[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Changed in: unity-scope-audacious (Ubuntu)
   Status: New => Confirmed

** Changed in: unity-scope-clementine (Ubuntu)
   Status: New => Confirmed

** Changed in: unity-scope-gmusicbrowser (Ubuntu)
   Status: New => Confirmed

** Changed in: unity-scope-gourmet (Ubuntu)
   Status: New => Confirmed

** Changed in: unity-scope-guayadeque (Ubuntu)
   Status: New => Confirmed

** Changed in: unity-scope-musique (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1483037

Title:
  Possible Shell Command Injection in daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1483037] Re: Possible Shell Command Injection in daemon
I haven't tested it but the patch looks like a vast improvement. Thanks
[Bug 1483037] Re: Possible Shell Command Injection in daemon
OK, check this new patch for the audacious scope.
- No injections
- Multiple tracks
- Database issues

** Attachment added: "new audacious patch - multiple tracks + database"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4664912/+files/audacious%20-%20db%20-%20patch.txt
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Bernd, all those look like different errors. I just meant that the line: "database = open(dbfile, "r")" doesn't have a corresponding line to close the file once it's done.
[Bug 1483037] Re: Possible Shell Command Injection in daemon
@Seth, your comment 17: I had a look at the audacious db-file access:

    for collection in os.listdir(AUDACIOUS_DBFILE):
        dbfile = '%s/%s' % (AUDACIOUS_DBFILE, collection)
        database = open(dbfile, "r")
        database = database.read()
        if not database.startswith("title:Library"):
            records = database[14:]
            records = records.split("uri=")
        else:
            records = ""

What I can see are some bugs like this:
1) On my PC, the database entry is not the English "title:Library", but in my language "title=Sammlung"; notice it is written with "=" not with ":".
2) So "records = database[14:]" should be something like "records = database[5:]".
3) There is no filter to use files with the ".audpl" extension only.
4) There is a "//" in the dbfile path.

Is that what you mean?
[Bug 1483037] Re: Possible Shell Command Injection in daemon
New patch for unity_audacious_daemon.py with better handling of multiple tracks

** Attachment added: "audacious patch - multiple tracks"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4663521/+files/audacious-patch%20%20with%20%20multiple%20tracks.txt
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Hi David - Can you take a look at Seth's feedback in comment 17 and then update your patches accordingly? Thanks!
[Bug 1483037] Re: Possible Shell Command Injection in daemon
For a Shotwell scope SQL injection demo, I attached a screenshot. Code can be injected with a file name in the function getPhotoForUri.

Demonstration:
a) rename some picture like this: xx " UNION SELECT 1,'2','Hello','World',5,6,7,8,9,10,11,12,'13','14','15',16,17,18,19,20,21,22,23,24,'25',26,27,28,29 -- ".png
b) start shotwell and ensure the picture gets into the shotwell database
c) close shotwell
d) search for xx in the Unity Dash and click on the picture
e) have a look at the picture dimensions and the size. It reads "Hello x World Pixels", size: 5.0b.

This is only a harmless demo. Other things may happen, like crashes or code execution.

** Attachment added: "unity-scope-shotwell SQL injection Demo"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4542841/+files/screenshot.png
[Bug 1483037] Re: Possible Shell Command Injection in daemon
@David: the shotwell, firefoxbookmarks, chromiumbookmarks and zotero scopes may be checked for SQL injections, too. Example, some code of the shotwell scope:

    sql='select * from PhotoTable where filename = \"'+filename+'\"'
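The two messages above (the renamed-picture demo and the quoted getPhotoForUri query) describe the same defect: a file name read out of the player's database is pasted into the SQL text. The following is an added example, not code from the unity-scope-shotwell package, that reproduces the demo against a constructed in-memory SQLite table. The table is a stand-in for Shotwell's PhotoTable with only five columns, so the injected UNION row carries five values instead of the 29 in the screenshot demo, and the vulnerable query uses single quotes rather than the scope's double quotes so the result does not depend on SQLite's double-quoted-string fallback.

```python
import sqlite3

# Added example, not code from unity-scope-shotwell. The table below is a
# constructed five-column stand-in for Shotwell's PhotoTable.

def make_db():
    """In-memory database with one legitimate photo record (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PhotoTable ("
        "id INTEGER PRIMARY KEY, filename TEXT, width INTEGER, "
        "height INTEGER, filesize INTEGER)"
    )
    conn.execute(
        "INSERT INTO PhotoTable (filename, width, height, filesize) VALUES (?, ?, ?, ?)",
        ("/home/user/Pictures/holiday.jpg", 4000, 3000, 2500000),
    )
    conn.commit()
    return conn

# A file name the attacker controls: it only has to be imported into the photo
# database. The quote closes the literal, UNION appends a row of attacker-chosen
# values, and "--" comments out the rest of the scope's query (the ".png" suffix).
MALICIOUS_FILENAME = "xx ' UNION SELECT 1,'2','Hello','World',5 -- .png"

def get_photo_vulnerable(conn, filename):
    """Same construction as the scope's getPhotoForUri: the file name is pasted into SQL."""
    sql = "select * from PhotoTable where filename = '" + filename + "'"
    return conn.execute(sql).fetchone()

def get_photo_safe(conn, filename):
    """Parameterised query: the driver binds the value, it never becomes SQL text."""
    sql = "select * from PhotoTable where filename = ?"
    return conn.execute(sql, (filename,)).fetchone()

def describe(row):
    """What a preview would render from the row: width x height and file size."""
    return "%s x %s pixels, %s bytes" % (row[2], row[3], row[4])

if __name__ == "__main__":
    conn = make_db()
    # With the vulnerable query the attacker's row comes back: "Hello x World pixels, 5 bytes".
    print("vulnerable:", describe(get_photo_vulnerable(conn, MALICIOUS_FILENAME)))
    # With the parameterised query the same file name simply matches nothing.
    print("safe:", get_photo_safe(conn, MALICIOUS_FILENAME))
```

Python's sqlite3 `execute()` refuses to run more than one statement, so a stacked `'; DROP TABLE ...` payload fails here, but a UNION inside the single statement is enough to feed arbitrary values into whatever the scope renders; the parameterised form closes both doors, and it also stops a perfectly legitimate name such as O'Brien.jpg from raising an OperationalError.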
[Bug 1483037] Re: Possible Shell Command Injection in daemon
My new Clementine patch. I had a look at the other patches to fix the SQL injections. Fixed the utf8 decoding crash with try and except. Hope it works. Please test.

** Attachment added: "clementine patch , Shell Injections + SQL Injections + UTF8 Crash"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4537605/+files/diff.txt
[Bug 1483037] Re: Possible Shell Command Injection in daemon
The clementine patch appears to address the shell injection but does not address UTF-8 crashes nor SQL injections.

The gourmet patch appears to address the SQL injection but does not address the predictable /tmp/ filenames, potential cross-site scripting issues due to use of unquoted HTML, and the preview's localisation is still broken.

The audacious patch appears to address the shell injection -- but Bernd points out that it may not function if multiple tracks are selected -- and does not address the 'database' file descriptor leak.

The gmusicbrowser patch appears to address the shell injection -- but Bernd points out that it may not function if multiple tracks are selected -- and does not address the 'filename' file descriptor leak.

The musique patch appears to address both the shell injection and SQL injection issues. It does not address UTF-8 crashes.

The guayadeque patch appears to address the shell injection and SQL injections -- but Bernd points out that it may not function if multiple tracks are selected. It does not address UTF-8 crashes.

Thanks
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Patch added: "Patch for Guayadeque scope"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4520006/+files/unity-scope-guayadeque.patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Patch added: "Patch for Musique scope"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4519752/+files/unity-scope-musique.patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
@David: Did you notice that the albumtracks are a list and not a simple string? Have a look at my "Better patch for unity_clementine_daemon.py" in comment #10.
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Patch added: "Patch for gMusicBrowser"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4519728/+files/unity-scope-gmusicbrowser.patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Patch added: "Patch for Audacious scope"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4519724/+files/unity-scope-audacious.patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Patch added: "Patch for Gourmet SQL injection"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+attachment/4508319/+files/unity-scope-gourmet.patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Better patch attached for the clementine unity scope Python script.
1) I use subprocess.Popen() this time instead of the simple subprocess.call() before.
2) Should now handle albumtracks in a better way because it's a list of strings.
3) Clementine now gives you an error message on playing a file when shell commands are in the filename.
4) A folder path with shell commands in the pathname will not be injected and not opened.

... could someone check it please?

** Patch added: "Better patch"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4503381/+files/patch2.diff
[Bug 1483037] Re: Possible Shell Command Injection in daemon
The attachment "unity_clementine_daemon_patch.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 1483037] Re: Possible Shell Command Injection in daemon
I attached a patch for unity_clementine_daemon.py which should solve the problem using subprocess

** Patch added: "unity_clementine_daemon_patch.diff"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-clementine/+bug/1483037/+attachment/4502656/+files/unity_clementine_daemon_patch.diff
[Bug 1483037] Re: Possible Shell Command Injection in daemon
All these tools used unsafe APIs and need drastic re-working regardless of specific database mitigations. Thanks
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Whether the shell command can be injected seems only to depend on how the music players store their data. The Gmusicbrowser Unity Scope seems to be lucky because the gmusicbrowser player changes special chars in the name before it stores it in its database. The Audacious Scope and Clementine Scope are not so lucky. I attached a screenshot where you can see the differences.

** Attachment added: "db.png"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4454462/+files/db.png
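The root cause described in the message above (a track path that the player stored unescaped is handed to a shell), and the subprocess-based fix discussed in the "Better patch" message (argument handling, albumtracks being a list rather than a string), can be shown side by side. The following is an added example, not code from any of the unity-scope-* daemons: "echo" stands in for the player binary the scopes launch (clementine, audacious, ...), so the effect of the injection is visible in the captured output and no media player is started. The track path is constructed.

```python
import shlex
import subprocess

# Added example, not code from the unity-scope-* daemons. "echo" stands in for
# the media player binary so the example runs anywhere and launches nothing.
PLAYER = "echo"

# Constructed track path as a player that does not escape special characters
# would store it. The ';' ends the player command and starts a second one.
MALICIOUS_TRACK = "/home/user/Music/Song.mp3; echo INJECTED"

def play_vulnerable(path):
    """os.system-style launch: one string is handed to /bin/sh, so shell
    metacharacters inside the path are interpreted as shell syntax."""
    cmd = "%s %s" % (PLAYER, path)
    return subprocess.check_output(cmd, shell=True, text=True)

def play_safe(paths):
    """Argument list, no shell: each path is exactly one argv entry. A list of
    album tracks is passed as a list instead of being joined into one string."""
    if isinstance(paths, str):
        paths = [paths]
    return subprocess.check_output([PLAYER] + list(paths), text=True)

def play_quoted(path):
    """If a shell really is required, quote every argument with shlex.quote."""
    cmd = "%s %s" % (PLAYER, shlex.quote(path))
    return subprocess.check_output(cmd, shell=True, text=True)

def injection_fired(output):
    """True if the second command ran, i.e. 'INJECTED' appears as a line of its own."""
    return any(line.strip() == "INJECTED" for line in output.splitlines())

if __name__ == "__main__":
    # shell=True: the second echo runs, the output has "INJECTED" on its own line.
    print("shell=True :", repr(play_vulnerable(MALICIOUS_TRACK)))
    # argv list: the whole path, ';' included, is printed back as one argument.
    print("argv list  :", repr(play_safe([MALICIOUS_TRACK, "/home/user/Music/Other.mp3"])))
    # shlex.quote: same result as the argv list, at the cost of still using a shell.
    print("shlex.quote:", repr(play_quoted(MALICIOUS_TRACK)))
```

The argument-list form is the one to prefer: it needs no quoting discipline, it naturally takes the list of album tracks the scopes already have, and a path with `;`, `$(...)` or backticks simply reaches the player as a file name, which is exactly the "error message on playing a file" behaviour the patch description reports.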
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Also affects: unity-scope-audacious (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: unity-scope-clementine (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: unity-scope-guayadeque (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: unity-scope-musique (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: unity-scope-gourmet (Ubuntu)
   Importance: Undecided
       Status: New

** Branch linked: lp:~davidc3/unity-scope-audacious/1483037
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Bernd, thank you for this report and excellent demonstrations. More to come later.
[Bug 1483037] Re: Possible Shell Command Injection in daemon
Exploit demo video (German) https://www.youtube.com/watch?v=JrP7B6CIOMQ
[Bug 1483037] Re: Possible Shell Command Injection in daemon
I attached a Clementine scope exploit screenshot demo

** Attachment added: "exploid scope clementine"
   https://bugs.launchpad.net/ubuntu/+source/unity-scope-gmusicbrowser/+bug/1483037/+attachment/4442436/+files/Clementine%20Scope%20Exploid%20Screenshot.png
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Information type changed from Public to Public Security
[Bug 1483037] Re: Possible Shell Command Injection in daemon
** Summary changed:

- Possible Shell Comand Injection in deamon
+ Possible Shell Command Injection in daemon