gufw-developers team mailing list archive

Thread
Date

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

To: gufw-developers@xxxxxxxxxxxxxxxxxxx
From: costales <1410839@xxxxxxxxxxxxxxxxxx>
Date: Sat, 17 Jan 2015 20:49:44 -0000
Reply-to: Bug 1410839 <1410839@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

@Martin, @devid: Could you upload the patch archive (patchs.tar.gz) to
Ubuntu 14.04 & 14.10?

I'll send a new version tomorrow for Ubuntu 15.04.

Thanks in advance!!!

** Attachment added: "Patchs for Ubuntu 14.04 & 14.10"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4300755/+files/patchs.tar.gz

** Changed in: gui-ufw
   Importance: High => Critical

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

Status in Gufw:
  Fix Committed
Status in gui-ufw package in Ubuntu:
  Confirmed

Bug description:
  Firewall Administrators can be tricked by someone to export a profile
  with Gufw to an special crafted file or path name wich contains shell
  code.

  reason is this line in ufw_backend.py :

  def export_profile(self, profile, file):
      commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)

  The rename and delete funktions are also unsave if profile name
  contains shell code, like semicolons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions

References

[Bug 1410839] [NEW] Shell Command injection in ufw_backend.py
From: L-ubuntuone1104, 2015-01-14