Public bug reported:

If there is a shell command inside the path, it will be executed. In this demo the program xeyes will start but should not:

~ $ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bzrlib.externalcommand as E
>>> x=E.ExternalCommand('/tmp/$(xeyes)/test/abc')
>>> y=x.help()
sh: 1: /tmp//test/abc: not found
>>> # xeyes does run now

Package: python-bzrlib
File: /usr/lib/python2.7/dist-packages/bzrlib/externalcommand.py
Line 64: pipe = os.popen('%s --help' % self.path)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-bzrlib 2.7.0-2ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
Uname: Linux 4.4.0-66-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat May 27 13:00:36 2017
InstallationDate: Installed on 2016-07-31 (300 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: bzr (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug sarah

** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884525/+files/Dependencies.txt

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884526/+files/JournalErrors.txt

** Attachment removed: "ProcCpuinfoMinimal.txt"
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884527/+files/ProcCpuinfoMinimal.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1694007

Title:
  externalcommand.py : Shell injection with a Path name

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
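The root cause reported above is that `os.popen('%s --help' % self.path)` hands the path to /bin/sh, so `$(...)` in it is expanded. The following is an added illustration (not code from bzr or the reporter) that shows the string the vulnerable pattern would pass to the shell without executing it, beside a hardened `safe_help()` that runs the command as an argv list with no shell at all; `SAMPLE_PATH` is a constructed benign value and `shlex.quote` is the Python 3 name (`pipes.quote` on 2.7).

```python
import shlex
import subprocess
import sys

# Constructed sample: a path carrying a harmless command substitution.
SAMPLE_PATH = '/tmp/$(true)/test/abc'
# A real executable for the positive case of safe_help().
SAMPLE_EXECUTABLE = sys.executable


def vulnerable_help_command(path):
    """The exact string os.popen() would pass to /bin/sh in the reported
    bug (externalcommand.py line 64). Returned, not executed: with a shell
    in the loop, $(...) inside the path would be expanded and run."""
    return '%s --help' % path


def safe_help(path, timeout=5):
    """Run '<path> --help' with no shell. The path is a single argv entry,
    so $(...), backticks, ';' or '|' in it are just bytes of a filename.
    Returns (ok, text); a missing or non-executable path is reported, not
    interpreted."""
    try:
        proc = subprocess.run([path, '--help'],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT,
                              timeout=timeout, check=False)
    except FileNotFoundError:
        return False, 'not found: %r' % path
    except OSError as exc:  # e.g. EACCES, ENOEXEC
        return False, '%s: %r' % (exc.strerror, path)
    return proc.returncode == 0, proc.stdout.decode('utf-8', 'replace')


def quoted_help_command(path):
    """Fallback when a shell string is unavoidable (e.g. os.popen on 2.7):
    quote the untrusted part so the shell treats it as one literal word."""
    return '%s --help' % shlex.quote(path)
```

The assertions below confirm that the list form never expands the substitution: the sample path is simply reported as not found, while the quoted form wraps the whole path in single quotes.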