touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #126745
[Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Another nice find Bernd, but package names are restricted to include
only:
lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs,
and periods (.). They must be at least two characters long and must
start with an alphanumeric character.
https://www.debian.org/doc/debian-policy/ch-
controlfields.html#s-f-Source
Therefore I'm thinking this is a simple programming mistake and not a
security bug.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857
Title:
Possible Shell Code injection when cleaning packages
Status in python2.7 package in Ubuntu:
New
Bug description:
pyclean allows to inject shell code when the package filename contains
commands.
Exploit Demo which starts the program xeyes :
$ pyclean -p ";xeyes;.deb"
Reason :
The python scripts in the debpython folder are calling subprocess with shell=True. Should be False.
/usr/share/python/debpython/files.py Line 49:
process = Popen("/usr/bin/dpkg -L %s" % package_name,\
shell=True, stdout=PIPE)
/usr/share/python/debpython/pydist.py Line 157:
process = Popen("/usr/bin/dpkg -S %s" % query, \
shell=True, stdout=PIPE, stderr=PIPE)
/usr/share/python/debpython/tools.py Line 159:
cmd = "readelf -Wd '%s'" % fpath
process = Popen(cmd, stdout=PIPE, shell=True)
/usr/share/python/debpython/namespace.py Line 108:
process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
'.join(removal_candidates), shell=True, stdout=PIPE)
------
Attention : namespace.py may be called when using "apt-get -f remove".
------
This bug was not yet reported to upstream.
Please do that for me. Thank you :-)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions
