Hi Bernd - Thanks for the bug report! While I think that this is
something that should be fixed upstream, I don't feel like it is a
security issue.

By running `python setup.py ...`, you're already trusting that setup.py
is not malicious. It could execute xmessage directly.

Do you know if there are any other ways to trigger the problematic
popen() call that don't require executing the Python script that has
the malicious program name?

Have you reported this issue to upstream Python?

** Changed in: python2.7 (Ubuntu)
       Status: New => Incomplete
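To make the trust boundary discussed above concrete, here is an added example (not code from the bug report or from CPython's bdist_rpm.py) contrasting a shell-string command built around a name-derived spec path with an argv-list form, plus a conservative whitelist for the "name" field. The rpm command line, `RPM_QUERY_FMT` and the helper names are assumptions for illustration.

```python
# Added example: shows why interpolating a distribution-derived value into a
# shell string is risky and what the hardened equivalents look like.
import re
import shlex
import subprocess

# Assumption: bdist_rpm-style query format; the exact string is illustrative.
RPM_QUERY_FMT = "%{name}-%{version}-%{release}.src.rpm\\n"

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_safe_name(name: str) -> bool:
    """Whitelist check: only characters that are harmless to a POSIX shell
    and acceptable in an RPM package name."""
    return bool(_NAME_RE.match(name))


def build_query_cmd_unsafe(spec_path: str) -> str:
    """Mimics the risky pattern: the path lands inside a single-quoted shell
    string, so a quote character in it ends the quoting early."""
    return "rpm -q --qf '%s' --specfile '%s'" % (RPM_QUERY_FMT, spec_path)


def build_query_cmd_quoted(spec_path: str) -> str:
    """If a shell string is unavoidable, quote each argument with shlex."""
    return "rpm -q --qf %s --specfile %s" % (
        shlex.quote(RPM_QUERY_FMT), shlex.quote(spec_path))


def build_query_argv(spec_path: str) -> list:
    """Hardened form: one argv element per argument, no shell involved, so
    the path is always a single literal argument to rpm."""
    return ["rpm", "-q", "--qf", RPM_QUERY_FMT, "--specfile", spec_path]


def run_query(spec_path: str) -> subprocess.CompletedProcess:
    """Run the hardened command without a shell (rpm must be installed)."""
    return subprocess.run(build_query_argv(spec_path),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample: a name that would break out of single quotes.
    bad = "demo'; xmessage hi; '"
    print("safe name?", is_safe_name(bad))
    print("unsafe :", build_query_cmd_unsafe("/tmp/%s.spec" % bad))
    print("quoted :", build_query_cmd_quoted("/tmp/%s.spec" % bad))
    print("argv   :", build_query_argv("/tmp/%s.spec" % bad))
```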

-- 
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py"  allows Shell injection in "name"


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
