Shell Command Injection in logcapture.py
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
hplip (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
File:
/usr/share/
is vulnerable to shell command injection attacks.
For example:
sudo python logcapture.py --user=";xmessage hello #"
This will run the program "xmessage" as root after you have answered the few questions which the Python script asks.
The reason is that the whole hplip-data package is full of old "os.system" calls and some similar shell calls like this one:
for u in USERS:
sts = os.system('cp -f %s/*.log %s/%s 2>/devnull '%(USERS[
... and some like this ...
utils.run()
.... and some like that ...
os_utils.execute()
... which calls os.system, too.
Please check all the Python scripts in the hplip-data package for this sort of call: os.system, utils.run(), execute()
Replace them with subprocess.Popen() calls.
Thank you :-)
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: hplip-data 3.15.2-0ubuntu4.1
Date: Sun May 31 13:36:45 2015
SourcePackage: hplip
Changed in hplip (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
information type: Private Security → Public Security
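
The pattern described in the report, beside a shell-free form, as an added example that is not hplip's code or the reporter's: the `cp` command line is a simplified stand-in for the truncated call quoted above, and `USER_RE`, `shell_view` and `copy_logs` are hypothetical names. `shell_view` only tokenizes the string (nothing is executed) to show how the `--user` value from the report turns into a separate command; `copy_logs` validates the name and passes an argument list to `subprocess`, as the report suggests.

```python
import glob
import os
import re
import shlex
import subprocess

# Assumption of this example: a conservative POSIX-style login name pattern.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def shell_view(src_dir, dest_dir, user):
    """Approximate how /bin/sh would split the os.system()-style string.

    Nothing is executed; shlex only tokenizes. ';' comes out as its own
    token (a command separator) and everything after '#' is dropped.
    """
    cmd = "cp -f %s/*.log %s/%s 2>/dev/null" % (src_dir, dest_dir, user)
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def copy_logs(src_dir, dest_dir, user):
    """Copy *.log files into dest_dir/user without involving a shell."""
    # Reject anything that is not a plain login name. This also blocks
    # path tricks such as '../' in the destination component.
    if not USER_RE.fullmatch(user):
        raise ValueError("rejected user name: %r" % user)
    target = os.path.join(dest_dir, user)
    os.makedirs(target, exist_ok=True)
    # Expand the wildcard in Python instead of relying on shell globbing.
    logs = sorted(glob.glob(os.path.join(glob.escape(src_dir), "*.log")))
    if logs:
        # Argument list with the default shell=False: every element reaches
        # cp as exactly one argv entry, so metacharacters are never parsed.
        subprocess.run(["cp", "-f", "--"] + logs + [target], check=True)
    return [os.path.basename(p) for p in logs]


if __name__ == "__main__":
    # Constructed paths; the user value is the one quoted in the report.
    print(shell_view("/var/log/hp", "/tmp/out", ";xmessage hello #"))
```
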