[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages
looks like this is a won't fix ...

** Changed in: python2.7 (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857

Title:
  Possible Shell Code injection when cleaning packages

Status in python2.7 package in Ubuntu:
  Won't Fix

Bug description:
  pyclean allows to inject shell code when the package filename contains commands.

  Exploit Demo which starts the program xeyes :

    $ pyclean -p ";xeyes;.deb"

  Reason : The python scripts in the debpython folder are calling subprocess with shell=True. Should be False.

  /usr/share/python/debpython/files.py Line 49:

    process = Popen("/usr/bin/dpkg -L %s" % package_name,\
                    shell=True, stdout=PIPE)

  /usr/share/python/debpython/pydist.py Line 157:

    process = Popen("/usr/bin/dpkg -S %s" % query, \
                    shell=True, stdout=PIPE, stderr=PIPE)

  /usr/share/python/debpython/tools.py Line 159:

    cmd = "readelf -Wd '%s'" % fpath
    process = Popen(cmd, stdout=PIPE, shell=True)

  /usr/share/python/debpython/namespace.py Line 108:

    process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
                    ' '.join(removal_candidates), shell=True, stdout=PIPE)

  -- Attention : namespace.py may be called when using "apt-get -f remove".

  -- This bug was not yet reported to upstream. Please do that for me.

  Thank you :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages
can you give me an example where one can use it to do something bad and doesn't have access to root already?

"exploit" demo is funny, though :)

Here's another one: `su root -c 'echo foo'` ;)
[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Another nice find Bernd, but package names are restricted to include only:

lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs, and periods (.). They must be at least two characters long and must start with an alphanumeric character.

https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

Therefore I'm thinking this is a simple programming mistake and not a security bug.

Thanks
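
Added example, not part of the thread and not debpython's own code: the shell=False form the report asks for, combined with the package-name rule quoted above. It is written for Python 3; dpkg_list_argv, is_valid_package_name and child_sees are hypothetical helper names, and the child process is a stand-in interpreter rather than dpkg so the script runs on any system.

```python
import re
import subprocess
import sys

# Debian policy rule quoted in the thread: lower case letters, digits, plus,
# minus and periods; at least two characters; starts with an alphanumeric.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def is_valid_package_name(name):
    """Return True only for names the quoted policy rule allows."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def dpkg_list_argv(package_name):
    """Build the argv for `dpkg -L <package>` without involving a shell.

    Hypothetical helper: rejects anything that is not a policy-conforming
    package name, then returns a list so Popen can run it with shell=False.
    """
    if not is_valid_package_name(package_name):
        raise ValueError("not a valid package name: %r" % package_name)
    return ["/usr/bin/dpkg", "-L", package_name]


def child_sees(argument):
    """Run a stand-in child with a list argv and return the argv it received.

    The child is this Python interpreter, not dpkg. With a list and the
    default shell=False no /bin/sh parses the argument, so ';' is inert.
    """
    echo_argv = [sys.executable, "-c",
                 "import sys; sys.stdout.write('\\0'.join(sys.argv[1:]))",
                 argument]
    out = subprocess.run(echo_argv, stdout=subprocess.PIPE, check=True).stdout
    return out.decode().split("\0")


if __name__ == "__main__":
    reported = ";xeyes;.deb"          # the argument from the bug description
    print(child_sees(reported))       # arrives as one literal argument
    print(dpkg_list_argv("python2.7"))
    try:
        dpkg_list_argv(reported)
    except ValueError as exc:
        print("rejected:", exc)
```

The name check only applies to package names; file paths such as the fpath passed to readelf in tools.py cannot be validated this way, so the list form of argv is what protects those calls.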
[Touch-packages] [Bug 1529857] Re: Possible Shell Code injection when cleaning packages
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public