Public bug reported:

Because of this os.system call in AptOfflineCoreLib.py

x = os.system("%s %s %s %s" % (self.gpgv, self.opts, signature_file, signed_file) )

the Python script is vulnerable to shell command injection in 4 ways:

1. If there is a shell command in the path, for example /tmp/$(xterm)/gpgv/
2. In the "keyring" text
3. In the name of the "signature file"
4. In the name of the "signed_file", for example ;xmessage hello;#.gpg

I attached a patch for this.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apt-offline 1.6.1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Oct 25 17:06:11 2015
InstallationDate: Installed on 2015-10-09 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
PackageArchitecture: all
SourcePackage: apt-offline
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apt-offline (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug patch wily

** Patch added: "Patch for AptOfflineCoreLib.py"
   https://bugs.launchpad.net/bugs/1509835/+attachment/4504792/+files/patch.diff

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/apt-offline/+bug/1509835/+attachment/4504794/+files/JournalErrors.txt

https://bugs.launchpad.net/bugs/1509835

Title:
  Possible Shell Command Injection
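
Added example (not part of the bug report, the attached patch, or apt-offline's code): the reported format string tokenized the way a shell would see it, next to the same values passed as an argument list with no shell. The function names, the keyring path and the argv-echo stand-in for gpgv are assumptions for illustration; the hostile file name is the one quoted in the report.

```python
import json
import shlex
import subprocess
import sys

# File name taken from the report; keyring path and file names are constructed.
HOSTILE = ";xmessage hello;#.gpg"
KEYRING = "/tmp/trusted.gpg"

# Constructed stand-in for gpgv: prints the arguments it received as JSON.
ARGV_ECHO = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def shell_view(gpgv, opts, signature_file, signed_file):
    """Split the reported command string roughly as a POSIX shell would.

    Nothing is executed; shlex only approximates shell tokenization.
    """
    cmd = "%s %s %s %s" % (gpgv, opts, signature_file, signed_file)
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def build_argv(program, keyrings, signature_file, signed_file):
    """Hypothetical replacement: each value becomes exactly one argv element."""
    argv = list(program)
    for keyring in keyrings:
        argv += ["--keyring", keyring]
    return argv + [signature_file, signed_file]


def run_verify(program, keyrings, signature_file, signed_file):
    """Run the verifier directly, with no shell in between."""
    argv = build_argv(program, keyrings, signature_file, signed_file)
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Shell string: ';' ends the gpgv command and '#' comments out the rest.
    print(shell_view("gpgv", "--keyring " + KEYRING, "Release.gpg", HOSTILE))
    # Argument list: the child sees the hostile name as one plain argument.
    proc = run_verify(ARGV_ECHO, [KEYRING], "Release.gpg", HOSTILE)
    print(json.loads(proc.stdout))
```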
