Shell injection with a GTK-Bookmark
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| One Hundred Papercuts |
Fix Released
|
High
|
Unassigned | ||
| mate-menu (Ubuntu) |
Fix Released
|
High
|
Martin Wimpress | ||
Bug Description
Shell Commands can be injected
when the file ~/.gtk-bookmarks contains for example a path like this :
/temp/$
In the settings of the mate-menu the option to show the gtk-bookmarks in the places must be checked to make it work.
See attached screenshot.
Reason is this os.system call ...
File : /usr/share/
os.system("caja \"%s\" &" % path)
... which should be better replaced with subprocess.
Thank you :-)
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mate-menu 5.7.1-1
ProcVersionSign
Uname: Linux 4.4.0-22-generic i686
ApportVersion: 2.20.1-0ubuntu2
Architecture: i386
CurrentDesktop: MATE
Date: Fri May 27 12:30:35 2016
InstallationDate: Installed on 2016-01-10 (137 days ago)
InstallationMedia: Linux 15.10 - Release i386
PackageArchitec
SourcePackage: mate-menu
UpgradeStatus: Upgraded to xenial on 2016-05-07 (20 days ago)
| Bernd Dietzel (l-ubuntuone1104) wrote | #1 |
| Bernd Dietzel (l-ubuntuone1104) wrote | #2 |
| Bernd Dietzel (l-ubuntuone1104) wrote | #3 |
| Changed in mate-menu (Ubuntu): | |
| status: | New → Confirmed |
| Changed in mate-menu (Ubuntu): | |
| importance: | Undecided → High |
| Changed in hundredpapercuts: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Changed in mate-menu (Ubuntu): | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Martin Wimpress (flexiondotorg) |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in mate-menu (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Changed in hundredpapercuts: | |
| status: | Confirmed → Fix Released |
...and Remove this os.system calls, too please :-)
/usr/share/
x = os.system(
/usr/share/
os.system("rm \"%s\" &" % desktopEntry.
/usr/share/