externalcommand.py : Shell injection with a Path name
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bazaar | Expired | Undecided | Unassigned |
bzr (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
If there is a shell command inside the path, it will be executed.
In this demo the program xeyes will start, but it should not:
~ $ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bzrlib.
>>> x=E.ExternalCom
>>> y=x.help()
sh: 1: /tmp//test/abc: not found
>>> # xeyes does run now #
Package: python-bzrlib
File: /usr/lib/
Line 64: pipe = os.popen('%s --help' % self.path)
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-bzrlib 2.7.0-2ubuntu3
ProcVersionSign
Uname: Linux 4.4.0-66-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat May 27 13:00:36 2017
InstallationDate: Installed on 2016-07-31 (300 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)
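The injection and its fixes, as an added example that is not part of the bug report or of bzrlib. It mirrors the reported `os.popen('%s --help' % self.path)` pattern: `subprocess.run(..., shell=True)` stands in for `os.popen` (both hand the string to `/bin/sh -c`; the substitute merely captures stderr so the "not found" noise does not hit the terminal). The function names and the constructed path are made up for this illustration, and the payload is an `echo` rather than xeyes so that the effect shows up in captured stdout.

```python
"""Shell injection via an interpolated path, and two ways to fix it.

Added example, not code from the bzr bug report or from bzrlib. The three
functions reproduce the pattern reported against externalcommand.py
("pipe = os.popen('%s --help' % self.path)") and show the corrected forms.
Function names and the sample path are invented for this illustration.
"""
import shlex
import subprocess
import sys

# Constructed input: a "path" that carries an extra shell command after a ';'.
# The report used a directory name whose embedded command started xeyes; here
# the payload is an echo so the result is visible in captured stdout.
INJECTED_PATH = "/nonexistent/abc; echo INJECTED"

# A real executable, used to show that the hardened form still works normally.
REAL_BINARY = sys.executable


def run_help_unsafe(path):
    """Equivalent of the reported code. The path is pasted into a command
    string that a shell parses, so every shell metacharacter in `path`
    (; | & ` $( ) and friends) is honoured. os.popen() does exactly this;
    shell=True is used here only so that stderr is captured as well."""
    cmd = "%s --help" % path
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_help_quoted(path):
    """Minimal fix when a shell is genuinely required: quote the untrusted
    value so the shell treats it as a single word. The whole odd string
    then becomes the program name, which simply does not exist."""
    cmd = "%s --help" % shlex.quote(path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_help_safe(path):
    """Preferred fix: no shell at all. The argv list goes straight to
    execve(), so `path` is only ever interpreted as a file name and the
    ';' loses all meaning. Returns the program's stdout, or None when the
    named file cannot be executed. Note that this still runs whatever
    `path` points to; it only stops extra commands being smuggled in."""
    try:
        proc = subprocess.run([path, "--help"], capture_output=True, text=True)
    except (FileNotFoundError, PermissionError, NotADirectoryError):
        return None
    return proc.stdout


if __name__ == "__main__":
    print("unsafe :", repr(run_help_unsafe(INJECTED_PATH)))   # payload runs
    print("quoted :", repr(run_help_quoted(INJECTED_PATH)))   # nothing runs
    print("safe   :", repr(run_help_safe(INJECTED_PATH)))     # None
    print("safe, real binary:", run_help_safe(REAL_BINARY).splitlines()[0])
```

The argv-list form is the right fix for the reported line because `--help` is a fixed argument and the path is the only variable part; `shlex.quote` is shown only for code that cannot drop the shell, and it protects a single interpolated value, not an already-assembled command string.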