LinuxMint uses insecure and depreached python commands in allmost all of his scripts.
For example :
1) os.system() calls which allow shell injections
2) commands module calls which allows shell command injections
3) Popen calls which may allow shell code injections
Find a list of exploit demos in my launchpad bug report list.
https://bugs.launchpad.net/~l-ubuntuone1104/+bugs
Because it is not possible for me to write a bug report and exploit demo for each and every injection ,
I would like to suggest linuxmint to check all of his scripts critical.
Here are only a few (impossible to post them all) examples they should have a look on.
1) os.system() calls which allow shell injections
/usr/lib/linuxmint/mintNanny/mintNanny.py:66: os.system("echo \"" + domain + "\" >> /etc/hosts")
/usr/lib/linuxmint/mintNanny/mintNanny.py:73: os.system("sed '/" + domain + "/ d' /etc/hosts > /tmp/hosts.mintNanny")
/usr/lib/linuxmint/mintDrivers/mintDrivers.py:99: os.system("sudo apt-cdrom -d \"%s\" -m add" % mount_point)
/usr/lib/linuxmint/mintBackup/mintBackup.py:1465: os.system("chmod a+rw " + os.path.join(self.package_dest, filename))
/usr/lib/linuxmint/mintInstall/mintInstall.py:387: os.system("sudo -u " + username + " /usr/lib/linuxmint/common/launch_browser_as.py \"" + link + "\"")
/usr/lib/linuxmint/mintInstall/mintInstall.py:390: os.system("/usr/bin/mint-search-apt " + textfield.get_text() + " &")
/usr/lib/linuxmint/mintInstall/mintinstall.py:1045: os.system("xdg-open " + self.current_package.pkg.candidate.homepage + " &")
/usr/lib/linuxmint/mintUpdate/mintUpdate.py:462: os.system(command)
/usr/lib/linuxmint/mintUpdate/mintUpdate.py:1999: os.system("echo \"%s\" >> %s/mintupdate.ignored" % (pkg, CONFIG_DIR))
/usr/lib/linuxmint/mintUpdate/rel_upgrade.py:237: os.system("gsettings set %s false" % screensaver_setting)
/usr/lib/linuxmint/common/launch_browser_as.py:16:os.system(browser + " &")
/usr/lib/linuxmint/common/mint-remove-application.py:62: os.system("rm -f '%s'" % self.desktopFile)
/usr/lib/linuxmint/mintWelcome/mintWelcome.py:219: os.system("xdg-open apt://%s?refresh=yes &" % self.codec_pkg_name)
/usr/lib/linuxmint/mintUpload/mintUploadCore.py:313: os.system("mkdir -p " + path)
/usr/lib/linuxmint/mintUpload/mintUploadCore.py:365: os.system("mv '" + self.filename + "' '" + newname + "'")
/usr/lib/linuxmint/mintUpload/mintUpload.py:30: os.system("notify-send \"" + _("Upload Manager") + "\" \"" + message + "\" -i /usr/lib/linuxmint/mintUpload/icon.svg -t " + str(timeout))
/usr/lib/linuxmint/mintUpload/mintUpload.py:229: os.system("notify-send \"" + _("Unknown service: %s") % service_name + "\"")
/usr/lib/linuxmint/mintUpload/file-uploader.py:214: os.system("mintupload \"" + self.service['name'] + "\" " + " ".join(filenames) + " &")
/usr/lib/linuxmint/mintSystem/mint-adjust.py:51: os.system(full_path)
/usr/lib/linuxmint/mintSystem/mint-adjust.py:96: os.system("cp " + source + " " + matching_destination)
/usr/lib/linuxmint/mintSystem/mint-adjust.py:169: os.system("cat \"%s\" >> \"%s\"" % (names_file, desktop_file))
/usr/lib/linuxmint/mintSources/mintSources.py:67: os.system("apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys %s" % short_key)
/usr/lib/linuxmint/mintSources/mintSources.py:877: os.system("apt-key add %s" % dialog.get_filename())
/usr/lib/linuxmint/mintSources/mintSources.py:887: res = os.system("apt-key adv --keyserver keyserver.ubuntu.com --recv-keys %s" % line)
/usr/lib/linuxmint/mintSources/mintSources.py:1009: os.system("/usr/lib/linuxmint/mintSources/ppa_browser.py %s %s %s" % (ppa_owner, ppa_name, self._main_window.window.xid))
/usr/lib/linuxmint/mintInstall/remove.py:40: os.system(command)
/usr/lib/linuxmint/mintInstall/remove.py:72: os.system("cp " + self.mintFile + " " + directory + "/file.mint")
/usr/lib/linuxmint/mintInstall/frontend.py:231: os.system(command)
/usr/lib/linuxmint/mintInstall/frontend.py:306: os.system("cp " + model.selected_application.mint_file + " " + directory + "/file.mint")
/usr/lib/linuxmint/mintInstall/frontend.py:424: os.system("sudo -u " + username + " /usr/lib/linuxmint/common/launch_browser_as.py \"" + model.selected_application.website + "\"")
/usr/lib/linuxmint/mintInstall/frontend.py:990: os.system("wget -nc -O" + category.key + " " + category.logo)
/usr/lib/linuxmint/mintInstall/frontend.py:1040: os.system("wget -nc -O" + screen_item + " -T10 \"" + screen_img + "\"")
