desktop-packages team mailing list archive

[Bug 1460413] Re: Shell Command Injection in logcapture.py

 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to hplip in Ubuntu.
https://bugs.launchpad.net/bugs/1460413

Title:
  Shell Command Injection in logcapture.py

Status in hplip package in Ubuntu:
  Confirmed

Bug description:
  File :
  /usr/share/hplip/logcapture.py

  is vulnerable to shell command injection attacks

  
  for example :

  
  sudo python logcapture.py --user=";xmessage hello #" 

  
  This will run the program "xmessage" as root after you have answered the few questions which the python script asks.

  
  Reason is that the whole hplip-data package is full of old "os.system" calls and some similar shell calls like this one here:

  for u in USERS:
      sts = os.system('cp -f %s/*.log  %s/%s 2>/devnull '%(USERS[u],LOG_FILES,u))

  ... and some like this ...

  utils.run()

  .... and some like that ...

  os_utils.execute()

  ... which calls os.system, too.

  
  Please check all the python scripts in the hplip-data package for these sorts of calls: os.system, utils.run(), execute()

  Replace them with subprocess.Popen() calls.

  Thank you :-)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: hplip-data 3.15.2-0ubuntu4.1
  ProcVersionSignature: Ubuntu 3.19.0-18.18-generic 3.19.6
  Uname: Linux 3.19.0-18-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: KDE
  Date: Sun May 31 13:36:45 2015
  InstallationDate: Installed on 2015-05-15 (15 days ago)
  InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  Lpstat: device for HP_Deskjet_2540_series: hp:/usb/Deskjet_2540_series?serial=CN52E5F0W10604
  PackageArchitecture: all
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/HP_Deskjet_2540_series.ppd'] failed with exit code 2: grep: /etc/cups/ppd/HP_Deskjet_2540_series.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-18-generic root=UUID=182e9546-7ed3-47f6-8b0d-caffb14cc976 ro quiet splash
  SourcePackage: hplip
  UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 11/05/2009
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080015
  dmi.board.name: GeForce 8000 series
  dmi.board.version: 1.0
  dmi.chassis.type: 3
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd11/05/2009:svn:pnGeForce8000series:pvr1.0:rvn:rnGeForce8000series:rvr1.0:cvn:ct3:cvr:
  dmi.product.name: GeForce 8000 series
  dmi.product.version: 1.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/1460413/+subscriptions
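The pattern reported above, shown next to the subprocess-based replacement the reporter asks for. This is an added example and not hplip's own code: the vulnerable function mirrors the quoted `os.system('cp -f ...')` line but runs it through `subprocess.run(shell=True)` only so the injected command's output can be captured and checked; the `USER_RE` allowlist is an assumed policy for login names, and the home directory, log directory and user names are constructed test data.

```python
"""Shell command injection via os.system() string formatting, and the
subprocess argv-list form that closes it.

Added example, not hplip code. Paths and user names are constructed here.
"""
import glob
import os
import re
import subprocess
import tempfile

# Assumed policy: only POSIX-style login names may be spliced into a path.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def vulnerable_copy(user, home, log_dir):
    """Mirrors the reported pattern: the whole command string is handed to
    /bin/sh, so shell metacharacters in `user` become shell syntax.

    os.system() behaves the same way but discards output; subprocess.run
    with shell=True is used here only to capture what the shell printed.
    """
    cmd = "cp -f %s/*.log  %s/%s 2>/dev/null" % (home, log_dir, user)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def safe_copy(user, home, log_dir):
    """Hardened form: validate the name, expand the glob in Python, and pass
    an argv list to subprocess so no shell ever parses user-controlled text.

    Returns the number of log files copied.
    """
    if not USER_RE.match(user):
        raise ValueError("invalid user name: %r" % user)
    dest = os.path.join(log_dir, user)
    os.makedirs(dest, exist_ok=True)
    logs = glob.glob(os.path.join(home, "*.log"))
    if not logs:
        return 0
    # Each element is one argv entry; "; echo X" would just be a file name.
    subprocess.run(["cp", "-f", *logs, dest], check=True,
                   stderr=subprocess.DEVNULL)
    return len(logs)


def demo():
    """Run both variants against a harmless injection payload.

    Returns (output of the injected command, whether safe_copy rejected the
    payload, number of files safe_copy copied for a well-formed user).
    """
    payload = "; echo INJECTED #"   # same shape as the reported --user value
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        log_dir = os.path.join(tmp, "logs")
        os.makedirs(home)
        os.makedirs(log_dir)
        with open(os.path.join(home, "hp.log"), "w") as fh:
            fh.write("constructed log line\n")

        injected = vulnerable_copy(payload, home, log_dir).strip()

        try:
            safe_copy(payload, home, log_dir)
            blocked = False
        except ValueError:
            blocked = True

        copied = safe_copy("alice", home, log_dir)
        return injected, blocked, copied


if __name__ == "__main__":
    print(demo())
```

With the payload, the formatted string becomes `cp -f .../*.log  .../logs/; echo INJECTED # 2>/dev/null`: the shell runs `cp`, then `echo INJECTED`, and the `#` comments out the rest, which is exactly how `xmessage` gets launched as root in the report. The argv-list version never invokes a shell, so the same text can only ever be a (rejected) directory name; the allowlist check is defence in depth on top of that. Note also that the quoted `2>/devnull` in the original line is not `/dev/null`, so the shell would create and write a regular file named `/devnull` in the filesystem root.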