[Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Piotr Ożarowski
1529857 at bugs.launchpad.net
Sun Apr 17 20:26:27 UTC 2016
can you give me an example where one can use it to do something bad and
doesn't have access to root already?
"exploit" demo is funny, though :)
Here's another one: `su root -c 'echo foo'` ;)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857
Title:
Possible Shell Code injection when cleaning packages
Status in python2.7 package in Ubuntu:
New
Bug description:
pyclean allows to inject shell code when the package filename contains
commands.
Exploit Demo which starts the program xeyes :
$ pyclean -p ";xeyes;.deb"
Reason :
The python scripts in the debpython folder are calling subprocess with shell=True. Should be False.
/usr/share/python/debpython/files.py Line 49:
process = Popen("/usr/bin/dpkg -L %s" % package_name,\
shell=True, stdout=PIPE)
/usr/share/python/debpython/pydist.py Line 157:
process = Popen("/usr/bin/dpkg -S %s" % query, \
shell=True, stdout=PIPE, stderr=PIPE)
/usr/share/python/debpython/tools.py Line 159:
cmd = "readelf -Wd '%s'" % fpath
process = Popen(cmd, stdout=PIPE, shell=True)
/usr/share/python/debpython/namespace.py Line 108:
process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
'.join(removal_candidates), shell=True, stdout=PIPE)
------
Attention : namespace.py may be called when using "apt-get -f remove".
------
This bug was not yet reported to upstream.
Please do that for me. Thank you :-)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions
More information about the foundations-bugs
mailing list