2) depreached command module calls which may allow shell command injections :
/usr/lib/linuxmint/mintSources/ppa_browser.py:69: packages = commands.getoutput("grep 'Package:' %s | sort | awk {'print $2;'}" % ppa_file).split("\n")
/usr/lib/linuxmint/mintUpdate/mintUpdate.py:322: warnings = commands.getoutput("/usr/lib/linuxmint/mintUpdate/checkWarnings.py %s" % pkgs)
/usr/lib/linuxmint/common/mint-remove-application.py:54: (status, output) = commands.getstatusoutput("dpkg -S " + self.desktopFile)
/usr/lib/linuxmint/common/mint-remove-application.py:78: dependenciesString = commands.getoutput("apt-get -s -q remove " + package + " | grep Remv")
/usr/lib/linuxmint/mintBackup/mintBackup.py:1450: filename = "software_selection_%s@%s" % (commands.getoutput("hostname"), filetime)
/usr/lib/linuxmint/mintWifi/mintWifi.py:28: pci_id_line = commands.getoutput("lspci -n | grep " + deviceArray[0])
/usr/lib/linuxmint/mintSystem/mint-adjust.py:91: matching_destinations = commands.getoutput("find " + destination)
/usr/lib/linuxmint/mintSources/foreign_packages.py:97: if commands.getoutput("dpkg --compare-versions %s gt %s && echo 'OK'" % (version.version, best_version.version)) == "OK":
/usr/lib/linuxmint/mintInstall/mintinstall.py:116: numlines = int(commands.getoutput("cat " + reviews_path + " | wc -l"))
/usr/lib/linuxmint/mintInstall/remove.py:74: appName = commands.getoutput("cat " + directory + "/name")
/usr/lib/linuxmint/mintInstall/remove.py:120: dependenciesString = commands.getoutput("apt-get -s -q remove " + package + " | grep Remv")
/usr/lib/linuxmint/mintInstall/frontend.py:308: steps = int(commands.getoutput("ls -l " + directory + "/steps/ | wc -l"))
/usr/lib/linuxmint/mintInstall/frontend.py:965: numItems = commands.getoutput("grep -c \"<item\" " + fileName)
3) subprocess.Popen calls which may allow shell code injections (shell should be = false)
/usr/lib/linuxmint/mintUpdate/rel_upgrade_root.py:43:comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintUpdate/rel_upgrade_root.py:85:comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintUpdate/checkAPT.py:44: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintUpdate/mintUpdate.py:272: comnd = Popen(' '.join(cmd), stdout=log, stderr=log, shell=True)
/usr/lib/linuxmint/mintUpdate/mintUpdate.py:436: comnd = Popen(' '.join(cmd), stdout=log, stderr=log, shell=True)
/usr/lib/linuxmint/mintUpdate/rel_upgrade.py:184: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintUpdate/rel_upgrade.py:240: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/common/mint-remove-application.py:45: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintBackup/mintBackup.py:1371: p = subprocess.Popen("aptitude search ~M", shell=True, stdout=subprocess.PIPE)
/usr/lib/linuxmint/mintBackup/mintBackup.py:1601: comnd = subprocess.Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintSources/ppa_browser.py:129: comnd = Popen(' '.join(cmd), stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
/usr/lib/linuxmint/mintSources/mintSources.py:1247: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintInstall/mintInstall.py:101: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintInstall/remove.py:57: comnd = Popen(' '.join(cmd), shell=True)
/usr/lib/linuxmint/mintInstall/frontend.py:513: comnd = Popen(' '.join(cmd), shell=True)
4) Please also check for os.popen() ; os.popen2() ; os.popen3() calls which allow shell injections.
Thank you.
Here are some LinuxMint Code injection examples.
I have allready reported themand some of them have been fixed.
#1460835 MintNanny Executes Code in Domain Name Strings settings- users.py
#1462313 MintBackup executes Code when package_dest Path contains Shell commands
#1502424 Cinnamon : Command Injection with a wallpaper picture
#1502420 Shell Command Injection when changing emblem with nemo
#1477344 mintlocale allows Shell Command Injection
#1499056 Code injection in cinnamon-
#1502498 mintdrivers : Shell Command Injection (fake Live Media)
#1504270 mintSources : Shell Injection when import a key file
#1460775 Shell Command Injection in mintstick Volume Label
#1458189 mintInstall possible code execution when Website contains Shell Commands
But as i said before, i can not make a bug report and demo for each script.
So this is a "global warnig" issue because Linux excessive use insecure api calls by default.