Public bug reported:

File: /usr/share/unity-scopes/gmusicbrowser/unity_gmusicbrowser_daemon.py

Function "do_activate" is vulnerable to shell commands in the filename of the tracks, the dirname of the album and the albumtracks.

    os.system("xdg-open '%s'" % str(dirname))
    ## Example: xterm starts when dirname="/tmp/';xterm;#'.mp3"

Same problem here:

    os.system('gmusicbrowser -play -playlist %s' % albumtracks)

So ... Should not use os.system. Should use subprocess.Popen with the parameter shell=False or should use quote(). Thank you.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: unity-scope-gmusicbrowser 0.1+13.10.20130723-0ubuntu1
ProcVersionSignature: Ubuntu 4.1.0-3.3-generic 4.1.3
Uname: Linux 4.1.0-3-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.18-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Aug 9 20:29:56 2015
InstallationDate: Installed on 2015-08-09 (0 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150808)
PackageArchitecture: all
SourcePackage: unity-scope-gmusicbrowser
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: unity-scope-gmusicbrowser (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug wily

https://bugs.launchpad.net/bugs/1483037
Title:
  Possible Shell Command Injection in daemon
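The vulnerable interpolation and the two fixes the report asks for (shlex.quote() or an argv list with shell=False), as an added example that is not the scope's own code; it uses shlex to show how a POSIX shell would tokenise each command line, and assumes (hypothetically) that albumtracks is a list of track paths.

```python
import shlex
import subprocess

# Constructed sample with the same shape as the dirname in the report:
# the quote closes the interpolated string, ';' ends the command and
# '#' comments out the trailing quote.
EVIL_DIRNAME = "/tmp/';xterm;#'.mp3"


def naive_command(dirname):
    """Vulnerable pattern from the report: path interpolated into a shell line."""
    return "xdg-open '%s'" % str(dirname)


def quoted_command(dirname):
    """Mitigation 1: shlex.quote() turns the path into a single shell word."""
    return "xdg-open %s" % shlex.quote(str(dirname))


def argv_command(dirname):
    """Mitigation 2 (preferred): argv list, run with shell=False."""
    return ["xdg-open", str(dirname)]


def playlist_argv(albumtracks):
    """Same fix for the gmusicbrowser call; albumtracks is assumed
    (hypothetical) to be a list of track paths."""
    return ["gmusicbrowser", "-play", "-playlist"] + [str(t) for t in albumtracks]


def shell_tokens(cmdline):
    """Tokenise a command line the way a POSIX shell does, so the reader can
    see where the shell would find operators such as ';'."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lex)


def open_path(dirname):
    """Launch xdg-open without a shell; the path is one argv element."""
    return subprocess.Popen(argv_command(dirname))  # shell=False is the default


if __name__ == "__main__":
    print(shell_tokens(naive_command(EVIL_DIRNAME)))
    # → ['xdg-open', '/tmp/', ';', 'xterm', ';']   (three separate commands)
    print(shell_tokens(quoted_command(EVIL_DIRNAME)))
    # → ['xdg-open', "/tmp/';xterm;#'.mp3"]        (one argument, intact)
```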