Python ctypes.util, Shell Injection in find_library()

Bug #1512068 reported by Bernd Dietzel
This bug affects 1 person
Affects             | Status       | Importance | Assigned to  | Milestone
Python              | Fix Released | Unknown    |              |
python2.7 (Ubuntu)  | Fix Released | High       | Unassigned   |
Xenial              | Fix Released | Undecided  | Brian Morton |

Bug Description

https://github.com/Legrandin/ctypes/issues/1

The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov 1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
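
Added example (not part of the original report and not the Python project's patch): the difference between splicing a library name into a shell command line, as the os.popen() calls described above do, and passing it as one argv element, plus a name check that can sit in front of find_library() on interpreters that may lack the fix. The helper names, the allowlist regex and the echo command standing in for the real gcc/ldconfig calls are assumptions of this example; it targets Python 3.7+.

```python
import re
import subprocess
from ctypes.util import find_library

# Allowlist chosen for this example (an assumption): letters, digits and . _ + -
# Every character named in the report (; | ` < > $ &) is rejected, as are
# spaces, quotes and parentheses.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*\Z")


def is_safe_library_name(name):
    """True only for names built from the allowlisted characters."""
    return isinstance(name, str) and _SAFE_NAME.match(name) is not None


def guarded_find_library(name, finder=find_library):
    """Reject suspicious names before they can reach any shell command."""
    if not is_safe_library_name(name):
        raise ValueError("rejected library name: %r" % (name,))
    return finder(name)


def echo_via_shell(name):
    """Pre-fix pattern: the name is spliced into a string parsed by /bin/sh."""
    cmd = "echo lib%s.so" % name
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def echo_via_argv(name):
    """Fixed pattern: argv list, no shell, the name stays one argument."""
    out = subprocess.run(["echo", "lib%s.so" % name],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    probe = "m; echo MARKER"  # constructed, harmless input
    print(echo_via_shell(probe))   # the shell splits this into two commands
    print(echo_via_argv(probe))    # one command, one literal argument
    print(is_safe_library_name(probe), is_safe_library_name("stdc++"))
```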

Bernd Dietzel (l-ubuntuone1104) wrote :
Dimitri John Ledkov (xnox) wrote :

marking as security.

information type: Public → Private Security
Bernd Dietzel (l-ubuntuone1104) wrote :

My patch, which works with all Python versions of the util.py script.

( because the python2 version in /usr/lib/python2.7/ctypes/util.py has no "import subprocess" at the moment for some reason )

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Please report this issue to the upstream Python developers, and link the upstream bug here. Thanks!

Bernd Dietzel (l-ubuntuone1104) wrote :

reported to upstream.
http://bugs.python.org/issue25751

Bernd Dietzel (l-ubuntuone1104) wrote :

Seems the bug is already known and fixed since 2014 but did not find its way to the Ubuntu repos.
http://bugs.python.org/issue22636

information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in python2.7 (Ubuntu):
importance: Undecided → High
Dimitri John Ledkov (xnox) wrote :

upstream only fixed this in 3.5 which we do carry, but not other release series.

It's not that "ubuntu didn't pick up the fix", it's the upstream that didn't apply in all applicable release series.

commented on your bug report.

Changed in python:
status: Unknown → New
Changed in python:
status: New → Fix Released
Changed in python2.7 (Ubuntu):
status: New → Confirmed
Changed in python2.7 (Ubuntu):
assignee: nobody → Brian Morton (rokclimb15)
Brian Morton (rokclimb15) wrote :

Attached is a debdiff for trusty. If someone could please review and provide feedback, I'll produce additional ones for precise, xenial, yakkety, and zesty

Matthias Klose (doko) wrote :

fixed in zesty and newer releases

Changed in python2.7 (Ubuntu):
status: Confirmed → Fix Released
Changed in python2.7 (Ubuntu Xenial):
assignee: nobody → Brian Morton (rokclimb15)
Changed in python2.7 (Ubuntu):
assignee: Brian Morton (rokclimb15) → nobody
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Bernd, or anyone else affected,

Accepted python2.7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python2.7 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Matthias Klose (doko) wrote :

exploits don't work anymore in the proposed python2.7 update to xenial.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.12-1ubuntu0~16.04.3

---------------
python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts.
    LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with
    ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose <email address hidden> Mon, 04 Dec 2017 15:50:18 +0100

Changed in python2.7 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for python2.7 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This report contains Public Security information  
Everyone can see this security related information.
