touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #117942
[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"
Reported to Upstream :
http://bugs.python.org/issue25627
** Bug watch added: Python Roundup #25627
http://bugs.python.org/issue25627
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1514183
Title:
distutils : file "bdist_rpm.py" allows Shell injection in "name"
Status in python2.7 package in Ubuntu:
Incomplete
Bug description:
File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py
Line 358 :
This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() :
out = os.popen(q_cmd)
Exploit demo :
============
1) Download the setup.py script wich i attached
2) Create a test folder an put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) A xmessage window pops up as a proof of concept
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov 8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions
References