touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #126744
[Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857
Title:
Possible Shell Code injection when cleaning packages
Status in python2.7 package in Ubuntu:
New
Bug description:
pyclean allows to inject shell code when the package filename contains
commands.
Exploit Demo which starts the program xeyes :
$ pyclean -p ";xeyes;.deb"
Reason :
The python scripts in the debpython folder are calling subprocess with shell=True. Should be False.
/usr/share/python/debpython/files.py Line 49:
process = Popen("/usr/bin/dpkg -L %s" % package_name,\
shell=True, stdout=PIPE)
/usr/share/python/debpython/pydist.py Line 157:
process = Popen("/usr/bin/dpkg -S %s" % query, \
shell=True, stdout=PIPE, stderr=PIPE)
/usr/share/python/debpython/tools.py Line 159:
cmd = "readelf -Wd '%s'" % fpath
process = Popen(cmd, stdout=PIPE, shell=True)
/usr/share/python/debpython/namespace.py Line 108:
process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
'.join(removal_candidates), shell=True, stdout=PIPE)
------
Attention : namespace.py may be called when using "apt-get -f remove".
------
This bug was not yet reported to upstream.
Please do that for me. Thank you :-)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions
