*** This bug is a security vulnerability ***

Public security bug reported:

File : /usr/lib/python2.7/distutils/command/bdist_rpm.py
Line 358 :
This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() :

out = os.popen(q_cmd)

Exploit demo :
============
1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov 8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug wily

** Attachment added: "Exploit demo setup.py script with a Shell command in "name""
   https://bugs.launchpad.net/bugs/1514183/+attachment/4515059/+files/setup.py

** Summary changed:

- distutils : filebdist_rpm.py allows Shell injection in "name"
+ distutils : file "bdist_rpm.py" allows Shell injection in "name"

** Information type changed from Public to Public Security

** Description changed:

  File : /usr/lib/python2.7/distutils/command/bdist_rpm.py
- Line 358 :
- This line in the code uses the depreached os.popen command, should be replaced with supbprocess.Popen() :
+ Line 358 :
+ This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() :

  out = os.popen(q_cmd)

  Exploit demo :
  ============
  1) Download the setup.py script wich i attached
  2) Create a test folder an put the setup.py script in this folder
  3) cd to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov 8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py" allows Shell injection in "name"
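The report's fix suggestion (replace the os.popen shell string with subprocess) is illustrated below in an added example that is not part of the bug report or of distutils. It is written for Python 3, while the bug is in the 2.7 module; the shape of the rpm query command, the spec directory path and the package-name character policy are assumptions made for the demonstration, not copied from bdist_rpm.py. The legacy function splices a constructed package name into a command string the way a shell would see it; the hardened function builds an argv list so the name always reaches the child process as a single argument, and a whitelist check rejects names that do not look like package names at all.

```python
import re
import shlex
import subprocess
import sys

# Constructed example value: a package name carrying a single quote and a
# space, the kind of string a setup.py can place in "name".
UNTRUSTED_NAME = "demo' 'x"

# Legacy pattern (assumed shape, not a verbatim copy of bdist_rpm.py):
# the name becomes part of a spec-file path that is spliced into a shell
# command string, which os.popen would hand to /bin/sh.
def legacy_query_string(name, spec_dir="build/rpm/SPECS"):
    spec_path = "%s/%s.spec" % (spec_dir, name)
    return "rpm -q --qf '%%{name}\\n' --specfile '%s'" % spec_path

# Hardened form: an argv list and no shell. Every element is delivered to
# the child as exactly one argument, whatever characters it contains.
def hardened_query_argv(name, spec_dir="build/rpm/SPECS"):
    spec_path = "%s/%s.spec" % (spec_dir, name)
    return ["rpm", "-q", "--qf", "%{name}\n", "--specfile", spec_path]

# Defence in depth: accept only a conservative package-name alphabet
# (assumed policy) before the value is used anywhere near a process call.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")

def is_safe_name(name):
    return bool(_NAME_RE.match(name))

def shell_token_count(cmd):
    """Number of arguments a POSIX shell would derive from the string."""
    return len(shlex.split(cmd))

def child_sees(arg):
    """Pass arg through argv (no shell) and return what the child received."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    # A clean name yields the six arguments the command is meant to have.
    print(shell_token_count(legacy_query_string("demo")))
    # The quote in the constructed name closes the path early: seven tokens,
    # i.e. the shell no longer treats the path as one argument.
    print(shell_token_count(legacy_query_string(UNTRUSTED_NAME)))
    # With argv the whole path, quote and space included, is one element.
    print(hardened_query_argv(UNTRUSTED_NAME)[-1])
    print(repr(child_sees(UNTRUSTED_NAME)))
    print(is_safe_name("demo"), is_safe_name(UNTRUSTED_NAME))
```

The token count is the whole story: once a shell is asked to parse a string containing untrusted metadata, the metadata decides where arguments begin and end, and os.popen always involves a shell. subprocess.Popen or subprocess.run with a list argument and the default shell=False never does, so the same name is simply a path that happens to contain odd characters.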