Public bug reported:

Shell commands can be injected when the file ~/.gtk-bookmarks contains, for example, a path like this:

    /temp/$(xeyes)/test/

In the settings of the mate-menu, the option to show the gtk-bookmarks in the places must be checked to make it work. See attached screenshot.

Reason is this os.system call in /usr/share/mate-menu/plugins/places.py:

    ...
    os.system("caja \"%s\" &" % path)
    ...

which would be better replaced with subprocess. Thank you :-)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mate-menu 5.7.1-1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic i686
ApportVersion: 2.20.1-0ubuntu2
Architecture: i386
CurrentDesktop: MATE
Date: Fri May 27 12:30:35 2016
InstallationDate: Installed on 2016-01-10 (137 days ago)
InstallationMedia: Linux 15.10 - Release i386
PackageArchitecture: all
SourcePackage: mate-menu
UpgradeStatus: Upgraded to xenial on 2016-05-07 (20 days ago)

** Affects: mate-menu (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: apport-bug i386 xenial

** Attachment added: "Screenshot"
   https://bugs.launchpad.net/bugs/1586346/+attachment/4671231/+files/Screenshot%20.png

** Attachment removed: "ProcEnviron.txt"
   https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+attachment/4671234/+files/ProcEnviron.txt

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+attachment/4671233/+files/JournalErrors.txt

** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/mate-menu/+bug/1586346/+attachment/4671232/+files/Dependencies.txt

https://bugs.launchpad.net/bugs/1586346

Title:
  Shell injection with a GTK-Bookmark
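The os.system() pattern from the report next to the shell-free replacement the reporter suggests, as an added example that is not mate-menu's own code. It assumes a ~/.gtk-bookmarks line has the form "<uri> [label]", and the launcher name, the helper functions and the sample bookmark lines are constructed here for illustration.

```python
"""Contrast: splicing a bookmark path into a shell command string versus
passing it as one argv element.  Only the shell form interprets $(...),
backticks or a stray double quote inside the path."""
import subprocess
import sys
from urllib.parse import unquote, urlparse

# Constructed sample lines, following the report's example path.
SAMPLE_LINE = "file:///temp/$(xeyes)/test/ injected"
# Benign variant so the shell expansion can be observed without xeyes.
DEMO_PATH = "/temp/$(echo EXPANDED)/test/"


def bookmark_path(line: str) -> str:
    """Convert one ~/.gtk-bookmarks line ("<uri> [label]", assumed) to a path."""
    uri = line.split(" ", 1)[0]
    return unquote(urlparse(uri).path)


def vulnerable_command(path: str) -> str:
    """The string the original places.py hands to os.system(): the path is
    spliced into a shell command line, so the shell expands it first."""
    return "caja \"%s\" &" % path


def safe_argv(path: str, launcher: str = "caja") -> list:
    """argv for subprocess: no shell, so the path is a single literal arg."""
    return [launcher, path]


def open_place(path: str, launcher: str = "caja") -> subprocess.Popen:
    """Launch the file manager detached, replacing the trailing '&'."""
    return subprocess.Popen(safe_argv(path, launcher), start_new_session=True)


def argument_seen_by_child(path: str) -> str:
    """Spawn a throwaway child via argv and return the argument it received."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", path]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


def argument_seen_via_shell(path: str) -> str:
    """Same quoting layout as vulnerable_command(), with printf standing in
    for caja, to show what the shell hands on after expansion."""
    cmd = "printf '%%s' \"%s\"" % path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    path = bookmark_path(SAMPLE_LINE)
    print("shell form :", vulnerable_command(path))
    print("argv form  :", safe_argv(path))
    print("shell sees :", argument_seen_via_shell(DEMO_PATH))
    print("child sees :", argument_seen_by_child(path))
```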