes again nothing happens - and you have to do this a third time to get 
the file loaded.

The very first audacity window is hard to close, you have to do killall
audacity in a terminal.

Please check if it's an audacity problem or has something to do with the new 
Ubuntu 11.04 (Xorg, X11, python 2.7... ?)
Thanks!

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: audacity 1.3.12-14ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-5.32-generic 2.6.38-rc6
Uname: Linux 2.6.38-5-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Tue Mar  8 17:42:35 2011
InstallationMedia: Ubuntu 11.04 Natty Narwhal - Alpha amd64 (20110301.7)
ProcEnviron:
 LANGUAGE=de_DE:en
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: audacity
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: audacity (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug natty running-unity

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/731451

Title:
  audacity not working in Ubuntu 11.04 Alpha3



[Bug 731451] Re: audacity not working in Ubuntu 11.04 Alpha3

2011-03-08 Thread Bernd Dietzel
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/731451

Title:
  audacity not working in Ubuntu 11.04 Alpha3
