Linux Mint

mintSources : Shell Injection when import a key file

Bug #1504270 reported by Bernd Dietzel
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Linux Mint
Fix Released
Undecided
Unassigned

Bug Description

Look at the attachment Screenshot.

It is possible to inject any shell command in LinuxMint with the help of a key file.
The only thing to do is to give the file a NAME wich has a shell command inside.

Demo Exploit :
--------------------
If you try to import a pgp file with this name :

' ' ; xmessage "I am $(whoami)"; # .pgp

the command will run with root permissions

The reason is this line 877 in mintSources.py :
--------------------------------------------------------------

os.system("apt-key add %s" % dialog.get_filename())

So, please do not use os.system. Use subprocess.
Thank you

The OS Version i used is this :
theregrunner@mint:~\€ lsb_release -a
No LSB modules are available.
Distributor ID: LinuxMint
Description: Linux Mint 17.2 Rafaela
Release: 17.2
Codename: rafaela

Bug reportet on github, too
https://github.com/linuxmint/mintsources/issues/62

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :
information type: Private Security → Public Security
Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Patch attached.

Clement Lefebvre (clementlefebvre)
Changed in linuxmint:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Patches

Remote bug watches

Bug watches keep track of this bug in other bug trackers.