
touch-packages team mailing list archive

[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"


Hi Bernd - Thanks for the bug report! While I think that this is
something that should be fixed upstream, I don't feel like it is a
security issue.

By running `python setup.py ...`, you're already trusting that setup.py
is not malicious. It could execute xmessage directly.

Do you know if there are any other ways to trigger the problematic
popen() call that don't require executing the Python script that has
the malicious program name?

Have you reported this issue to upstream Python?

** Changed in: python2.7 (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py" allows Shell injection in "name"

Status in python2.7 package in Ubuntu:
  Incomplete

Bug description:
  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py

  Line 358 :
  This line in the code uses the deprecated os.popen command and should be replaced with subprocess.Popen():

  out = os.popen(q_cmd)

  Exploit demo :
  ============
  1) Download the setup.py script which I attached
  2) Create a test folder and put the setup.py script in this folder
  3) cd  to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions
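The bug description points at an os.popen() call that pastes a path derived from the distribution name into a shell command string. The following is an added illustration, not code from the bug report or from distutils: it puts a simplified version of that string-building pattern next to the argv-list form the reporter asks for, and shows why the list form is immune. The rpm query format string and the spec path are assumptions; a Python one-liner stands in for rpm so the example runs offline on Python 3.

```python
import json
import shlex
import subprocess
import sys

# Query format string (simplified; the real one in bdist_rpm.py is assumed, not copied).
QF = r"%{name}\n"


def vulnerable_query_cmd(spec_path):
    """The pattern reported in the bug: the spec path (built from the
    distribution name) is interpolated into a shell command string. A
    name containing a quote closes the '...' early and whatever follows is
    parsed by the shell as further words. Kept only to show the defect."""
    return "rpm -q --qf '" + QF + "' --specfile '" + spec_path + "'"


def hardened_query_argv(spec_path):
    """The fix: hand the program an argv list, so no shell ever parses
    the name. Run it with subprocess (shell=False, the default)."""
    return ["rpm", "-q", "--qf", QF, "--specfile", spec_path]


def shell_words(cmd):
    """How a POSIX shell would tokenize the string form (shlex mimics it)."""
    return shlex.split(cmd)


def argv_seen_by_child(argv):
    """Execute argv with a Python one-liner standing in for rpm (so this
    runs offline) and return the argument list the child actually got."""
    stub = [sys.executable, "-c", "import json,sys;print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(stub + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


# Constructed sample: a distribution name that smuggles a quote and an extra flag.
SPEC_PATH = "/tmp/build/pkg' --badarg '.spec"

if __name__ == "__main__":
    # String form: the shell sees '--badarg' as a separate option.
    print(shell_words(vulnerable_query_cmd(SPEC_PATH)))
    # Argv form: the whole path arrives as exactly one argument.
    print(argv_seen_by_child(hardened_query_argv(SPEC_PATH)))
```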

