[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name
Hans Joachim Desserud
1694007 at bugs.launchpad.net
Sun May 28 08:56:34 UTC 2017
Thanks for taking your time to report this issue and for helping to make Ubuntu
better.
I was able to reproduce this with bzr 2.7.0+bzr6619-7 on Ubuntu 17.04,
so it is still present in the latest packaged version.
** Also affects: bzr
Importance: Undecided
Status: New
** Changed in: bzr (Ubuntu)
Status: New => Confirmed
** Tags added: artful xenial yakkety zesty
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1694007
Title:
externalcommand.py : Shell injection with a Path name
Status in Bazaar:
New
Status in bzr package in Ubuntu:
Confirmed
Bug description:
If the path contains a shell command, it will be executed.
In this demo the program xeyes will start, but it should not:
~ $ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bzrlib.externalcommand as E
>>> x=E.ExternalCommand('/tmp/$(xeyes)/test/abc')
>>> y=x.help()
sh: 1: /tmp//test/abc: not found
>>> # xeyes does run now #
Package:
python-bzrlib
File:
/usr/lib/python2.7/dist-packages/bzrlib/externalcommand.py
Line 64:
pipe = os.popen('%s --help' % self.path)
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-bzrlib 2.7.0-2ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
Uname: Linux 4.4.0-66-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat May 27 13:00:36 2017
InstallationDate: Installed on 2016-07-31 (300 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)
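The report above boils down to one pattern: a user-controlled path is spliced into a command string with `%` and handed to `os.popen`, which runs it through `/bin/sh`, so `$(...)`, backticks, `;` and friends inside the path are interpreted as shell syntax. The following is an added example, not code from bzr or from the bug reporter, written for Python 3 (the report is against the Python 2 `python-bzrlib` package, but `os.popen` still goes through `/bin/sh` in Python 3). It places the vulnerable pattern beside two fixes: passing an argv list to `subprocess` (no shell involved at all) and, where a shell really is needed, quoting the path with `shlex.quote` (the Python 2 equivalent was `pipes.quote`). The payload uses `touch` on a marker file in a temporary directory instead of `xeyes` so that the side effect can be checked programmatically; it assumes a POSIX `sh` and `touch` on PATH, and that the temporary directory path contains no shell metacharacters.

```python
import os
import shlex
import subprocess
import tempfile


def vulnerable_help(path):
    """Mirrors the reported bzrlib pattern: the path is spliced into a shell
    command line and run through /bin/sh, so anything in it is shell syntax."""
    pipe = os.popen('%s --help' % path)
    output = pipe.read()
    pipe.close()
    return output


def hardened_help(path):
    """Fix 1: argv form, no shell. The path is argv[0] of the child, so
    '$(...)' is just characters in a filename that does not exist."""
    try:
        proc = subprocess.run(
            [path, '--help'],
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
            check=False,
        )
    except OSError:
        # ENOENT / EACCES etc.: the command is not runnable, nothing was executed.
        return ''
    return proc.stdout.decode('utf-8', 'replace')


def quoted_help(path):
    """Fix 2: if a shell pipeline is genuinely required, quote the untrusted
    piece so the shell sees it as a single literal word."""
    pipe = os.popen('%s --help' % shlex.quote(path))
    output = pipe.read()
    pipe.close()
    return output


def demo():
    """Run the same injected path through all three variants and report which
    ones let the embedded command execute. Returns (vulnerable, hardened, quoted)
    booleans; True means the marker file was created, i.e. injection succeeded."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, 'pwned')
        # Constructed payload, same shape as the reporter's '/tmp/$(xeyes)/test/abc'.
        path = '/tmp/$(touch %s)/test/abc' % marker

        vulnerable_help(path)           # sh prints ".../test/abc: not found" on stderr
        vuln_hit = os.path.exists(marker)
        if vuln_hit:
            os.remove(marker)

        hardened_help(path)
        hard_hit = os.path.exists(marker)
        if hard_hit:
            os.remove(marker)

        quoted_help(path)
        quoted_hit = os.path.exists(marker)

    return vuln_hit, hard_hit, quoted_hit


if __name__ == '__main__':
    vuln, hard, quoted = demo()
    print('os.popen with %%-formatting executed the payload: %s' % vuln)
    print('subprocess argv list executed the payload:        %s' % hard)
    print('os.popen with shlex.quote executed the payload:   %s' % quoted)
```

The argv form is the preferable fix: it removes the shell from the picture entirely, so there is no quoting to get wrong, and it also avoids word splitting of paths that contain spaces. Note that the `--help` probe in the reported code is reached by simply constructing `ExternalCommand` with a path and calling `.help()`, so the relevant question for bzr is where that path can come from; the report does not establish a remote trigger, only the unsafe primitive.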