Shell Command Injection in install.py of the screenlet package

Bug #1411244 reported by Bernd Dietzel
This bug affects 1 person
Affects: screenlets (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

The install.py script allows shell commands to be injected in multiple ways.
When the user installs new screenlets with the "install" button in the GUI, the install.py script is executed.

## line 77 ##

os.system('tar %s %s -C %s' % (tar_opts, chr(34)+filename+chr(34), tmpdir))

If filename is, for example:

Trash1";xterm;#.tar.gz

this will execute xterm (and maybe as root if the screenlet should be installed system-wide).

## line 78-80 ##

for dd in os.listdir(tmpdir):
 if str(dd).endswith('.theme'):
  os.system('mv ' + tmpdir + ' ' + '/tmp/screenlets/' + dd[:-6])

If an attacker puts any file into the gz-packed screenlet whose file name ends with ".theme", for example

 ;xterm;.theme

this will execute xterm (and maybe as root if the screenlet should be installed system-wide).

So ... please check all the "os.system" calls in install.py.

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: screenlets 0.1.6-0ubuntu2
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.14.7-0ubuntu8
Architecture: i386
Date: Thu Jan 15 14:13:16 2015
InstallationDate: Installed on 2014-11-02 (73 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
PackageArchitecture: all
SourcePackage: screenlets
UpgradeStatus: No upgrade log present (probably fresh install)
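
The two steps quoted in the description (unpack the archive, then move the directory named after the ".theme" file), written so that neither the archive name nor a member name is ever parsed by a shell. This is an added example, not the screenlets project's code or a patch from this report; the function names, the SAFE_NAME allow-list and the member checks are assumptions made for illustration.

```python
import io, os, re, shutil, tarfile, tempfile

# Assumption for this example: screenlet/theme names are plain identifiers.
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]*$')

def extract_archive(filename, tmpdir):
    """Stands in for os.system('tar ...'): the file name never reaches a shell."""
    root = os.path.realpath(tmpdir)
    with tarfile.open(filename) as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError('member escapes target directory: %r' % m.name)
            if not (m.isfile() or m.isdir()):
                raise ValueError('unsupported member type: %r' % m.name)
        # Use the stdlib extraction filter where this Python version has one.
        kwargs = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}
        tar.extractall(root, **kwargs)

def move_theme(tmpdir, dest_root):
    """Stands in for os.system('mv ...'): validate the name, move without a shell."""
    for dd in sorted(os.listdir(tmpdir)):
        if dd.endswith('.theme'):
            name = dd[:-len('.theme')]
            if not SAFE_NAME.match(name):
                raise ValueError('rejected theme name: %r' % dd)
            return shutil.move(tmpdir, os.path.join(dest_root, name))
    return None

def build_sample(workdir, archive_name, member_name):
    """Constructed sample input: a .tar.gz holding one empty file."""
    path = os.path.join(workdir, archive_name)
    with tarfile.open(path, 'w:gz') as tar:
        tar.addfile(tarfile.TarInfo(member_name), io.BytesIO(b''))
    return path

def install(workdir, archive_name, member_name):
    """Run both steps on a constructed archive; return the installed path."""
    tmpdir = tempfile.mkdtemp(dir=workdir)
    dest_root = os.path.join(workdir, 'screenlets')
    os.makedirs(dest_root, exist_ok=True)
    extract_archive(build_sample(workdir, archive_name, member_name), tmpdir)
    return move_theme(tmpdir, dest_root)
```

With the archive name from the report the install completes and the name stays a literal path; with the ".theme" member name from the report, move_theme raises ValueError and nothing is moved.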

Bernd Dietzel (l-ubuntuone1104) wrote :
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in screenlets (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

[Expired for screenlets (Ubuntu) because there has been no activity for 60 days.]

Changed in screenlets (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.