Public bug reported:

File:
/usr/share/unity-scopes/gmusicbrowser/unity_gmusicbrowser_daemon.py

Function "do_activate" is vulnerable to shell commands in the filename
of the tracks, the dirname of the album and the albumtracks.


os.system("xdg-open '%s'" % str(dirname))
## Example: xterm starts when dirname="/tmp/';xterm;#'.mp3"

Same problem here:
os.system('gmusicbrowser -play -playlist %s' % albumtracks)

So ...
os.system should not be used.
subprocess.Popen with the parameter shell=False should be used, or
quote() should be used.

Thank you.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: unity-scope-gmusicbrowser 0.1+13.10.20130723-0ubuntu1
ProcVersionSignature: Ubuntu 4.1.0-3.3-generic 4.1.3
Uname: Linux 4.1.0-3-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.18-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Aug  9 20:29:56 2015
InstallationDate: Installed on 2015-08-09 (0 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150808)
PackageArchitecture: all
SourcePackage: unity-scope-gmusicbrowser
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: unity-scope-gmusicbrowser (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
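A hardened form of the two calls quoted in the report, added here as an example and not code from the unity-scope-gmusicbrowser package: the argv form hands each path to the program as one argument with no shell involved, and the shlex.quote() form covers the case where a shell command string is unavoidable. The sample paths, and the substitution of printf for xdg-open/gmusicbrowser in the two demonstration functions, are constructed for this example.

```python
import shlex
import subprocess

# Constructed sample values of the shape the report's dirname and
# albumtracks variables hold; the first one is the report's own payload.
SAMPLE_DIRNAME = "/tmp/';xterm;#'.mp3"
SAMPLE_TRACKS = [SAMPLE_DIRNAME, "/music/01 - a.mp3", "/music/02 $(echo b).mp3"]


def open_dirname_argv(dirname):
    """Replacement for os.system("xdg-open '%s'" % dirname): an argv list.
    With shell=False every element reaches the program verbatim, so
    quotes, ';' and '#' inside dirname are data, not shell syntax."""
    return ["xdg-open", str(dirname)]


def run_argv(argv):
    """Run an argv list without a shell (the safe replacement for os.system)."""
    return subprocess.run(argv, shell=False, check=False)


def playlist_command(albumtracks):
    """Replacement for os.system('gmusicbrowser -play -playlist %s' % ...):
    a shell string in which every path is individually shlex.quote()d.
    Prefer run_argv(["gmusicbrowser", "-play", "-playlist", *albumtracks])
    when no shell is needed at all."""
    quoted = " ".join(shlex.quote(str(t)) for t in albumtracks)
    return "gmusicbrowser -play -playlist " + quoted


def argument_seen_by_child(dirname):
    """Demonstration: pass the hostile path to printf as one argv element
    (standing in for xdg-open) and return what the child received."""
    out = subprocess.run(["printf", "%s", str(dirname)],
                         capture_output=True, text=True, check=True)
    return out.stdout


def shell_sees_quoted(albumtracks):
    """Demonstration: run the quoted form through a real shell with printf
    standing in for gmusicbrowser, and return the argv the shell built.
    Each track must come back as exactly one argument, unexpanded."""
    quoted = " ".join(shlex.quote(str(t)) for t in albumtracks)
    cmd = "printf '%s\\n' " + quoted
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.split("\n")[:-1]
```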
