[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Changed in: gui-ufw (Ubuntu Vivid)
   Status: Fix Committed => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Changed in: gui-ufw (Ubuntu)
   Importance: High => Medium

** Changed in: gui-ufw (Ubuntu Vivid)
   Importance: High => Medium
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Tags removed: removal-candidate

** Information type changed from Public to Public Security

** Changed in: gui-ufw (Ubuntu)
   Importance: Undecided => High

** Changed in: gui-ufw (Ubuntu Vivid)
   Importance: Undecided => High
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Also affects: gui-ufw (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Changed in: gui-ufw (Ubuntu Vivid)
   Status: New => Fix Committed

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
fix works.
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
Hello Bernd, or anyone else affected,

Accepted gui-ufw into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gui-ufw/15.04.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Also affects: gui-ufw (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** No longer affects: gui-ufw (Ubuntu Trusty)

** Tags added: verification-needed
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
This bug was fixed in the package gui-ufw - 15.10.0-0ubuntu1

---------------
gui-ufw (15.10.0-0ubuntu1) wily; urgency=medium

  * New upstream release. Upstream changelog:
    + 15.10.0
      - Added miniDLNA profile
      - Updated languages
    + 15.04.4
      - Fix: Migrate commands to subprocess > Fixing shell injection (LP: #1412554)
      - Fix: Allow import profile with English language (LP: #1416631)
      - Removed executable flag in config files (mask 600, not 700)
      - Updated translations
    + 15.04.3
      - Properly fix: Shell Command Injection (LP: #1410839)
    + 15.04.2
      - Fix: Shell Injection in the IP & Ports values.
    + 15.04.1
      - Fix: Shell Command Injection (LP: #1410839)
      - Fix: Not allow one interface over the same interface (LP: #1402220)
      - Fix: Not allow Both Protocol with a range of ports (LP: #1402232)
      - Updated languages
  * debian/control: bump Standards-Version to 3.9.6.

 -- Devid Antonio Filoni  Thu, 04 Jun 2015 21:01:39 +0200

** Changed in: gui-ufw (Ubuntu)
   Status: Confirmed => Fix Released
Re: [Bug 1410839] Re: Shell Command injection in ufw_backend.py
Hi Bernd!

Yes, you are right. I tried subprocess a few years ago and I found something that was not working for what I needed (I don't remember what). But I will try it again :) I will create another bug for that and I will give you feedback.

I can't upload that change because it'll be complicated to ensure the current GUI stability, and for older versions I have to fix problems but I must not make improvements.

On the other hand, this bug was epic. I learned a lot about (not web PHP) injection. I want to thank you for all the reports, tests and help!!! :)

Really thank you!!

Best regards!!
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
Ok, the parameters are filtered now.

I'd still like to see subprocess.Popen() in combination with its parameter shell=False in the code.

Please, do not use commands.getstatusoutput(), it's unsafe when there are arguments in the string which the attacker can reach. Subprocess.Popen() directs the arguments in a better way to the program you want to run, so the args can not execute another program.

https://docs.python.org/2/library/subprocess.html

And again, think about "quoting" if you still want to use commands.getstatusoutput() for some reason. Quoting with shlex.quote(arg) should prevent shell command injection and ... Quoting may also prevent an attacker from disabling the firewall if he appends some valid ufw commands, not only shell commands ;-)

https://docs.python.org/3/library/shlex.html#shlex.quote

Greetings from Germany
Bernd
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Changed in: gui-ufw
   Status: In Progress => Fix Released
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
Wow Bernd! :) You're doing a really awesome review!!

I'll be in paranoid mode and I'll check all the parameters. Please, take a look at the patch :)

Thanks in advance!

** Attachment removed: "Patchs for Ubuntu 14.04 & 14.10"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4300755/+files/patchs.tar.gz

** Attachment added: "patchs.tar.gz"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4303305/+files/patchs.tar.gz
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Patch removed: "patchs.tar.gz"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4301935/+files/patchs.tar.gz
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Changed in: gui-ufw
   Status: Fix Released => In Progress
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
I was able to use "iface" to insert a shell command, too.

1.) save a profile which uses some interface, for example "eth0", to your home directory.
2.) edit the file like this: iface = eth0;xterm;
3.) rename the profile to some other name than before
4.) import the new profile with Gufw from your home directory
5.) use the new profile
6.) xterm starts

boom :-)
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
It was an honor to help you :-)

Maybe it would be a good idea to think about 'quoting' each and every parameter before it's passed to command?

https://docs.python.org/3/library/shlex.html#shlex.quote

with best regards
Bernd
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
@Bernd, I owe you a beer ;P

I was reviewing the code and I found another shell injection in the IP & Ports :( I'm attaching the patches for all the affected versions and I'm sending the new version 15.04.2 to the maintainers.

Best regards and thanks Bernd!

** Patch removed: "Patchs for Gufw 14.04.2 & 14.10.1"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4301088/+files/patchs_14.04.2_and_14.10.1.tar.gz

** Attachment added: "patchs.tar.gz"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4301935/+files/patchs.tar.gz
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Patch removed: "path_1410839.patch"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4300558/+files/path_1410839.patch

** Patch removed: "patch2.patch"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4300704/+files/patch2.patch

** Patch removed: "Final patch"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4300706/+files/patch_14.10.patch
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
Interesting. One thing leads to another thing :-)

If it gets worse you may want to think about going back and using subprocess.popen() instead of the old commands.getstatusoutput(). This could make the code shorter.
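Bernd makes the same recommendation twice in this thread (here, and in his later comment asking for subprocess.Popen() with shell=False, with shlex.quote() as the fallback if a command string is kept). The block below shows both fixes next to the pattern they replace, using the iface value from his report. It is an added example, not Gufw's ufw_backend.py: the function names, the interface-name allow-list and the use of a Python one-liner in place of the ufw binary are this example's own assumptions. Two notes on names: the class Bernd means is subprocess.Popen (capital P), and shlex.quote() is Python 3.3+, the Python 2 equivalent being pipes.quote.

```python
import re
import shlex
import subprocess
import sys

# Assumption: a conservative allow-list for Linux interface names (letters,
# digits, '_', '.', ':' and '-', at most 15 characters, i.e. IFNAMSIZ - 1).
_IFACE_RE = re.compile(r"[A-Za-z0-9_.:-]{1,15}")

# Constructed sample input: the value from Bernd's report, as it would arrive
# from an imported profile file.
INJECTED_IFACE = "eth0;xterm;"

# Tokens that end or chain a command in a POSIX shell.
_SEPARATORS = {";", "&&", "||", "|", "&"}


def validate_iface(iface):
    """First line of defence: refuse anything that is not a plausible
    interface name before it gets anywhere near a command."""
    if not _IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % iface)
    return iface


def vulnerable_command(iface):
    """The pattern the bug describes: a command string built by interpolation
    and handed to a shell (commands.getstatusoutput on Python 2). Returned
    rather than executed so the shell's view of it can be inspected."""
    return "ufw allow in on %s" % iface


def quoted_command(iface):
    """Bernd's fallback: the same string, but the parameter is quoted with
    shlex.quote, so the shell sees one word whatever it contains."""
    return "ufw allow in on %s" % shlex.quote(iface)


def ufw_argv(iface):
    """Bernd's preferred fix: an argv list for subprocess.Popen/run with
    shell=False. No shell ever parses it, so ';', '|' and '$' are literal."""
    return ["ufw", "allow", "in", "on", validate_iface(iface)]


def shell_words(command):
    """Approximate POSIX shell tokenisation (shlex with punctuation_chars),
    good enough to show where a shell would see a command separator."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def has_command_separator(command):
    """True if the shell would run more than one command for this string."""
    return any(tok in _SEPARATORS for tok in shell_words(command))


def run_argv_literally(iface):
    """Demonstrate argv passing without needing ufw installed: a Python
    one-liner stands in for the program and echoes its arguments back.
    The suspicious value arrives as a single, unparsed argument."""
    argv = [sys.executable, "-c",
            "import sys; print(' '.join(sys.argv[1:]))",
            "allow", "in", "on", iface]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print("interpolated:", shell_words(vulnerable_command(INJECTED_IFACE)))
    print("quoted:      ", shell_words(quoted_command(INJECTED_IFACE)))
    print("argv, no shell:", run_argv_literally(INJECTED_IFACE))
    try:
        ufw_argv(INJECTED_IFACE)
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone, the interpolated string tokenises into two commands (`ufw ... eth0` and `xterm`), the quoted string and the argv list both carry `eth0;xterm;` as one literal argument, and the allow-list rejects it outright. Quoting only protects the shell boundary; the allow-list is what stops a syntactically harmless but unexpected value from reaching ufw itself, which is the second concern Bernd raises.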
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
Updated patches (it crashed with no profiles = first run).

** Attachment added: "Patchs for Gufw 14.04.2 & 14.10.1"
   https://bugs.launchpad.net/gui-ufw/+bug/1410839/+attachment/4301088/+files/patchs_14.04.2_and_14.10.1.tar.gz
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
@Bernd: All is done :) I sent just now the updated version 15.04.1.

I want to thank you for the report of an important vulnerability like this |o/

Thanks!!
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
The attachment "path_1410839.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 1410839] Re: Shell Command injection in ufw_backend.py
** Also affects: gui-ufw (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: gui-ufw (Ubuntu)
   Status: New => Confirmed

** Changed in: gui-ufw
   Status: Fix Committed => Fix Released