Shell Command Injection in install.py of the screenlet package
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| screenlets (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
The install.py script allows injecting shell commands in multiple ways.
When the user installs new screenlets with the "install" button on the GUI, the install.py script is executed.
## line 77 ##
os.system('tar %s %s -C %s' % (tar_opts, chr(34)
if filename is, for example:
Trash1"
this will execute xterm (and maybe as root if the screenlet is to be installed system-wide).
## line 78-80 ##
for dd in os.listdir(tmpdir):
    if str(dd)
        os.system('mv ' + tmpdir + ' ' + '/tmp/screenlets/' + dd[:-6])
if an attacker puts any file into the gz-packed screenlet whose file name ends with ".theme", for example
;xterm;.theme
this will execute xterm (and maybe as root if the screenlet is to be installed system-wide).
So .... please check install.py for all "os.system" calls it has in it.
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: screenlets 0.1.6-0ubuntu2
ProcVersionSign
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelMo
ApportVersion: 2.14.7-0ubuntu8
Architecture: i386
Date: Thu Jan 15 14:13:16 2015
InstallationDate: Installed on 2014-11-02 (73 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
PackageArchitec
SourcePackage: screenlets
UpgradeStatus: No upgrade log present (probably fresh install)
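As an added illustration (not code from the screenlets project or from this report), the following Python shows why the two os.system calls described above can be hijacked and what a hardened install path looks like: a shell-tokeniser view of the string-built tar command, the equivalent argument list for subprocess where the filename stays one argument, and an extraction-and-move routine that uses the tarfile module and shutil instead of a shell and validates the ".theme" entry name before deriving a directory from it. It goes slightly beyond the report by also refusing archive entries that would land outside the temporary directory. All function names, the name regex and the sample archives are assumptions for the illustration.

```python
import io
import os
import re
import shlex
import shutil
import tarfile
import tempfile

# All names below are hypothetical illustrations, not screenlets' own code.

# Theme file names we are willing to turn into a destination directory name:
# letters, digits, '_' and '-' only, so no shell metacharacters and no '..'.
THEME_NAME_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9_-]*\.theme')


def unsafe_tar_command(tar_opts, filename, tmpdir):
    """The string-building pattern the report describes. Wrapping the name in
    chr(34) quotes does not help when the name itself contains a quote: it
    closes early and the rest of the name is parsed by the shell."""
    return 'tar %s %s -C %s' % (tar_opts, chr(34) + filename + chr(34), tmpdir)


def shell_words(command):
    """Tokenise a command string the way a POSIX shell would, keeping ';', '|'
    and '&' as separate tokens, to show whether a filename became extra commands."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def safe_tar_argv(tar_opts, filename, tmpdir):
    """Argument list for subprocess.run(argv): no shell is involved, so the
    filename is exactly one argument regardless of the characters in it."""
    return ['tar', tar_opts, filename, '-C', tmpdir]


def safe_extract(tar, dest):
    """Extract with the tarfile module (no shell at all) and refuse entries that
    would land outside dest or that are not plain files or directories."""
    dest = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest, target]) != dest:
            raise ValueError('entry escapes extraction dir: %r' % member.name)
        if not (member.isfile() or member.isdir()):
            raise ValueError('unsupported entry type: %r' % member.name)
        tar.extract(member, dest)


def theme_target(dest_root, theme_entry):
    """Validate the '.theme' entry name before deriving the install directory
    from it (the dd[:-6] step of the report) instead of pasting it into 'mv'."""
    if not THEME_NAME_RE.fullmatch(theme_entry):
        raise ValueError('refusing suspicious theme name: %r' % theme_entry)
    target = os.path.join(dest_root, theme_entry[:-6])
    if os.path.exists(target):
        raise FileExistsError('already installed: %s' % target)
    return target


def install_screenlet(archive, dest_root):
    """Hardened counterpart of the install flow: unpack into a fresh temp dir,
    find the .theme entry, validate it, and move the directory with shutil."""
    tmpdir = tempfile.mkdtemp(prefix='screenlet-')
    try:
        with tarfile.open(archive, 'r:gz') as tar:
            safe_extract(tar, tmpdir)
        theme = next((dd for dd in os.listdir(tmpdir) if dd.endswith('.theme')), None)
        if theme is None:
            raise ValueError('no .theme file in archive')
        target = theme_target(dest_root, theme)
        os.makedirs(dest_root, exist_ok=True)
        shutil.move(tmpdir, target)
        return target
    finally:
        # No-op after a successful move; cleans up after any rejection above.
        shutil.rmtree(tmpdir, ignore_errors=True)


def build_sample_archive(path, entry_name, data=b'constructed sample theme'):
    """Constructed test input: a .tar.gz holding a single entry."""
    with tarfile.open(path, 'w:gz') as tar:
        info = tarfile.TarInfo(entry_name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == '__main__':
    work = tempfile.mkdtemp()
    # Archive file name with a quote and ';', the shape of the report's first case.
    archive = build_sample_archive(os.path.join(work, 'Trash1";echo hi;"x.tar.gz'),
                                   'Trash1.theme')
    print(shell_words(unsafe_tar_command('-xzf', archive, work)))
    print(safe_tar_argv('-xzf', archive, work))
    print(install_screenlet(archive, os.path.join(work, 'screenlets')))
    # Entry name from the report's second case: rejected instead of handed to 'mv'.
    bad = build_sample_archive(os.path.join(work, 'bad.tar.gz'), ';xterm;.theme')
    try:
        install_screenlet(bad, os.path.join(work, 'screenlets'))
    except ValueError as err:
        print(err)
```

The tokenised view of the string-built command shows the filename split across several shell commands, while the argv form keeps it intact; in the hardened flow the shell never sees either the archive name or the entry name, and the entry name additionally has to pass an allow-list before it becomes a path component.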
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures