touch-packages team mailing list archive
Message #121646
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
Upstream only fixed this in 3.5, which we do carry, but not in other release
series.
It's not that "ubuntu didn't pick up the fix", it's the upstream that
didn't apply it in all applicable release series.
commented on your bug report.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1512068
Title:
Python ctypes.util , Shell Injection in find_library()
Status in python2.7 package in Ubuntu:
New
Bug description:
https://github.com/Legrandin/ctypes/issues/1
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".
Demo Exploits for Linux :
====================
>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"
==== Traceback ====
>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov 1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions
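The following is an added example, not part of the bug report or of the upstream fix. It contrasts the shell-string pattern the report describes with an argument-list call, and shows an allow-list wrapper for interpreters that still carry the unpatched code. The names safe_find_library, lookup_via_shell and lookup_via_argv are hypothetical, the allow-list is an assumption about what real library names look like, and echo stands in for the real ldconfig/gcc lookup commands.

```python
import re
import subprocess
import sys
from ctypes.util import find_library

# Assumed allow-list: letters, digits and the punctuation seen in real
# library names (e.g. "stdc++", "gtk-3", "python2.7").
_NAME_OK = re.compile(r"[A-Za-z0-9_.+-]+")

def safe_find_library(name):
    """Reject names with shell metacharacters before find_library() sees them."""
    if not isinstance(name, str) or not _NAME_OK.fullmatch(name):
        raise ValueError("refusing suspicious library name: %r" % (name,))
    return find_library(name)

# Stand-in for the external lookup tool: prints its first argument.
_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

def lookup_via_shell(name):
    """'Before' pattern: name pasted into a shell command line, as os.popen() does."""
    cmd = "echo lib%s.so" % name  # the shell parses this whole string
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()

def lookup_via_argv(name):
    """'After' pattern: argument list, no shell; the name stays one literal argument."""
    out = subprocess.run(_TOOL + ["lib%s.so" % name], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()

if __name__ == "__main__":
    probe = "x;echo INJECTED;#"  # constructed, harmless input
    print(lookup_via_shell(probe))  # second command runs: two output lines
    print(lookup_via_argv(probe))   # one line, metacharacters kept literal
    try:
        safe_find_library(probe)
    except ValueError as exc:
        print(exc)
```
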