[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

2017-05-31 Thread Bernd Dietzel
As you can see above, help() does not show the help of program abc but runs a shell command in the middle of the path and the path gets broken. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

2017-05-27 Thread Bernd Dietzel
Screenshot ** Attachment added: "Screenshot" https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884537/+files/screenshot.png

[Bug 1694007] [NEW] externalcommand.py : Shell injection with a Path name

2017-05-27 Thread Bernd Dietzel
Public bug reported: If there is a shell command inside the path, it will be executed. In this demo the program xeyes will start but should not : ~ $ python Python 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609] on linux2 Type "help", "copyright", "credits" or "license" for more

[Bug 1586514] Re: Shell Injection / filename

2017-02-19 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

[Bug 1598438] [NEW] dialog.pl allows to inject shell code

2016-07-02 Thread Bernd Dietzel
Public bug reported: File : /usr/share/perl5/dialog.pl Lines 25, 42, 62, 77 :
    system("dialog --title \"$title\" --textbox $file $height $width");
The perl script "dialog.pl" uses the system() command. So shell code in a path and/or file name could be executed. For example, like in this perl demo

[Bug 1513964] Re: dsextras.py : Shell Command Injection with a pkg name

2016-05-28 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

[Bug 1586346] Re: Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
** Attachment added: "recent.py has the same problem / Screenshot" https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+attachment/4671530/+files/Screenshot%20recent.py%20%20bug.png

[Bug 1586346] Re: Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
...and remove these os.system calls too, please :-)
    /usr/share/mate-menu/plugins/recent.py:189: x = os.system("gvfs-open \""+filename+"\"")
    /usr/share/mate-menu/plugins/applications.py:991: os.system("rm \"%s\" &" % desktopEntry.desktopFile)

[Bug 1586346] [NEW] Shell injection with a GTK-Bookmark

2016-05-27 Thread Bernd Dietzel
Public bug reported: Shell commands can be injected when the file ~/.gtk-bookmarks contains, for example, a path like this : /temp/$(xeyes)/test/ In the settings of mate-menu, the option to show the gtk-bookmarks in the places must be checked to make it work. See attached screenshot. Reason

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-17 Thread Bernd Dietzel
OK, check this new patch for the audacious scope. - No injections - Multiple Tracks - Database issues ** Attachment added: "new audacious patch - multiple tracks + database"

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-16 Thread Bernd Dietzel
@Seth, your comment 17: I had a look at the audacious db-file access:
    for collection in os.listdir(AUDACIOUS_DBFILE):
        dbfile = '%s/%s' % (AUDACIOUS_DBFILE, collection)
        database = open(dbfile, "r")
        database = database.read()
        if not

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-05-15 Thread Bernd Dietzel
New patch for unity_audacious_daemon.py with better handling of multiple tracks ** Attachment added: "audacious patch - multiple tracks"

[Bug 1550676] Re: analyze_suspend.py may allow shell code injection

2016-04-16 Thread Bernd Dietzel
** Attachment removed: "WifiSyslog.txt" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1550676/+attachment/4582509/+files/WifiSyslog.txt ** Attachment removed: "UdevDb.txt" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1550676/+attachment/4582508/+files/UdevDb.txt **

[Bug 1550653] [NEW] platform.py uses os.popen command

2016-02-26 Thread Bernd Dietzel
Public bug reported: Uses the deprecated os.popen command. Shell code can be injected, see example below. Replace it with subprocess please. file : /usr/lib/python3.5/platform.py line 416:
    return os.popen(cmd, mode, bufsize)
Example which starts the program xeyes but should not : ~$ python

[Bug 1545527] [NEW] Shell Injection with a custom panel layout

2016-02-14 Thread Bernd Dietzel
Public bug reported: lines 360-361 :
    cmd = 'dconf load /org/mate/panel/ < /usr/share/mate-panel/layouts/' + new_layout + '.panel'
    os.system(cmd)
If the file name of a layout contains shell commands, they may be executed by os.system. Replace os.system with subprocess please. Thank you :-) **

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2016-01-01 Thread Bernd Dietzel
For a Shotwell scope SQL injection demo, I attached a screenshot. Code can be injected with a file name in the function getPhotoForUri. Demonstration: a) rename some picture like this xx " UNION SELECT

[Bug 1514046] Re: Shell command injection - samba-tool domain classicupgrade

2015-12-28 Thread Bernd Dietzel
public in upstream https://bugzilla.samba.org/show_bug.cgi?id=11601#c7 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu.

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-12-20 Thread Bernd Dietzel
@David, the shotwell, firefoxbookmarks, chromiumbookmarks and zotero scopes may be checked for SQL injections, too. Example: some code of the shotwell scope:
    sql='select * from PhotoTable where filename = \"'+filename+'\"'
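The concatenation quoted in this message, beside its parameterised form, as an added example: this is not code from the shotwell scope or from any bug report on this page. The three-column PhotoTable is a stand-in I constructed (the real Shotwell schema is larger), and make_db, get_photo_vulnerable, get_photo_safe, PAYLOAD and demo are my own names. It carries the `xx " UNION SELECT` demonstration from the 2016-01-01 message through to a result: the file name pulls the schema out of sqlite_master. The payload starts with `filename"` rather than `xx"` because SQLite resolves a double-quoted token to a column when one of that name exists, so the tautology works whether or not the SQLite build still allows double-quoted string literals.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Shotwell database: only the columns the
    query touches are modelled, with two sample photos."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PhotoTable (id INTEGER PRIMARY KEY, filename TEXT, title TEXT)")
    conn.executemany("INSERT INTO PhotoTable (filename, title) VALUES (?, ?)",
                     [("/home/user/Pictures/beach.jpg", "beach"),
                      ("/home/user/Pictures/dog.jpg", "dog")])
    return conn


def get_photo_vulnerable(conn, filename):
    """The concatenation quoted from the shotwell scope: the file name becomes
    part of the SQL text, so anything in it is parsed as SQL."""
    sql = 'select * from PhotoTable where filename = "' + filename + '"'
    return conn.execute(sql).fetchall()


def get_photo_safe(conn, filename):
    """Parameterised form: the name is bound as a value by the driver and can
    never alter the statement's structure."""
    return conn.execute("select * from PhotoTable where filename = ?", (filename,)).fetchall()


# Constructed attacker-controlled file name.  The leading  filename"  closes
# the quoted value as a tautology (filename = filename; SQLite resolves a
# double-quoted token to a column when one exists, so this works whether or
# not the build allows double-quoted string literals), the UNION appends the
# schema from sqlite_master, and -- comments out the closing quote the code adds.
PAYLOAD = 'filename" UNION SELECT rowid, name, sql FROM sqlite_master --'


def demo():
    """Compare both lookups on the payload name and the safe lookup on a
    real name.  Returns the three result sets keyed by case."""
    conn = make_db()
    return {
        "safe_real": get_photo_safe(conn, "/home/user/Pictures/beach.jpg"),
        "safe_payload": get_photo_safe(conn, PAYLOAD),
        "vulnerable_payload": get_photo_vulnerable(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(case)
        for row in rows:
            print("   ", row)
```

With the payload, get_photo_vulnerable returns both photos plus a row (1, 'PhotoTable', 'CREATE TABLE ...') taken from sqlite_master, which is the same UNION trick the screenshot demo used; get_photo_safe returns nothing, because no file is literally named after the payload. The same change (bind values, never concatenate) applies to the firefoxbookmarks, chromiumbookmarks and zotero scopes mentioned here.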

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-12-19 Thread Bernd Dietzel
My new Clementine patch. I had a look at the other patches to fix the SQL injections. Fixed the utf8 decoding crash with try and except. Hope it works. Please test. ** Attachment added: "clementine patch , Shell Injections + SQL Injections + UTF8 Crash"

[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()

2015-11-28 Thread Bernd Dietzel
Seems the bug is already known and has been fixed since 2014, but it has not found its way into the Ubuntu repos. http://bugs.python.org/issue22636 ** Information type changed from Private Security to Public Security ** Bug watch added: Python Roundup #22636 http://bugs.python.org/issue22636

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-11-25 Thread Bernd Dietzel
@Marc Yes, if some application has a bug, for example MintNanny: https://bugs.launchpad.net/linuxmint/+bug/1460835

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-11-15 Thread Bernd Dietzel
@David, did you notice that the albumtracks are a list and not a simple string? Have a look at my "Better patch for unity_clementine_daemon.py" in comment #10

[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread Bernd Dietzel
Reported to upstream : http://bugs.python.org/issue25627 ** Bug watch added: Python Roundup #25627 http://bugs.python.org/issue25627

[Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-12 Thread Bernd Dietzel
Hello Tyler, I only used the setup script because the distutils.core.setup() function takes such a large number of arguments, so it is easier to read than in one single line of code. No, I haven't reported this issue to upstream.

[Bug 1514183] [NEW] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-08 Thread Bernd Dietzel
*** This bug is a security vulnerability *** Public security bug reported: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358 : This line in the code uses the deprecated os.popen command, should be replaced with subprocess.Popen() :
    out = os.popen(q_cmd)
Exploit demo :

[Bug 1512068] [NEW] Python ctypes.util , Shell Injection in find_library()

2015-11-01 Thread Bernd Dietzel
Public bug reported: https://github.com/Legrandin/ctypes/issues/1 The find_library() function can execute code when special chars like ;|`<>$ are in the name. The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()". Demo Exploits for Linux :

[Bug 1509835] Re: Possible Shell Command Injection

2015-10-31 Thread Bernd Dietzel
My demo exploit video (German) https://www.youtube.com/watch?v=QGAjwKF5d3w

[Bug 1509835] Re: Possible Shell Command Injection

2015-10-31 Thread Bernd Dietzel
My improved Patch Nr. 2 ** Patch added: "This patch can split the opts string and has a stdout and a stderr" https://bugs.launchpad.net/ubuntu/+source/apt-offline/+bug/1509835/+attachment/4509935/+files/Patch2.diff

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
    #! /bin/sh
    # run this as root early in the boot order. No other script like hostname.sh should run later
    HOSTNAME="$(hostname|sed 's/[^A-Za-z0-9_\-\.]/x/g')";hostname "$HOSTNAME"

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
script ** Attachment added: "changehostname.sh" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh

[Bug 1509835] Re: Possible Shell Command Injection

2015-10-30 Thread Bernd Dietzel
My patch was accepted by Mr. Sarraf and fixed in apt-offline upstream repo. https://github.com/rickysarraf/apt-offline/blob/master/apt_offline_core/AptOfflineCoreLib.py

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Bernd Dietzel
I have reported it to upstream : http://bugs.python.org/issue24778 I have uploaded my patches to upstream: http://bugs.python.org/file40897/mailcap%20patch.zip ** Bug watch added: Python Roundup #24778 http://bugs.python.org/issue24778

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
I fixed a typo and made the code shorter. New patch attached.

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
** Patch added: "Patch for mailcap.py (pyhon 2.7)" https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507759/+files/PatchForMailCap.diff ** Attachment removed: "mailcap.py without shell injections"

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My "Idea" for a quick bugfix : Inside the mailcap.py script, we copy the file to temp and give the file a random name like this ... /temp/.tmp ... and then return the result with the random name instead of the original name.

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My patch.
1) I removed the os.system() calls and appended a new function "run" which uses subprocess.
2) The "Subst" function now uses quote() and returns a list, not a string, so it can be passed to subprocess.
3) If you do not want to get back a command "string" but a command [list] , you can

[Bug 1510317] [NEW] Shell Command Injection in "Mailcap" file handling

2015-10-26 Thread Bernd Dietzel
*** This bug is a security vulnerability *** Public security bug reported: https://docs.python.org/2/library/mailcap.html mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]]) Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-26 Thread Bernd Dietzel
** Description changed: https://docs.python.org/2/library/mailcap.html mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]]) Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to os.system()), ... Security Bug in

[Bug 1509835] Re: Possible Shell Command Injection

2015-10-26 Thread Bernd Dietzel
** Information type changed from Public to Public Security

[Bug 1467666] Re: speechd_config executes Shell Commands

2015-10-25 Thread Bernd Dietzel
Patch ** Patch added: "Patch for /usr/lib/python3/dist-packages/speechd_config/config.py" https://bugs.launchpad.net/ubuntu/+source/speech-dispatcher/+bug/1467666/+attachment/4504591/+files/Patch.diff

[Bug 1466633] Re: Pluma Plugin "Snippets" Manager - Shell Command Injection

2015-10-25 Thread Bernd Dietzel
I attached a patch which solves the problem. I have tested it with gedit 3.10.4 and Ubuntu 15.10. Should be the same in pluma. ** Patch added: "Patch for gedit importer.py" https://bugs.launchpad.net/gedit/+bug/1466633/+attachment/4504703/+files/importer.py_Patch.diff

[Bug 1509835] [NEW] Possible Shell Command Injection

2015-10-25 Thread Bernd Dietzel
Public bug reported: Because of this os.system call in AptOfflineCoreLib.py
    x = os.system("%s %s %s %s" % (self.gpgv, self.opts, signature_file, signed_file) )
the python script is vulnerable to shell command injections in 4 ways. 1. if there is a shell command in the path, for example

[Bug 1506823] Re: Shell Command Injection with a picture

2015-10-24 Thread Bernd Dietzel
Patch to fix the shell command injection, pitivi Version 0.94 ** Patch added: "patch for mainwindow.py , pitivi Version 0.94" https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4504236/+files/mainwindow.py.diff

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-10-23 Thread Bernd Dietzel
Better patch attached for the clementine unity scope Python script.
1) I use subprocess.Popen() this time instead of the simple subprocess.call() before.
2) Should now handle albumtracks in a better way because it is a list of strings.
3) Clementine now gives you an error message on playing a

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-10-22 Thread Bernd Dietzel
I attached a patch for unity_clementine_daemon.py which should solve the problem using subprocess ** Patch added: "unity_clementine_daemon_patch.diff" https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4502656/+files/unity_clementine_daemon_patch.diff

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-19 Thread Bernd Dietzel
Workaround ... to make my modified "hostname.sh" script run at startup, I changed the file /etc/rc.local
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
That's better ... (the "-" was wrong in my previous posting)
    HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"
I attached a modified hostname.sh which uses bash. It can be started manually with
    sudo /etc/init.d/hostname.sh start
The command should somehow run at startup ... but does not by default ?

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
Patch : HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
I agree, I think the hostname should be in the hands of the kernel only. It should not be overwritten by /etc/hostname.sh.

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
typo ... the path is /etc/init.d/hostname.sh

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
German demo video https://www.youtube.com/watch?v=qYuVzHsklS8

[Bug 1506823] [NEW] Shell Command Injection with a picture

2015-10-16 Thread Bernd Dietzel
Public bug reported: mainwindow.py , Line 486
    os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))
If you import an image and double click on it to see a preview, any shell command in the picture name will be executed. For example : 1) rename a picture to this name $(xmessage hello
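The injection in this report, and the same os.system/os.popen pattern in the apt-offline, mate-panel, gtk-bookmarks, mailcap, bdist_rpm and find_library reports on this page, next to the two fixes the thread asks for (an argv list with shell=False, or shlex.quote() when a shell is unavoidable). This is an added example, not code from pitivi or from any bug report here: printf stands in for xdg-open and `touch <marker>` stands in for xmessage so the effect is observable offline, and build_vulnerable_command, run_with_shell, run_with_list, run_with_quote and demo are my own names.

```python
import os
import shlex
import shutil
import subprocess
import tempfile


def build_vulnerable_command(path):
    """The string the reported code hands to os.system().  Double quotes do not
    stop $(...) or backticks, so a name such as $(xmessage hello) is expanded
    by /bin/sh before xdg-open ever sees it.  Only built here, never run."""
    return 'xdg-open "%s"' % path


def run_with_shell(path, marker):
    """Vulnerable variant: the name is pasted into a shell command line exactly
    as in the report (printf stands in for xdg-open so this runs offline).
    Returns True if the payload hidden in the name executed."""
    os.system('printf "%%s\\n" "%s" >/dev/null' % path)
    return os.path.exists(marker)


def run_with_list(path, marker):
    """Fixed variant: argv is a list and shell=False (the default), so the
    name reaches printf as one argument and nothing parses it as shell syntax."""
    subprocess.run(["printf", "%s\n", path], stdout=subprocess.DEVNULL, check=True)
    return os.path.exists(marker)


def run_with_quote(path, marker):
    """When a shell is unavoidable (pipes, redirects, as in the dconf load
    report), shlex.quote() single-quotes the name so the shell keeps it literal."""
    subprocess.run('printf "%%s\\n" %s >/dev/null' % shlex.quote(path),
                   shell=True, check=True)
    return os.path.exists(marker)


def demo():
    """Run a constructed file name carrying a payload through each variant.
    'touch <marker>' replaces xmessage so the side effect can be checked.
    Returns {variant: payload fired?}."""
    workdir = tempfile.mkdtemp()
    results = {}
    try:
        for label, fn in (("os.system", run_with_shell),
                          ("subprocess list", run_with_list),
                          ("shlex.quote", run_with_quote)):
            marker = os.path.join(workdir, label.replace(" ", "_") + ".fired")
            payload = "photo $(touch %s).jpg" % marker  # constructed attacker input
            results[label] = fn(payload, marker)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, fired in demo().items():
        print("%-16s payload executed: %s" % (label, fired))
```

Only the os.system variant creates the marker file. Note that the double quotes in the pitivi line are not a defence: besides `$(...)` and backticks, a `"` in the file name ends the quoted argument outright. The list form needs no quoting at all, which is why the thread keeps asking for subprocess with shell=False rather than for better escaping.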

[Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-16 Thread Bernd Dietzel
** Attachment removed: "Dependencies.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt ** Attachment removed: "JournalErrors.txt"

[Bug 1460413] Re: Shell Command Injection in logcapture.py

2015-10-03 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-10-03 Thread Bernd Dietzel
Fix works.

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-30 Thread Bernd Dietzel
Whether the shell command can be injected seems to depend only on how the music players store their data. The Gmusicbrowser Unity Scope seems to be lucky because the gmusicbrowser player changes special chars in the name before it stores it in its database. The Audacious Scope and Clementine Scope are

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-14 Thread Bernd Dietzel
Exploit demo video (German) https://www.youtube.com/watch?v=JrP7B6CIOMQ

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-10 Thread Bernd Dietzel
I attached a Clementine Scope exploit screenshot demo ** Attachment added: exploid scope clementine https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+attachment/4442436/+files/Clementine%20Scope%20Exploid%20Screenshot.png

[Bug 1483037] [NEW] Possible Shell Comand Injection in deamon

2015-08-09 Thread Bernd Dietzel
Public bug reported: File : /usr/share/unity-scopes/gmusicbrowser/unity_gmusicbrowser_daemon.py Function do_activate is vulnerable to shell commands in the filename of the tracks, the dirname of the album and the albumtracks.
    os.system("xdg-open '%s'" % str(dirname))
##Example : xterm starts

[Bug 1483037] Re: Possible Shell Comand Injection in deamon

2015-08-09 Thread Bernd Dietzel
Same issues in :
    /usr/share/unity-scopes/audacious/unity_audacious_daemon.py
    /usr/share/unity-scopes/guayadeque/unity_guayadeque_daemon.py
    /usr/share/unity-scopes/clementine/unity_clementine_daemon.py
    /usr/share/unity-scopes/musique/unity_musique_daemon.py

[Bug 1483037] Re: Possible Shell Command Injection in daemon

2015-08-09 Thread Bernd Dietzel
** Summary changed:
- Possible Shell Comand Injection in deamon
+ Possible Shell Command Injection in daemon

[Bug 1467666] Re: speechd_config executes Shell Commands

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

[Bug 1466633] Re: Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

[Bug 1462470] Re: pydoc.py uses old netscape navigator

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

[Bug 1460403] Re: Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py

2015-06-30 Thread Bernd Dietzel
** Information type changed from Private Security to Public

[Bug 1467666] [NEW] speechd_config executes Shell Commands

2015-06-22 Thread Bernd Dietzel
Public bug reported: If espeak is installed, some functions in the script speechd_config.py can be used to execute shell commands. -- Demo example, from the terminal type in : theregrunner@mint17 : ~ $ python3 Python 3.4.0 (default, Apr 11 2014, 13:05:18) [GCC 4.8.2] on linux Type help,

[Bug 1466633] Re: Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-21 Thread Bernd Dietzel
Same problem with gedit 2.30.4 in Linux Mint 17.1 Rebecca. Watch my (German) shell command injection demo video at timecode 10:00min https://www.youtube.com/watch?v=abP76r-2js0

[Bug 1466633] [NEW] Pluma Plugin Snippets Manager - Shell Command Injection

2015-06-18 Thread Bernd Dietzel
Public bug reported: The plugin Snippets in Pluma 1.8.1 is vulnerable to shell commands. If you activate the snippet plugin, you can use Tools - Manage Snippets from the main menu of pluma. Example : If you import a snippet with the manager which has a filename like this :

[Bug 1462470] [NEW] pydoc.py uses old netscape navigator

2015-06-05 Thread Bernd Dietzel
Public bug reported: File : /usr/lib/python2.7/pydoc.py line : 2216 ... 2226 pydoc.py uses the old netscape navigator when the webbrowser module cannot be imported. And it is vulnerable to shell command injection too, because it uses os.system(), which allows shell commands in the parameter url.

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-21 Thread Bernd Dietzel
Ok, the parameters are filtered now. I'd still like to see subprocess.Popen() in combination with its parameter shell=False in the code. Please, do not use commands.getstatusoutput(), it's unsafe when there are arguments in the string which the attacker can reach. Subprocess.Popen() directs the

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-20 Thread Bernd Dietzel
I was able to use iface to insert a shell command, too.
1.) save a profile which uses some interface, for example eth0, to your home directory.
2.) edit the file like this: iface = eth0;xterm;
3.) rename the profile to some other name than before
4.) import the new profile with Gufw from your

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-19 Thread Bernd Dietzel
It was an honor to help you :-) Maybe it would be a good idea to think about 'quoting' each and every parameter before it's passed to the command? https://docs.python.org/3/library/shlex.html#shlex.quote With best regards, Bernd

[Bug 1410839] Re: Shell Command injection in ufw_backend.py

2015-01-18 Thread Bernd Dietzel
Interesting. One thing leads to another thing :-) If it gets worse you may want to think about going back and using subprocess.Popen() instead of the old commands.getstatusoutput(). This could make the code shorter.

[Bug 877631] Re: AssertionError after interruption/restart of backup

2011-11-08 Thread Bernd Dietzel
I am using deja-dup 20.1-0ubuntu0.2 (oneiric-proposed) to fix the problem, but the bug is still there. I am using Ubuntu 11.10 32 bit with German language (de). I had used a password for encryption (letters a-z, 0-9, and special char -). I chose to keep the password, I chose to keep the

[Bug 711561] Re: Compiz won't allow Desktop Cube plugin to load with unity

2011-03-13 Thread Bernd Dietzel
I got the cube running with wall and unity. In the compiz config settings manager (ccsm), disable auto sort plugins, then add cube and so on manually. The unity plugin has to be more at the end than the cube, and the wall has to be above the cube. Start the gnome-panel from a terminal, set 4 Desktops in one row

[Bug 731451] [NEW] audacity not working in Ubuntu 11.04 Alpha3

2011-03-08 Thread Bernd Dietzel
Public bug reported: Binary package hint: audacity Audacity Version : 1.13.12-14ubuntu1 Ubuntu Version : Ubuntu 11.04 Natty Narwhal Alpha3 , 64bit When Audacity starts the CPU usage rises high, even when no audio file has been opened yet. Then, when you try to open an audio file like a wave

[Bug 731451] Re: audacity not working in Ubuntu 11.04 Alpha3

2011-03-08 Thread Bernd Dietzel
-- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com