[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages

2017-11-23 Thread Matthias Klose
looks like this is a won't fix ...

** Changed in: python2.7 (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857

Title:
  Possible Shell Code injection when cleaning packages

Status in python2.7 package in Ubuntu:
  Won't Fix

Bug description:
  pyclean allows shell code to be injected when the package filename
  contains commands.

  Exploit Demo which starts the program xeyes :
  $ pyclean -p ";xeyes;.deb"

  Reason :
  The python scripts in the debpython folder are calling subprocess with
  shell=True.  Should be False.

  /usr/share/python/debpython/files.py  Line 49:
  process = Popen("/usr/bin/dpkg -L %s" % package_name,\
  shell=True, stdout=PIPE)

  /usr/share/python/debpython/pydist.py  Line 157:
  process = Popen("/usr/bin/dpkg -S %s" % query, \
  shell=True, stdout=PIPE, stderr=PIPE)

  /usr/share/python/debpython/tools.py  Line  159:
  cmd = "readelf -Wd '%s'" % fpath
  process = Popen(cmd, stdout=PIPE, shell=True)

  /usr/share/python/debpython/namespace.py Line 108:
  process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
   ' '.join(removal_candidates), shell=True, stdout=PIPE)

  --
  Attention : namespace.py may be called when using "apt-get -f remove".
  --
  This bug was not yet reported to upstream.
  Please do that for me. Thank you :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
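
Added example, not debpython's own code and not part of the thread: the four call sites from the bug description rebuilt as argument lists that run without a shell, plus a check for the package-name rule from the Debian policy quoted in this thread. The helper names are hypothetical, the snippet targets Python 3, and the child process is a harmless argv echo standing in for dpkg.

```python
import re
import subprocess
import sys

# Package-name rule as quoted in the thread: a-z, 0-9, '+', '-', '.', at least
# two characters, first one alphanumeric. \Z (not $) rejects a trailing newline.
PACKAGE_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+\Z")

def is_valid_package_name(name):
    return PACKAGE_NAME.match(name) is not None

def dpkg_list_argv(package_name):
    # files.py call site: was "/usr/bin/dpkg -L %s" % package_name, shell=True
    if not is_valid_package_name(package_name):
        raise ValueError("invalid package name: %r" % (package_name,))
    return ["/usr/bin/dpkg", "-L", package_name]

def dpkg_search_argv(patterns):
    # pydist.py / namespace.py call sites: one argv element per pattern
    # replaces the ' '.join(...) string that the shell used to re-split.
    return ["/usr/bin/dpkg", "-S"] + list(patterns)

def readelf_argv(fpath):
    # tools.py call site: no quoting needed; "--" ends GNU getopt options so a
    # path beginning with "-" is not read as a flag.
    return ["readelf", "-Wd", "--", fpath]

def run_quiet(argv):
    # shell=False is the default for a list; DEVNULL replaces "2>/dev/null".
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, check=False)
    return proc.returncode, proc.stdout.decode(errors="replace")

def argv_seen_by_child(arg):
    # Hypothetical stand-in for dpkg: a child that only reports its arguments.
    echo = [sys.executable, "-c", "import sys; print(sys.argv[1:])", arg]
    return run_quiet(echo)[1].strip()

if __name__ == "__main__":
    hostile = ";xeyes;.deb"  # the string from the bug description
    print(is_valid_package_name(hostile))   # checked against the name rule
    print(argv_seen_by_child(hostile))      # what the child actually received
```
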


[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages

2016-04-17 Thread Piotr Ożarowski
can you give me an example where one can use it to do something bad and
doesn't have access to root already?

"exploit" demo is funny, though :)
Here's another one: `su root -c 'echo foo'` ;)



[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages

2016-01-05 Thread Seth Arnold
Another nice find Bernd, but package names are restricted to include
only:

lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs,
and periods (.). They must be at least two characters long and must
start with an alphanumeric character.

https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

Therefore I'm thinking this is a simple programming mistake and not a
security bug.

Thanks



[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages

2016-01-05 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public
