[Bug 1529857] Re: Possible Shell Code injection when cleaning packages

Seth Arnold 1529857 at bugs.launchpad.net
Wed Jan 6 00:47:48 UTC 2016 

Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1529857

Title:
  Possible Shell Code injection when cleaning packages

Status in python2.7 package in Ubuntu:
  New

Bug description:
  pyclean allows to inject shell code when the package filename contains
  commands.

  Exploit Demo which starts the program xeyes :
  $ pyclean -p ";xeyes;.deb"

  Reason :
  The python scripts in the debpython folder are calling subprocess with shell=True.  Should be False.

  /usr/share/python/debpython/files.py      Line 49:
      process = Popen("/usr/bin/dpkg -L %s" % package_name,\
                      shell=True, stdout=PIPE)

  /usr/share/python/debpython/pydist.py    Line 157:
      process = Popen("/usr/bin/dpkg -S %s" % query, \
                      shell=True, stdout=PIPE, stderr=PIPE)

  /usr/share/python/debpython/tools.py      Line  159:
      cmd = "readelf -Wd '%s'" % fpath
      process = Popen(cmd, stdout=PIPE, shell=True)

  /usr/share/python/debpython/namespace.py     Line 108:
          process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \
           '.join(removal_candidates), shell=True, stdout=PIPE)

  ------
  Attention : namespace.py may be called when using "apt-get -f remove".
  ------
  This bug was not yet reported to upstream.
  Please do that for me. Thank you :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions

More information about the foundations-bugs mailing list