** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to hplip in Ubuntu.
https://bugs.launchpad.net/bugs/1460413
Title:
  Shell Command Injection in logcapture.py

Status in hplip package in Ubuntu:
  Confirmed

Bug description:
  File: /usr/share/hplip/logcapture.py is vulnerable to shell command
  injection attacks, for example:

    sudo python logcapture.py --user=";xmessage hello #"

  This will run the program "xmessage" as root after you have answered the
  few questions which the python script asks.

  The reason is that the whole hplip-data package is full of old "os.system"
  calls and some similar shell calls like this one here:

    for u in USERS:
        sts = os.system('cp -f %s/*.log %s/%s 2>/devnull '%(USERS[u],LOG_FILES,u))

  ... and some like this ...

    utils.run()

  ... and some like that ...

    os_utils.execute()

  ... which calls os.system, too.

  Please check all the python scripts in the hplip-data package for this
  sort of call: os.system, utils.run(), execute()
  Replace them with subprocess.Popen() calls.

  Thank you :-)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: hplip-data 3.15.2-0ubuntu4.1
  ProcVersionSignature: Ubuntu 3.19.0-18.18-generic 3.19.6
  Uname: Linux 3.19.0-18-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: amd64
  CupsErrorLog:
  CurrentDesktop: KDE
  Date: Sun May 31 13:36:45 2015
  InstallationDate: Installed on 2015-05-15 (15 days ago)
  InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  Lpstat: device for HP_Deskjet_2540_series: hp:/usb/Deskjet_2540_series?serial=CN52E5F0W10604
  PackageArchitecture: all
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/HP_Deskjet_2540_series.ppd'] failed with exit code 2: grep: /etc/cups/ppd/HP_Deskjet_2540_series.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-18-generic root=UUID=182e9546-7ed3-47f6-8b0d-caffb14cc976 ro quiet splash
  SourcePackage: hplip
  UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 11/05/2009
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080015
  dmi.board.name: GeForce 8000 series
  dmi.board.version: 1.0
  dmi.chassis.type: 3
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd11/05/2009:svn:pnGeForce8000series:pvr1.0:rvn:rnGeForce8000series:rvr1.0:cvn:ct3:cvr:
  dmi.product.name: GeForce 8000 series
  dmi.product.version: 1.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/1460413/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
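Added example (not hplip's code and not part of the bug report above): the os.system() pattern the reporter quotes, rebuilt as a small stand-in next to the hardened form the reporter asks for, and both run against a payload of the same shape as --user=";xmessage hello #". The function names, the USER_RE allow-list, the scratch directory tree and the sample log file are all constructed for this example; xmessage is replaced by touch so the injected command leaves a checkable file instead of opening a window, and nothing here needs root.

```python
import glob
import os
import re
import subprocess
import tempfile


def copy_logs_vulnerable(user_home, log_dir, user):
    """Stand-in for the quoted os.system() line: one string, parsed by /bin/sh.

    Everything substituted into the string is shell syntax, so a user name
    containing ';' terminates the cp command and starts a second one, and a
    trailing '#' comments out whatever followed (here the stderr redirect).
    """
    cmd = 'cp -f %s/*.log %s/%s 2>/dev/null ' % (user_home, log_dir, user)
    # subprocess.run(..., shell=True) behaves like os.system(cmd) here.
    return subprocess.run(cmd, shell=True).returncode


# Hypothetical allow-list for user names (an assumption of this example); a real
# fix should also confirm the account exists (pwd.getpwnam) before using the
# name as a path component.
USER_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_-]*')


def copy_logs_safe(user_home, log_dir, user):
    """Hardened form: validate the name, expand the glob in Python, pass argv.

    With an argument list and no shell, each list element reaches cp as exactly
    one argument whatever characters it contains, so there is nothing to inject.
    """
    if not USER_RE.fullmatch(user):
        raise ValueError('refusing suspicious user name: %r' % user)
    dest = os.path.join(log_dir, user)
    os.makedirs(dest, exist_ok=True)
    logs = glob.glob(os.path.join(user_home, '*.log'))  # the shell did this before
    if not logs:
        return 0
    return subprocess.run(['cp', '-f', *logs, dest],
                          stderr=subprocess.DEVNULL).returncode


def argv_keeps_payload_literal(user):
    """Show that the argv path treats the payload as data: printf echoes it back unchanged."""
    out = subprocess.run(['printf', '%s', user], capture_output=True, text=True)
    return out.stdout


def demo():
    """Run both variants against an injection payload in a scratch directory tree."""
    root = tempfile.mkdtemp()
    home, logs = os.path.join(root, 'home'), os.path.join(root, 'logs')
    os.makedirs(home)
    os.makedirs(logs)
    with open(os.path.join(home, 'hp-check.log'), 'w') as fh:
        fh.write('constructed sample log line\n')  # constructed input
    marker = os.path.join(root, 'injected')
    # Same shape as the reporter's --user=";xmessage hello #", with xmessage
    # replaced by a command whose side effect we can check on disk.
    payload = '; touch %s #' % marker

    copy_logs_vulnerable(home, logs, payload)
    vulnerable_ran_injected = os.path.exists(marker)
    if vulnerable_ran_injected:
        os.remove(marker)

    try:
        copy_logs_safe(home, logs, payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    rc = copy_logs_safe(home, logs, 'bob')
    copied = rc == 0 and os.path.exists(os.path.join(logs, 'bob', 'hp-check.log'))
    return {
        'vulnerable_ran_injected_command': vulnerable_ran_injected,
        'safe_rejected_payload': safe_rejected,
        'safe_path_ran_injected_command': os.path.exists(marker),
        'logs_copied_safely': copied,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-32s %s' % (key, value))
```

The protection comes from passing an argument list without shell=True; subprocess.Popen() with a list gives the same guarantee as subprocess.run() here, whereas Popen(cmd, shell=True) would be no better than os.system(). Note also that the quoted hplip line redirects stderr to /devnull, a file in the root directory, not to /dev/null; the stand-in uses the intended path. In a real fix the copy does not need a child process at all (shutil.copy) and the user name should be checked against the account database rather than a regex alone.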