touch-packages team mailing list archive

[Bernd Dietzel <1514183@xxxxxxxxxxxxxxxxxx>]

Reported to Upstream :
http://bugs.python.org/issue25627

** Bug watch added: Python Roundup #25627
   http://bugs.python.org/issue25627

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py"  allows Shell injection in "name"

Status in python2.7 package in Ubuntu:
  Incomplete

Bug description:
  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py

  Line 358 :
  This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() :

  out = os.popen(q_cmd)

  Exploit demo :
  ============
  1) Download the setup.py script wich i attached
  2) Create a test folder an put the setup.py script in this folder
  3) cd  to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions