Shell injection in trash deletion via specially crafted filenames

Bug #1716269 reported by James Lu
Affects: Variety
Status: Fix Released
Importance: High
Assigned to: James Lu

Bug Description

Steps to reproduce:

1) Rename any image to the format 'test";"<command name>";".png' (e.g. test";"galculator";".png) and set it as wallpaper.
2) Attempt to delete the wallpaper via "Delete to Trash" in the Variety indicator menu.
3) The code nested in the command name will trigger 3 times as each trash command fails, as it is passed an incomplete filename.

Fortunately, the security impact of this bug is low because it requires user intervention and a weird filename in the first place. This is fixed in commit https://bazaar.launchpad.net/~variety/variety/trunk/revision/614 and will be present in the next release.
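
The quoting failure described in the steps above, as an added example (not Variety's code and not the fix from the linked commit): a filename in the report's format is passed to a stand-in command three ways. The `printf` stand-in for the trash utility, the function names and the use of `echo` as the command name are assumptions made for illustration.

```python
import shlex
import subprocess

# Constructed filename in the report's format, with the harmless shell
# builtin `echo` standing in for <command name>.
CRAFTED = 'test";"echo";".png'

# Stand-in for the trash utility (assumption: the page does not show
# Variety's real command lines). It only prints the argument it received.
FORMAT = r"trash got: %s\n"


def run(cmd, shell):
    """Run cmd, capturing output so the caller can inspect what happened."""
    return subprocess.run(cmd, shell=shell, capture_output=True, text=True)


def trash_unsafe(filename):
    # 'Before' pattern: the name is pasted between double quotes in a shell
    # string, so a '"' inside it closes the quoting and ';' starts a new command.
    return run(f"printf '{FORMAT}' \"{filename}\"", shell=True)


def trash_argv(filename):
    # Hardened: no shell at all; the name is a single argv element.
    return run(["printf", FORMAT, filename], shell=False)


def trash_quoted(filename):
    # If a shell cannot be avoided, quote the name with shlex.quote().
    return run(f"printf '{FORMAT}' {shlex.quote(filename)}", shell=True)


if __name__ == "__main__":
    for fn in (trash_unsafe, trash_argv, trash_quoted):
        result = fn(CRAFTED)
        print(f"{fn.__name__}: rc={result.returncode} stdout={result.stdout!r}")
```

In the unsafe variant the stand-in receives only `test`, the incomplete filename the report mentions, and the shell then runs the embedded command name as a separate command.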

Tags: security
James Lu (jlu5)
tags: removed: shell-injection
Changed in variety:
milestone: none → 0.6.6
James Lu (jlu5)
Changed in variety:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
