dialog.pl allows to inject shell code
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dialog (Ubuntu) | New | Undecided | Unassigned |
Bug Description
File : /usr/share/
Line 25, 42, 62, 77 :
system("dialog --title \"$title\" --textbox $file $height $width");
The Perl script "dialog.pl" uses the system() command.
So shell code in a path and/or file name could be executed.
For example, like in this Perl demo script:
require "dialog.pl";
rhs_textbox(
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: dialog 1.2-20130928-1
ProcVersionSign
Uname: Linux 3.19.0-32-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat Jul 2 15:44:59 2016
InstallationDate: Installed on 2016-06-18 (14 days ago)
InstallationMedia: Linux Mint 17.3 "Rosa" - Release amd64 20151128
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: dialog
UpgradeStatus: No upgrade log present (probably fresh install)
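
The call quoted in the report, rewritten in list form so that no shell parses the title or file name. This is an added example, not code from the bug report or from the dialog package: `textbox_argv` and `safe_textbox` are hypothetical names, and the file name at the bottom is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build the argument vector for "dialog --textbox" (hypothetical helper).
# Each value becomes exactly one argv element, whatever characters it holds.
sub textbox_argv {
    my ($title, $file, $height, $width) = @_;

    # Geometry must be plain integers; reject anything else up front.
    for my $n ($height, $width) {
        die "geometry must be a non-negative integer\n"
            unless defined $n && $n =~ /\A\d+\z/;
    }

    # Defensive assumption: a relative name starting with '-' might be
    # taken for an option, so anchor it to the current directory.
    $file = "./$file" if $file =~ /\A-/;

    return ('dialog', '--title', $title, '--textbox', $file, $height, $width);
}

# Hardened counterpart of system("dialog --title \"$title\" ...").
# The block form of system() always execs the program directly and never
# hands the arguments to /bin/sh, even if the list had a single element.
sub safe_textbox {
    my @argv = textbox_argv(@_);
    my $rc = system { $argv[0] } @argv;
    return $rc == 0;
}

# Constructed sample: a file name containing shell metacharacters.
# Printing the vector shows it stays one argument; safe_textbox() is not
# called here because it needs dialog and a terminal.
my @argv = textbox_argv('Log viewer', 'notes; echo INJECTED', 20, 70);
printf "argv[%d] = <%s>\n", $_, $argv[$_] for 0 .. $#argv;
```

With the single-string form from the report, the same file name would be split by `/bin/sh` at the `;`; in list form it reaches dialog as one path that simply fails to open.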