mintInstall possible code execution when Website contains Shell Commands
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Linux Mint | New | Undecided | Unassigned |
Bug Description
If the Website URL of a package contains shell commands, they could possibly be injected and executed by os.system()
Package : mintInstall
Version : 7.6.0
File : /usr/lib/
Line : 1045
    os.system("xdg-open " + self.current_
File : /usr/lib/
Line : 418 ... 424
    def visit_web(widget, model, username):
        if model.selected_
            os.system("sudo -u " + username + " /usr/lib/
    def visit_website(
        if model.selected_
            os.system("sudo -u " + username + " /usr/lib/
Please check for all os.system calls and replace them with subprocess.Popen()
Thank you :-)
information type: Public → Public Security
By the way ... the file linuxmint/mintInstall/remove.py
/usr/lib/
should be updated, too.
It uses a funny mix of unsafe and deprecated Python modules and a "shell=True" for subprocess, which is not necessary.
line 40 : ** unsafe, allows shell injection **
    os.system(command)
line 41: ** deprecated, allows shell injection **
    commands.getoutput( )
line 57: ** shell should be False, not True **
    comnd = Popen(' '.join(cmd), shell=True)
Please update that.
Thanks :-)
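The following is an added illustration, not code from mintInstall or from the reporter: it shows the string-built os.system() pattern named in the bug description beside the argument-list form the report asks for, and a small ast-based audit that lists the call patterns named in the second comment (os.system, commands.getoutput, and subprocess calls with shell=True). The URL, the username, the helper script path and the audited source text are constructed sample values; xdg-open is assumed as the opener because the report quotes it, but the demonstration runs the Python interpreter as a harmless stand-in so it works offline.

```python
"""Added example (not mintInstall's code): shell-string concatenation versus
an argv list, plus an ast audit for the call patterns named in the report."""
import ast
import shlex
import subprocess
import sys

# Constructed sample: the website string comes from package metadata, so a
# shell metacharacter in it has to be treated as plain text, never as syntax.
SAMPLE_URL = "http://example.invalid/pkg; echo injected"


def unsafe_open_command(url):
    """The concatenation the report quotes: os.system("xdg-open " + url).
    This only builds the string; it is deliberately never given to a shell."""
    return "xdg-open " + url


def safe_open_argv(url):
    """Argument list for subprocess: the URL is exactly one argv entry, so no
    shell ever parses the ';'. (xdg-open assumed, as on the page.)"""
    return ["xdg-open", url]


def safe_sudo_argv(username, script, url):
    """Argv-list form of the quoted os.system("sudo -u " + username + ...).
    `script` is a placeholder for the truncated /usr/lib/ path on the page."""
    return ["sudo", "-u", username, script, url]


def argv_preserves_url(url):
    """Run a harmless stand-in for xdg-open (the interpreter itself) with the
    argv-list form and return what the child process saw as its argument."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", url],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def shell_safe_command(url):
    """If a shell string is truly unavoidable, shlex.quote turns the URL into
    a single shell word so metacharacters inside it stay literal."""
    return "xdg-open " + shlex.quote(url)


# Constructed source text resembling the three patterns listed for remove.py.
SAMPLE_SOURCE = '''
import os, commands, subprocess
from subprocess import Popen
def run(cmd):
    os.system(cmd)
    out = commands.getoutput(cmd)
    comnd = Popen(' '.join(cmd), shell=True)
    ok = Popen(cmd)
'''

SUBPROCESS_NAMES = ("Popen", "call", "run", "check_call", "check_output")


def _dotted(func):
    """Render a call target like os.system as a dotted name, else None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return base + "." + func.attr if base else None
    return None


def audit_shell_calls(source):
    """Return (line, description) for every os.system / commands.getoutput
    call and every subprocess-style call passing shell=True, sorted by line.
    This is the check the reporter asks for ("check for all os.system calls")."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in ("os.system", "commands.getoutput"):
            findings.append((node.lineno, name))
        elif name and (name.startswith("subprocess.") or name in SUBPROCESS_NAMES):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, name + " shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    print("unsafe string :", unsafe_open_command(SAMPLE_URL))
    print("argv list     :", safe_open_argv(SAMPLE_URL))
    print("child saw     :", argv_preserves_url(SAMPLE_URL))
    print("quoted string :", shell_safe_command(SAMPLE_URL))
    for line, what in audit_shell_calls(SAMPLE_SOURCE):
        print(f"line {line}: {what}")
```

The argv list is the fix the report asks for: `Popen(cmd)` with `cmd` already a list, rather than `Popen(' '.join(cmd), shell=True)`, which rebuilds a shell string and reintroduces the injection. The audit only recognises the spellings the report names and a direct `shell=True` literal; aliased imports or a variable holding `True` would need a broader check.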