Shell Command Injection in places.py plugin of mate-menu package

Bug #1422402 reported by Bernd Dietzel
Affects: Ubuntu MATE
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Shell commands can be executed because places.py of the Advanced MATE Menu uses the old commands.getoutput function.

/usr/lib/ubuntu-mate/mate-menu/plugins/places.py

Line 182:
 config = ConfigObj(home + "/.config/user-dirs.dirs")
 tmpdesktopDir = config['XDG_DESKTOP_DIR']
 # the value read from the user-writable config file is pasted into a shell command line
 tmpdesktopDir = commands.getoutput("echo " + tmpdesktopDir)

If ~/.config/user-dirs.dirs contains something like this:

XDG_DESKTOP_DIR="$HOME/Schreibtisch;xterm"

xterm will be executed on next start.

--> Please use subprocess.Popen(), not commands.getoutput()

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

The same possible shell injection in the plugin "applications.py" in the function "add_to_desktop":

Line 1128:
 tmpdesktopDir = commands.getoutput("echo " + tmpdesktopDir)

Line 1132:
 # desktopFile and desktopDir are interpolated into a shell command string
 os.system("cp \"%s\" \"%s/\"" % (desktopEntry.desktopFile, desktopDir))
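Both findings above (places.py line 182 and applications.py lines 1128 and 1132) come from the same pattern: a value from the user-writable user-dirs.dirs is handed to a shell through commands.getoutput("echo " + ...) or os.system("cp ..."), so the shell metacharacters in it (the ";xterm" in the report) are interpreted. The following is an added example, not the mate-menu project's own fix, of doing the same two jobs without ever starting a shell: the file is parsed as key="value" lines, the $HOME token is substituted as a plain string, and the .desktop file is copied with shutil.copy. The sample user-dirs.dirs text, the function names and the hypothetical /home/bernd path are constructed for the example.

```python
import os
import shutil
import tempfile

# Constructed sample of ~/.config/user-dirs.dirs carrying the payload from the report.
SAMPLE_USER_DIRS = (
    'XDG_DESKTOP_DIR="$HOME/Schreibtisch;xterm"\n'
    'XDG_DOWNLOAD_DIR="$HOME/Downloads"\n'
)


def parse_user_dirs(text):
    """Parse the KEY="value" lines written by xdg-user-dirs, without a shell."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # xdg-user-dirs double-quotes every value; strip exactly one layer of quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        result[key.strip()] = value
    return result


def expand_xdg_dir(value, home):
    """Expand the $HOME token as a string replacement.

    xdg-user-dirs only ever writes $HOME, so a narrow replace is enough; it is
    deliberately not os.path.expandvars, which would expand any $VAR it finds.
    Whatever else the value contains (";xterm" included) stays literal text.
    """
    return value.replace("$HOME", home)


def desktop_dir(config_text, home):
    """Replacement for the commands.getoutput("echo " + ...) expansion."""
    raw = parse_user_dirs(config_text).get("XDG_DESKTOP_DIR", "$HOME/Desktop")
    return expand_xdg_dir(raw, home)


def add_to_desktop(desktop_file, dest_dir):
    """Replacement for os.system("cp ..."): arguments are never re-parsed by a shell.

    Returns the path of the copied file.
    """
    os.makedirs(dest_dir, exist_ok=True)
    return shutil.copy(desktop_file, dest_dir)


if __name__ == "__main__":
    # Hypothetical home directory; the ";xterm" survives only as part of a path name.
    target = desktop_dir(SAMPLE_USER_DIRS, "/home/bernd")
    print("desktop dir:", target)  # /home/bernd/Schreibtisch;xterm

    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "example.desktop")
        with open(src, "w") as fh:
            fh.write("[Desktop Entry]\nName=Example\n")
        copied = add_to_desktop(src, os.path.join(tmp, "Schreibtisch;xterm"))
        print("copied to:", copied)
```

If a subprocess is genuinely required, the same rule applies: pass an argument list (subprocess.run(["cp", src, dest], check=True)) and never a single string with shell=True, so the values are delivered as argv entries rather than parsed by /bin/sh.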

Bernd Dietzel (l-ubuntuone1104) wrote :
Changed in ubuntu-mate:
status: New → Triaged
importance: Undecided → High
Changed in ubuntu-mate:
status: Triaged → Fix Committed
Changed in ubuntu-mate:
status: Fix Committed → Fix Released