Shell Command Injection in places.py plugin of mate-menu package

Bug #1422402 reported by Bernd Dietzel on 2015-02-16
Affects: ubuntu-mate
Importance: High
Assigned to: Unassigned

Bug Description

Shell commands can be executed because places.py of the Advanced Mate Menu uses the old commands.getoutput function.

/usr/lib/ubuntu-mate/mate-menu/plugins/places.py

###Line 182 :###
 config = ConfigObj(home + "/.config/user-dirs.dirs")
 tmpdesktopDir = config['XDG_DESKTOP_DIR']
 tmpdesktopDir = commands.getoutput("echo " + tmpdesktopDir)
############

If ~/.config/user-dirs.dirs contains something like this:

XDG_DESKTOP_DIR="$HOME/Schreibtisch;xterm"

xterm will be executed on next start.

--> Please use subprocess.Popen(), not commands.getoutput()

Bernd Dietzel (l-ubuntuone1104) wrote :

The same possible shell injection in the plugin "applications.py" in the function "add_to_desktop":

Line 1128:
tmpdesktopDir = commands.getoutput("echo " + tmpdesktopDir)

Line 1132:
os.system("cp \"%s\" \"%s/\"" % (desktopEntry.desktopFile, desktopDir))
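Added example (not code from the report or from mate-menu) showing how both spots above can read user-dirs.dirs and copy the .desktop file without ever handing the value to a shell: the value is parsed as text, only the leading $HOME that xdg-user-dirs itself expands is substituted, and the copy is done with an argument list. The file contents, the home path and the function names are constructed for the example.

```python
import os
import subprocess

# Constructed sample of ~/.config/user-dirs.dirs containing the hostile value from the report.
SAMPLE_USER_DIRS = (
    'XDG_DESKTOP_DIR="$HOME/Schreibtisch;xterm"\n'
    'XDG_DOWNLOAD_DIR="$HOME/Downloads"\n'
)


def parse_user_dirs(text):
    """Parse KEY="value" lines of user-dirs.dirs as plain text; no shell is involved."""
    dirs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.startswith("XDG_") and key.endswith("_DIR"):
            dirs[key] = value.strip().strip('"')
    return dirs


def expand_xdg_dir(raw, home):
    """Expand only a leading $HOME, the one substitution xdg-user-dirs performs.

    Anything else (other variables, command substitution, relative paths) is
    rejected instead of being evaluated, so ';xterm' stays a literal file name.
    """
    if raw.startswith("$HOME/"):
        path = os.path.join(home, raw[len("$HOME/"):])
    elif raw.startswith("/"):
        path = raw
    else:
        raise ValueError("unsupported user-dirs value: %r" % (raw,))
    return os.path.normpath(path)


def copy_to_desktop(desktop_file, desktop_dir):
    """Replacement for os.system('cp "%s" "%s/"'): argument list, no shell parsing.

    '--' keeps a file name starting with '-' from being read as a cp option.
    """
    subprocess.check_call(["cp", "--", desktop_file, os.path.join(desktop_dir, "")])


if __name__ == "__main__":
    raw = parse_user_dirs(SAMPLE_USER_DIRS)["XDG_DESKTOP_DIR"]
    print(expand_xdg_dir(raw, "/home/example"))  # /home/example/Schreibtisch;xterm
```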

Changed in ubuntu-mate:
status: New → Triaged
importance: Undecided → High
Changed in ubuntu-mate:
status: Triaged → Fix Committed
Changed in ubuntu-mate:
status: Fix Committed → Fix Released