Shell Command Injection in places.py plugin of mate-menu package
Bug #1422402 reported by Bernd Dietzel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu MATE | Fix Released | High | Unassigned |
Bug Description
Shell commands can be executed because places.py of the Advanced Mate Menu uses the old commands.getoutput function.
/usr/lib/
###Line 182 :###
config = ConfigObj(home + "/.config/
tmpdesktopDir = config[
tmpdesktopDir = commands.
############
if ~/.config/
XDG_DESKTOP_
xterm will be executed on next start.
--> Please use subprocess.Popen() , not commands.
Changed in ubuntu-mate: status: New → Triaged; importance: Undecided → High
Changed in ubuntu-mate: status: Triaged → Fix Committed
Changed in ubuntu-mate: status: Fix Committed → Fix Released
The same possible shell injection in the plugin "applications.py" in the function "add_to_desktop" :
Line 1128: tmpdesktopDir = commands.getoutput( "echo " + tmpdesktopDir)
Line 1132 : os.system("cp \"%s\" \"%s/\"" % (desktopEntry.desktopFile, desktopDir))
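Added example, not code from mate-menu or from this report: a shell-free replacement for the two patterns quoted in the description and in the comment (`commands.getoutput("echo " + ...)` to expand the directory value, and `os.system("cp ...")` to copy the file). The key name `XDG_DESKTOP_DIR`, the `KEY="value"` file layout, and all function names and sample values are assumptions made for the illustration.

```python
import os
import shutil
import tempfile

KEY = "XDG_DESKTOP_DIR"  # assumed key name; the page's own line is cut off

def expand_home(value, home):
    """Expand only a leading $HOME or ${HOME}; all other text stays literal."""
    value = value.strip().strip('"')
    for prefix in ("$HOME", "${HOME}"):
        if value == prefix or value.startswith(prefix + "/"):
            return home + value[len(prefix):]
    return value

def read_desktop_dir(config_path, home):
    """Read KEY from a KEY="value" file (assumed layout) without any shell."""
    with open(config_path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, raw = line.strip().partition("=")
            if sep and key.strip() == KEY:
                return expand_home(raw, home)
    return os.path.join(home, "Desktop")

def add_to_desktop(desktop_file, desktop_dir):
    """Copy with shutil instead of os.system("cp ..."); validate the target."""
    if not os.path.isabs(desktop_dir) or not os.path.isdir(desktop_dir):
        raise ValueError("not an existing absolute directory: %r" % desktop_dir)
    return shutil.copy(desktop_file, desktop_dir)

def demo():
    """Feed a benign and a hostile (both constructed) value through the safe path."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "Desktop"))
    marker = os.path.join(home, "marker")
    entry = os.path.join(home, "app.desktop")
    with open(entry, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nName=Constructed sample\n")
    samples = {"benign": '"$HOME/Desktop"', "hostile": '"$(touch %s)"' % marker}
    results = {}
    for name, value in samples.items():
        cfg = os.path.join(home, name + ".dirs")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\n%s=%s\n" % (KEY, value))
        try:
            add_to_desktop(entry, read_desktop_dir(cfg, home))
            results[name] = "copied"
        except ValueError:
            results[name] = "rejected"
    results["marker_created"] = os.path.exists(marker)
    return results

if __name__ == "__main__":
    print(demo())
```

Because no shell ever sees the configuration value, the command substitution in the hostile sample stays an inert string and is rejected as a non-existent relative path.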