dsextras.py : Shell Command Injection with a pkg name

Bug #1513964 reported by Bernd Dietzel
This bug affects 1 person
Affects: pygobject-2 (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Exploit screenshot attached.

The "dsextras.py" script is vulnerable in multiple functions to code injection through the "name" of a pkg.

The script uses old and deprecated Python functions which are a security risk:

commands.getstatusoutput()
os.system()
os.popen()

Please use the subprocess module instead!

Exploit example which runs an xmessage command
======================================

theregrunner@1510:~$ cd /usr/lib/python2.7/dist-packages/gtk-2.0/
theregrunner@1510:/usr/lib/python2.7/dist-packages/gtk-2.0$ python
Python 2.7.10 (default, Oct 14 2015, 16:09:02)
[GCC 5.2.1 20151010] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import dsextras
>>> dsextras.pkgc_get_version('fontutil;xmessage "hello bug"')
'1.3.1'

=======================================

This bug also affects the ".so" files in the gtk-2.0 folder:
atk.so
gtkunixprint.so
pangocairo.so
pango.so

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: python-gobject-2 2.28.6-12build1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
Date: Fri Nov 6 21:36:38 2015
InstallationDate: Installed on 2015-10-22 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: pygobject-2
UpgradeStatus: No upgrade log present (probably fresh install)
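As an added example (not part of the report above and not pygobject's own code), the pattern the report describes beside the subprocess-based replacement it asks for. The vulnerable helper is modelled on the shape of dsextras.pkgc_get_version(), a pkg-config command string built by %-formatting and handed to the shell; the name-validation regex and the helper names validate_pkg_name, pkgc_argv and pkgc_get_version_safe are assumptions made for this example. The payload is the same shape as the one in the report but uses echo instead of xmessage so it runs without a display, and pkg-config does not need to be installed for the injection to show up: the shell runs the injected command whether or not the first one succeeds.

```python
"""Added example: shell injection through a pkg-config module name, and a
hardened replacement.  Not pygobject's code; the vulnerable function only
mirrors the shape of dsextras.pkgc_get_version()."""
import re
import subprocess

# Constructed payload for this example: same structure as the report's
# 'fontutil;xmessage "hello bug"', but echo works on a headless box.
INJECTED_NAME = 'fontutil; echo INJECTED'


def pkgc_get_version_vulnerable(name):
    """Shape of the original: the name is interpolated into a command string
    that a shell parses (commands.getoutput on Python 2, subprocess.getoutput
    on Python 3).  ';', '|', '$(...)' etc. inside `name` are executed."""
    return subprocess.getoutput('pkg-config --modversion %s' % name)


# Assumption for this example: pkg-config module names consist of letters,
# digits and a few punctuation characters (e.g. "gtk+-2.0", "pygobject-2.0").
# Adjust to the names your build actually uses, but keep it a whitelist.
_PKG_NAME_RE = re.compile(r'^[A-Za-z0-9_.+-]+$')


def validate_pkg_name(name):
    """Reject anything that is not a plain pkg-config module name."""
    if not _PKG_NAME_RE.match(name):
        raise ValueError('invalid pkg-config module name: %r' % name)
    return name


def pkgc_argv(name):
    """argv for pkg-config with no shell involved: the whole name is one
    argument, so quotes, spaces and ';' inside it are never interpreted."""
    return ['pkg-config', '--modversion', validate_pkg_name(name)]


def pkgc_get_version_safe(name):
    """Hardened replacement: validated name, list-form argv, shell=False.
    Returns the version string, or None when pkg-config is not installed or
    the module is unknown (the original returned pkg-config's error text)."""
    try:
        proc = subprocess.run(pkgc_argv(name), stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.decode().strip()


if __name__ == '__main__':
    # The injected echo runs even though 'fontutil' is not a real module.
    print('vulnerable output:', pkgc_get_version_vulnerable(INJECTED_NAME))
    print('argv shape       :', pkgc_argv('gtk+-2.0'))
    try:
        pkgc_get_version_safe(INJECTED_NAME)
    except ValueError as exc:
        print('safe version     :', exc)
```

Two layers do the work: the list-form argv alone already stops the shell from seeing the metacharacters, and the whitelist on top of it means a name such as the report's payload is refused before any process is spawned rather than passed to pkg-config as an odd-looking module name. The same substitution applies to the os.system() and os.popen() call sites the report lists.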

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :
information type: Private Security → Public Security
Changed in pygobject-2 (Ubuntu):
status: New → Confirmed
Changed in pygobject-2 (Ubuntu):
importance: Undecided → Low
This report contains Public Security information.
