Another nice find Bernd, but package names are restricted to include only: lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs, and periods (.). They must be at least two characters long and must start with an alphanumeric character.

https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

Therefore I'm thinking this is a simple programming mistake and not a security bug.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857

Title:
  Possible Shell Code injection when cleaning packages

Status in python2.7 package in Ubuntu:
  New

Bug description:
  pyclean allows injecting shell code when the package filename contains commands.

  Exploit demo which starts the program xeyes:

    $ pyclean -p ";xeyes;.deb"

  Reason: the Python scripts in the debpython folder are calling subprocess with shell=True. Should be False.

  /usr/share/python/debpython/files.py, line 49:

    process = Popen("/usr/bin/dpkg -L %s" % package_name,\
                    shell=True, stdout=PIPE)

  /usr/share/python/debpython/pydist.py, line 157:

    process = Popen("/usr/bin/dpkg -S %s" % query, \
                    shell=True, stdout=PIPE, stderr=PIPE)

  /usr/share/python/debpython/tools.py, line 159:

    cmd = "readelf -Wd '%s'" % fpath
    process = Popen(cmd, stdout=PIPE, shell=True)

  /usr/share/python/debpython/namespace.py, line 108:

    process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
                    ' '.join(removal_candidates), shell=True, stdout=PIPE)

  ------
  Attention: namespace.py may be called when using "apt-get -f remove".
  ------

  This bug was not yet reported to upstream. Please do that for me.
  Thank you :-)
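The hardened form of the `dpkg -L` call quoted in the report, as an added example that is not code from the python2.7 package or from either poster: the command is built as an argument list and run with the default shell=False, and the package name is checked against the Debian Policy rule the reply cites before any process is spawned. PACKAGE_NAME_RE, is_valid_package_name, dpkg_list_argv and list_package_files are names chosen here.

```python
import re
import subprocess

# Debian Policy 5.6.1 (Source / Package fields), as quoted in the reply:
# lower case letters, digits, '+', '-', '.', at least two characters,
# starting with an alphanumeric. Anything else is rejected up front.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def is_valid_package_name(name):
    """Return True only if `name` is a well-formed Debian package name."""
    return PACKAGE_NAME_RE.match(name) is not None


def dpkg_list_argv(package_name):
    """Build argv for `dpkg -L <package>` as a list, never as a string.

    The report's vulnerable form was
        Popen("/usr/bin/dpkg -L %s" % package_name, shell=True, ...)
    where ';', '|', '$(...)' and so on in package_name are interpreted
    by /bin/sh. With an argv list and shell=False the name reaches dpkg
    as one literal argument, so those characters have no special meaning.
    The policy check is an additional layer: malformed names never make
    it to dpkg at all.
    """
    if not is_valid_package_name(package_name):
        raise ValueError("invalid Debian package name: %r" % (package_name,))
    return ["/usr/bin/dpkg", "-L", package_name]


def list_package_files(package_name):
    """Drop-in replacement for the debpython files.py call in the report.

    Returns the file list printed by dpkg, or [] if dpkg fails
    (e.g. the package is not installed).
    """
    process = subprocess.Popen(dpkg_list_argv(package_name),
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)  # shell=False (default)
    out, _ = process.communicate()
    if process.returncode != 0:
        return []
    return out.decode("utf-8", "replace").splitlines()
```

The same pattern applies to the `dpkg -S` and `readelf -Wd` calls in pydist.py, tools.py and namespace.py: pass each name or path as its own argv element and drop shell=True, replacing the `2>/dev/null` redirection with stderr=subprocess.DEVNULL.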