externalcommand.py : Shell injection with a Path name

Bug #1694007 reported by Bernd Dietzel
Affects Status Importance Assigned to Milestone
Bazaar
Expired
Undecided
Unassigned
bzr (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

If inside the path is a shell command, it will be executed.
In this demo the program xeyes will start but should not:

~ $ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import bzrlib.externalcommand as E
>>> x=E.ExternalCommand('/tmp/$(xeyes)/test/abc')
>>> y=x.help()
sh: 1: /tmp//test/abc: not found
>>> # xeyes does run now #

Package:
python-bzrlib

File:
/usr/lib/python2.7/dist-packages/bzrlib/externalcommand.py

Line 64:
pipe = os.popen('%s --help' % self.path)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-bzrlib 2.7.0-2ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
Uname: Linux 4.4.0-66-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Sat May 27 13:00:36 2017
InstallationDate: Installed on 2016-07-31 (300 days ago)
InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)
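The line quoted above (`pipe = os.popen('%s --help' % self.path)`) builds a command string and hands it to /bin/sh, so any shell metacharacters in the path, such as the `$(...)` substitution in the report, are evaluated by the shell before the program is looked up. The following is an added example written for this page, not code from bzrlib: it shows the string that reaches the shell in the vulnerable form, the same string with `shlex.quote()` applied, and a shell-free replacement based on `subprocess.run()` with an argument list. It is Python 3 (the report uses Python 2.7), and the demo directory name and script are constructed for the example.

```python
import os
import shlex
import stat
import subprocess
import tempfile


def help_command_vulnerable(path):
    """The pattern at externalcommand.py line 64: the path is interpolated
    into a string that os.popen() hands to /bin/sh, so $(...), backticks,
    ';' and similar inside the path are interpreted by the shell."""
    return '%s --help' % path


def help_command_quoted(path):
    """Minimal fix when a shell command string cannot be avoided: quote the
    path so the shell sees one literal word and performs no expansion."""
    return '%s --help' % shlex.quote(path)


def external_help(path):
    """Hardened replacement for the os.popen() call: no shell is involved,
    the path is passed to execve() unchanged as argv[0], and '--help' is a
    separate argv element. Returns the program's standard output."""
    proc = subprocess.run([path, '--help'], capture_output=True, text=True)
    return proc.stdout


def demo():
    """Constructed demo: a directory whose name contains a command
    substitution, holding a script that only echoes its arguments. With
    external_help() the directory name is never expanded; the script is
    found and receives exactly one argument."""
    with tempfile.TemporaryDirectory() as tmp:
        hostile_dir = os.path.join(tmp, '$(echo INJECTED)')  # constructed name
        os.mkdir(hostile_dir)
        script = os.path.join(hostile_dir, 'abc')
        with open(script, 'w') as f:
            f.write('#!/bin/sh\necho "args: $@"\n')
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
        return external_help(script)


if __name__ == '__main__':
    hostile = '/tmp/$(xeyes)/test/abc'
    print('shell sees (vulnerable):', help_command_vulnerable(hostile))
    print('shell sees (quoted):    ', help_command_quoted(hostile))
    print('subprocess output:      ', demo().strip())
```

The list form of `subprocess.run()` is the preferable fix: it removes the shell from the picture entirely, so there is no quoting rule left to get wrong, and a path that does not exist fails with a Python `FileNotFoundError` instead of the `sh: 1: ...: not found` message seen in the report.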

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Screenshot

Hans Joachim Desserud (hjd) wrote :

Thanks for taking your time to report this issue and help making Ubuntu better.

I was able to reproduce this with bzr 2.7.0+bzr6619-7 on Ubuntu 17.04, so it is still present in the latest packaged version.

Changed in bzr (Ubuntu):
status: New → Confirmed
tags: added: artful xenial yakkety zesty
Jelmer Vernooij (jelmer) wrote :

As far as I know, this is intentional. Where is this problematic? You should not use this for unvalidated externally provided commands.

Bernd Dietzel (l-ubuntuone1104) wrote :

As you can see above, help() does not show the help of program abc but runs a shell command in the middle of the path and the path gets broken.

Jelmer Vernooij (jelmer)
tags: added: check-for-breezy
Jelmer Vernooij (jelmer)
tags: removed: check-for-breezy
Jelmer Vernooij (jelmer) wrote :

I'm not sure I follow, that's how shell expansion works.

Changed in bzr:
status: New → Incomplete
Changed in bzr (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for bzr (Ubuntu) because there has been no activity for 60 days.]

Changed in bzr (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for Bazaar because there has been no activity for 60 days.]

Changed in bzr:
status: Incomplete → Expired