[Bug 1550653] [NEW] platform.py uses os.popen command

Bernd Dietzel 1550653 at bugs.launchpad.net
Sat Feb 27 06:26:53 UTC 2016


Public bug reported:

Uses the deprecated os.popen command.
Shell code can be injected, see example below.
Replace it with subprocess please.

File:
/usr/lib/python3.5/platform.py

line 416:
    return os.popen(cmd, mode, bufsize)


Example which starts the program xeyes but should not:

~$ python
Python 2.7.11+ (default, Feb 22 2016, 16:38:42) 
[GCC 5.3.1 20160222] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import platform
>>> filename = 'bad file ;xeyes;# name.png'
>>> platform.popen('ls %s' %filename)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libpython3.5-minimal 3.5.1-6ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-7.22-generic 4.4.2
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Feb 27 07:16:55 2016
InstallationDate: Installed on 2016-02-22 (4 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160219)
SourcePackage: python3.5
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python3.5 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1550653/+attachment/4582374/+files/Dependencies.txt

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1550653/+attachment/4582375/+files/JournalErrors.txt

** Attachment removed: "ProcEnviron.txt"
   https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1550653/+attachment/4582376/+files/ProcEnviron.txt

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.5 in Ubuntu.
https://bugs.launchpad.net/bugs/1550653
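Added example, not code from the bug report or from CPython's platform.py: it shows how /bin/sh would split the report's interpolated filename into two separate commands, and the subprocess-based replacement the reporter asks for (argv list, or shlex.quote() when a shell string is unavoidable). It assumes a POSIX shell and Python 3.7+; the argv-echoing child process is a constructed stand-in for `ls` so the output is deterministic.

```python
"""Shell injection via 'ls %s' % filename, and the subprocess replacement."""
import shlex
import subprocess
import sys

# Constructed input mirroring the report's filename: ';' and '#' are shell
# metacharacters, so inside a shell string they terminate the 'ls' command.
FILENAME = 'bad file ;xeyes;# name.png'

# Child that prints its argv one per line; stands in for 'ls' so we can see
# exactly what the program on the receiving end is handed.
ARGV_ECHO = [sys.executable, '-c', 'import sys; print("\\n".join(sys.argv[1:]))']


def shell_words(cmd):
    """Tokenise a command line roughly as /bin/sh does before running it:
    punctuation_chars makes ';' its own token and '#' starts a comment."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def shell_commands(cmd):
    """Group tokens into the separate commands the shell would run.
    Only ';' is modelled as a separator (|, & and friends are left as tokens)."""
    cmds, cur = [], []
    for tok in shell_words(cmd):
        if tok == ';':
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    return cmds + ([cur] if cur else [])


def injected_commands(filename):
    """The pattern from the report (string interpolation into a shell command).
    Nothing is executed here; we only show how the shell would parse it."""
    return shell_commands('ls %s' % filename)


def argv_via_list(filename):
    """Replacement: argv as a list, no shell. The filename reaches the child
    as exactly one argument, metacharacters included."""
    out = subprocess.run(ARGV_ECHO + [filename], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def argv_via_quoted_shell(filename):
    """If a shell string is unavoidable, quote every argument with shlex.quote()
    so the child again sees a single, unmodified argument."""
    cmd = ' '.join(shlex.quote(a) for a in ARGV_ECHO + [filename])
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()
```

With the report's filename, `injected_commands()` returns `[['ls', 'bad', 'file'], ['xeyes']]`: the intended file name never reaches `ls`, and `xeyes` runs as a second command, while both replacement functions hand the child the single argument `'bad file ;xeyes;# name.png'`.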
