touch-packages team mailing list archive

[Bug 1514183] [NEW] distutils : file "bdist_rpm.py" allows Shell injection in "name"

 

*** This bug is a security vulnerability ***

Public security bug reported:

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() :

out = os.popen(q_cmd)

Exploit demo :
============
1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov  8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Exploit demo setup.py script with a Shell command in "name""
   https://bugs.launchpad.net/bugs/1514183/+attachment/4515059/+files/setup.py

** Summary changed:

- distutils : filebdist_rpm.py allows Shell injection in "name" 
+ distutils : file "bdist_rpm.py"  allows Shell injection in "name"

** Information type changed from Public to Public Security

** Description changed:

  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py
  
- Line 358 : 
- This line in the code uses the depreached os.popen command, should be replaced with supbprocess.Popen() :
+ Line 358 :
+ This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() :
  
  out = os.popen(q_cmd)
  
  Exploit demo :
  ============
  1) Download the setup.py script wich i attached
  2) Create a test folder an put the setup.py script in this folder
  3) cd  to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept
  
  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py"  allows Shell injection in "name"

Status in python2.7 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions
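
The report points at `os.popen(q_cmd)` and recommends `subprocess.Popen()`. The following is an added example, not code from the bug report or from distutils, contrasting a shell-interpreted command string with an argument list. `echo` stands in for the real query command; the sample name, the spec path layout, the helper names and the allowlist are constructed for illustration.

```python
import os
import re
import subprocess

# Constructed sample: a package "name" carrying shell metacharacters.
# The injected part only echoes a marker string.
HOSTILE_NAME = "demo'; echo INJECTED; echo '"


def spec_path_for(name):
    # Assumption: the spec file path is derived from the package name.
    return "%s.spec" % name


def query_via_shell(spec_path):
    """Pattern named in the report: a command string handed to os.popen,
    which runs it through /bin/sh. `echo` stands in for the real query."""
    q_cmd = "echo specfile '%s'" % spec_path
    with os.popen(q_cmd) as pipe:
        return pipe.read()


def query_via_argv(spec_path):
    """Replacement suggested in the report: subprocess with an argument
    list and no shell, so the path arrives as exactly one argument."""
    proc = subprocess.Popen(["echo", "specfile", spec_path],
                            stdout=subprocess.PIPE, universal_newlines=True)
    out, _ = proc.communicate()
    return out


# Hypothetical allowlist for names, checked before any command is built.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def is_safe_name(name):
    return SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    path = spec_path_for(HOSTILE_NAME)
    print("shell :", query_via_shell(path).splitlines())
    print("argv  :", query_via_argv(path).splitlines())
    print("safe? :", is_safe_name(HOSTILE_NAME))
```

In the shell variant the quote in the name closes the quoted argument, so the output splits into three lines; in the argument-list variant the whole path comes back as a single line.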

