dialog.pl allows injection of shell code

Bug #1598438 reported by Bernd Dietzel
This bug affects 1 person
Affects: dialog (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

File: /usr/share/perl5/dialog.pl

Lines 25, 42, 62, 77:
system("dialog --title \"$title\" --textbox $file $height $width");

The Perl script "dialog.pl" uses the system() command,
so shell code in a path and/or file name could be executed.

For example, as in this Perl demo script:

require "dialog.pl";
rhs_textbox("Demo",";xeyes;#.txt","100","100");

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: dialog 1.2-20130928-1
ProcVersionSignature: Ubuntu 3.19.0-32.37~14.04.1-generic 3.19.8-ckt7
Uname: Linux 3.19.0-32-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat Jul 2 15:44:59 2016
InstallationDate: Installed on 2016-06-18 (14 days ago)
InstallationMedia: Linux Mint 17.3 "Rosa" - Release amd64 20151128
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: dialog
UpgradeStatus: No upgrade log present (probably fresh install)
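
Added example, not part of the bug report and not the dialog package's code: the single-string system() call quoted above next to a list-form call that never involves /bin/sh. The names textbox_argv and safe_textbox are hypothetical, and the Perl interpreter stands in for dialog so the script runs without dialog installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent and child output in order

# Hypothetical replacement for the textbox call quoted in the report:
# build an argument list rather than a shell command string.
sub textbox_argv {
    my ($title, $file, $height, $width) = @_;
    for my $n ($height, $width) {
        # Geometry is numeric; refuse anything that is not a plain integer.
        die "height/width must be non-negative integers\n"
            unless defined $n && $n =~ /\A[0-9]+\z/;
    }
    return ('dialog', '--title', $title, '--textbox', $file, $height, $width);
}

# Not called below, because dialog may not be installed where this is run.
sub safe_textbox {
    my @argv = textbox_argv(@_);
    # Block + LIST form: Perl calls execvp() directly and never starts /bin/sh,
    # so metacharacters in $title or $file are not interpreted.
    my $rc = system { $argv[0] } @argv;
    die "cannot run dialog: $!\n" if $rc == -1;
    return $rc >> 8;
}

# Constructed input: the file name from the demo script in the report.
my @in = ('Demo', ';xeyes;#.txt', '100', '100');

# What the reported line hands to /bin/sh (printed only, never executed).
my ($title, $file, $height, $width) = @in;
print "string form : dialog --title \"$title\" --textbox $file $height $width\n";

# What the list form hands to the child process. The Perl interpreter stands
# in for dialog and prints each argument it receives, one per line.
my @argv = textbox_argv(@in);
print "list form   :\n";
system { $^X } $^X, '-e', 'print "  [$_]\n" for @ARGV', '--', @argv[1 .. $#argv];
```

In the list form the file name arrives as one unmodified argument, so the child would only try to open a file with that literal name.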
