Shell Command Injection in logcapture.py

Bug #1460413 reported by Bernd Dietzel
Affects: hplip (Ubuntu) | Status: Confirmed | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

File :
/usr/share/hplip/logcapture.py

is vulnerable to shell command injection attacks

for example :

sudo python logcapture.py --user=";xmessage hello #"

This will run the program "xmessage" as root after you have answered the few questions which the python script asks.

The reason is that the whole hplip-data package is full of old "os.system" calls and some similar shell calls like this one here :

for u in USERS:
    sts = os.system('cp -f %s/*.log %s/%s 2>/devnull '%(USERS[u],LOG_FILES,u))

... and some like this ...

utils.run()

.... and some like that ...

os_utils.execute()

... which call os.system, too.

Please check all the python scripts in the hplip-data package for these sorts of calls : os.system , utils.run() , execute()

Replace them with subprocess.Popen() calls.

Thank you :-)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: hplip-data 3.15.2-0ubuntu4.1
ProcVersionSignature: Ubuntu 3.19.0-18.18-generic 3.19.6
Uname: Linux 3.19.0-18-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
CupsErrorLog:

CurrentDesktop: KDE
Date: Sun May 31 13:36:45 2015
InstallationDate: Installed on 2015-05-15 (15 days ago)
InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
Lpstat: device for HP_Deskjet_2540_series: hp:/usb/Deskjet_2540_series?serial=CN52E5F0W10604
PackageArchitecture: all
Papersize: a4
PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/HP_Deskjet_2540_series.ppd'] failed with exit code 2: grep: /etc/cups/ppd/HP_Deskjet_2540_series.ppd: Permission denied
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-18-generic root=UUID=182e9546-7ed3-47f6-8b0d-caffb14cc976 ro quiet splash
SourcePackage: hplip
UdevLog: Error: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/var/log/udev'
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/05/2009
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 080015
dmi.board.name: GeForce 8000 series
dmi.board.version: 1.0
dmi.chassis.type: 3
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd11/05/2009:svn:pnGeForce8000series:pvr1.0:rvn:rnGeForce8000series:rvr1.0:cvn:ct3:cvr:
dmi.product.name: GeForce 8000 series
dmi.product.version: 1.0
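Added example, not hplip's own code: the os.system pattern quoted in the report rebuilt as a string (returned, never executed) next to a shell-free replacement using subprocess with an argv list, as the report asks for. The function names, the temporary directories and the "hp-check.log" sample file are constructed for this illustration; the replacement uses Python 3's subprocess.run rather than Popen directly.

```python
import glob
import os
import subprocess
import tempfile


def vulnerable_command(user, home, log_dir):
    """The pattern from the report, rebuilt as a string and NOT executed.
    Interpolating user input into a shell string lets a value such as
    ';xmessage hello #' terminate cp and start a second command."""
    return 'cp -f %s/*.log %s/%s 2>/dev/null ' % (home, log_dir, user)


def copy_user_logs(users, log_dir):
    """Hardened replacement. No shell is involved: the glob is expanded in
    Python, cp receives an argv list, '--' ends option parsing so a log
    name starting with '-' cannot become a flag, and the user name is
    checked so it can only ever be a single path component."""
    copied = {}
    for user, home in users.items():
        if not user or os.sep in user or user in (".", ".."):
            raise ValueError("refusing suspicious user name: %r" % user)
        dest = os.path.join(log_dir, user)
        os.makedirs(dest, exist_ok=True)
        logs = sorted(glob.glob(os.path.join(home, "*.log")))
        if logs:
            # argv list: shell metacharacters in any element are inert
            subprocess.run(["cp", "-f", "--", *logs, dest], check=True)
        copied[user] = [os.path.basename(p) for p in logs]
    return copied


def demo(user=";xmessage hello #"):
    """Constructed input: one log file in a temporary home directory,
    copied for a user whose name carries the payload from the report."""
    home = tempfile.mkdtemp()
    log_dir = tempfile.mkdtemp()
    with open(os.path.join(home, "hp-check.log"), "w") as fh:
        fh.write("sample line\n")
    cmd = vulnerable_command(user, home, log_dir)
    result = copy_user_logs({user: home}, log_dir)
    landed = os.path.isfile(os.path.join(log_dir, user, "hp-check.log"))
    return cmd, result, landed


if __name__ == "__main__":
    cmd, result, landed = demo()
    print("shell string the old code would run:", cmd)
    print("copied without a shell:", result, "file present:", landed)
```

With the argv form the payload ends up as a literal directory name under log_dir instead of a second command, which is the whole difference between the two functions.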

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :
Changed in hplip (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
information type: Private Security → Public Security