Remote command injection in the linux mint front end installer

Bug #896895 reported by David
This bug affects 1 person
Affects      Status   Importance   Assigned to   Milestone
Linux Mint   New      Undecided    Unassigned

Bug Description

Remote command injection in the linux mint installer front end.

The code in mintinstall/usr/lib/linuxmint/mintInstall/frontend.py creates and runs a "RefreshThread". The RefreshThread downloads portal information from the internet using urllib[0], after which it downloads the images of categories provided in the XML file using wget (on line 989) like this:

                                        os.system("wget -nc -O" + category.key + " " + category.logo)

As the input data source cannot be trusted it is possible for an attacker to inject commands to be run in addition to wget.

How to fix: first make sure the category key has a 'safe' file-name, second perhaps consider using urllib to perform the download from python instead of calling wget.

[0] so if there was an assumption that because ssl is in use the software is _safe_, it wouldn't be safe ... unless linux mint has a patched version of urllib ...
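
The fix suggested in the report, sketched as an added example (not mintInstall code, and not from the reporter or the project): validate the category key against a file-name allowlist and download with urllib instead of passing a concatenated string to os.system. It is written for Python 3; `safe_filename`, `safe_url`, `fetch_logo` and the `opener` parameter are hypothetical names.

```python
# Added example; names are hypothetical and do not come from frontend.py.
import os
import re
import shutil
import urllib.parse
import urllib.request

# Allowlist for the on-disk name: letters, digits, dot, dash, underscore.
# The first character may not be a dot or dash, which rules out "..",
# hidden files and option-like names; "/" and whitespace never match.
_SAFE_KEY = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")


def safe_filename(key):
    """Return key unchanged if it is a safe bare file name, else raise."""
    if not isinstance(key, str) or not _SAFE_KEY.fullmatch(key):
        raise ValueError("unsafe category key: %r" % (key,))
    return key


def safe_url(url):
    """Accept only absolute http(s) URLs (urllib also understands file:)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unsafe logo URL: %r" % (url,))
    return url


def fetch_logo(key, logo_url, dest_dir, opener=urllib.request.urlopen):
    """Download logo_url to dest_dir/key without invoking a shell.

    Like wget -nc, an existing file is left alone. `opener` is injectable
    so the function can be exercised offline.
    """
    # Both untrusted fields are validated before any file or network access.
    path = os.path.join(dest_dir, safe_filename(key))
    url = safe_url(logo_url)
    if os.path.exists(path):
        return path
    with opener(url, timeout=10) as resp, open(path, "wb") as out:
        shutil.copyfileobj(resp, out)
    return path
```

Because the key and URL are never joined into a command string, shell metacharacters in the portal XML have nothing to be interpreted by; the allowlist additionally keeps the download inside `dest_dir`.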

David (d--) wrote :

There is similar, also likely vulnerable, code found on lines 1014 (items) and 1040 (screen-shots).

David (d--) wrote :

Does anyone even care about bugs in Linux Mint?

David (d--) wrote :

Apparently no one cares enough to even respond so I am opening this bug up so that others can see it ...

visibility: private → public

Gwendal LE BIHAN (gwendal-lebihan-dev) wrote :

I'll check why this code is still there, but if you look a little more precisely, you'll see that this code is actually never executed (the RefreshThread object is instantiated with the refresh param as False), so unless I missed something there isn't actually any command injection risk.

I'll still have a closer look at this and will come back to you as soon as I have more detailed/confirmed information.

Changed in linuxmint:
assignee: nobody → Gwendal LE BIHAN (gwendal-lebihan-dev)

David (d--) wrote :

Perhaps it is never executed. I do not have a linux mint machine or a vm available to test and find out.
Additionally, please note that there is a lot more code like this in the Linux Mint code-base. (This is not the only instance where bad things™ can happen if the code ever runs).

David (d--) wrote :

Right, it doesn't look like it is ever executed in the code as I see it.
I guess I will need to find a thing that is used then ;)

David (d--) wrote :

Although it does seem weird that software portal information is never updated? (surely it is somewhere else).

Changed in linuxmint:
assignee: Gwendal LE BIHAN (gwendal-lebihan-dev) → nobody
This report contains Public Security information  
Everyone can see this security related information.
