gufw-developers team mailing list archive
Message #01936
[Bug 1410839] [gui-ufw/vivid] verification still needed
The fix for this bug has been awaiting testing feedback in the -proposed
repository for vivid for more than 90 days. Please test this fix and
update the bug appropriately with the results. In the event that the
fix for this bug is still not verified 15 days from now, the package
will be removed from the -proposed repository.
** Tags added: removal-candidate
--
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839
Title:
Shell Command injection in ufw_backend.py
Status in Gufw:
Fix Released
Status in gui-ufw package in Ubuntu:
Fix Released
Bug description:
Firewall Administrators can be tricked by someone to export a profile
with Gufw to a specially crafted file or path name which contains shell
code.
The reason is this line in ufw_backend.py:
    def export_profile(self, profile, file):
        commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)
The rename and delete functions are also unsafe if the profile name
contains shell code, like semicolons.
To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions
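
Added example, not part of the original report and not Gufw's code or its released fix: a Python 3 sketch that shows how the shell would split the concatenated string from the quoted line (the string is only tokenized, never executed) next to a shell-free export. The names build_legacy_command, count_shell_commands, export_profile_safe and demo, the profile-name policy and the 0o644 mode are assumptions.

```python
import os
import re
import shlex
import shutil
import tempfile

# Assumed policy: profile names are plain words, no path or shell characters.
PROFILE_NAME = re.compile(r'^[A-Za-z0-9_ -]+$')


def build_legacy_command(profile, file):
    """Rebuild the string the reported line passes to the shell (not run here)."""
    return 'cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file


def count_shell_commands(command):
    """Count the ';'-separated commands a POSIX shell would parse from command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for token in lexer if token == ';')


def export_profile_safe(profile, file, profile_dir='/etc/gufw'):
    """Copy a profile without invoking a shell, so metacharacters stay literal."""
    if not PROFILE_NAME.match(profile):
        raise ValueError('invalid profile name: %r' % profile)
    source = os.path.join(profile_dir, profile + '.profile')
    shutil.copyfile(source, file)
    os.chmod(file, 0o644)  # assumption: readable export instead of mode 777
    return file


def demo():
    """Export a constructed profile to a file name that contains a semicolon."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, 'Home.profile'), 'w') as handle:
            handle.write('constructed profile contents\n')
        odd_name = os.path.join(tmp, 'out.profile; echo INJECTED')
        export_profile_safe('Home', odd_name, profile_dir=tmp)
        return sorted(os.listdir(tmp))


if __name__ == '__main__':
    plain = build_legacy_command('Home', '/tmp/out.profile')
    crafted = build_legacy_command('Home', '/tmp/out.profile; echo INJECTED')
    print(count_shell_commands(plain), count_shell_commands(crafted))
    print(demo())
```

With the shell-free version the semicolon ends up as part of one file name; the same reasoning applies to the rename and delete functions the report mentions.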