Cinnamon: Command Injection with a wallpaper picture

Bug #1502424 reported by Bernd Dietzel
Affects: Linux Mint
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

LinuxMint with Cinnamon Desktop

cs_backgrounds.py, line 385, is vulnerable to shell code injections.

    if commands.getoutput("file -bi \"%s\"" % filename).startswith("image/"):
        picture_list.append({"filename": filename})

If you change a wallpaper picture's name to another name which contains a shell command,
the command will run when you try to change the wallpapers in the settings.

https://github.com/linuxmint/Cinnamon/issues/4658
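
Added example (not part of the original report and not the Cinnamon project's code): one way to make the same file(1) check without a shell, written for Python 3, passing the file name as a single argv element so nothing in it is interpreted. The names mime_type, is_image, ECHO_STUB and SAMPLE_NAME are hypothetical, and the sample file name is constructed.

```python
import subprocess
import sys

# Argument vector for file(1); "--" ends option parsing, so a name that
# starts with "-" is still treated as a file name.
FILE_CMD = ("file", "-bi", "--")


def mime_type(filename, file_cmd=FILE_CMD):
    """Return the tool's output for `filename`, or "" if it cannot be run.

    The name is one argv element and no shell is started, so quotes, ";",
    "$(...)" and backticks inside it are never interpreted.
    """
    argv = list(file_cmd) + [filename]
    try:
        result = subprocess.run(argv, stdout=subprocess.PIPE,
                                stderr=subprocess.DEVNULL,
                                universal_newlines=True, timeout=5)
    except (OSError, ValueError, subprocess.TimeoutExpired):
        return ""
    return result.stdout.strip()


def is_image(filename, file_cmd=FILE_CMD):
    """True only when the reported MIME type starts with "image/"."""
    return mime_type(filename, file_cmd).startswith("image/")


# Stand-in for file(1) (assumption: lets the check below run on a machine
# without file(1)). It writes its last argument back exactly as received.
ECHO_STUB = (sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[-1])", "--")

# Constructed file name containing shell metacharacters.
SAMPLE_NAME = 'beach "sunset"; $(echo x) `echo y`.jpg'


def self_check():
    # The name must reach the child process unchanged, as one argument.
    return mime_type(SAMPLE_NAME, ECHO_STUB) == SAMPLE_NAME


if __name__ == "__main__":
    print("name passed through unchanged:", self_check())
```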

information type: Private Security → Public Security