[Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Matthias Klose
doko at ubuntu.com
Thu Nov 23 13:03:23 UTC 2017
looks like this is a won't fix ...
** Changed in: python2.7 (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857
Title:
Possible Shell Code injection when cleaning packages
Status in python2.7 package in Ubuntu:
Won't Fix
Bug description:
pyclean allows to inject shell code when the package filename contains
commands.
Exploit Demo which starts the program xeyes :
$ pyclean -p ";xeyes;.deb"
Reason :
The python scripts in the debpython folder are calling subprocess with shell=True. Should be False.
/usr/share/python/debpython/files.py Line 49:
process = Popen("/usr/bin/dpkg -L %s" % package_name,\
shell=True, stdout=PIPE)
/usr/share/python/debpython/pydist.py Line 157:
process = Popen("/usr/bin/dpkg -S %s" % query, \
shell=True, stdout=PIPE, stderr=PIPE)
/usr/share/python/debpython/tools.py Line 159:
cmd = "readelf -Wd '%s'" % fpath
process = Popen(cmd, stdout=PIPE, shell=True)
/usr/share/python/debpython/namespace.py Line 108:
process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
'.join(removal_candidates), shell=True, stdout=PIPE)
------
Attention : namespace.py may be called when using "apt-get -f remove".
------
This bug was not yet reported to upstream.
Please do that for me. Thank you :-)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions
More information about the foundations-bugs
mailing list