Shell Injection / filename

Bug #1586514 reported by Bernd Dietzel
This bug affects 1 person
Affects: mate-dock-applet (Ubuntu)
Status: Opinion
Importance: Low
Assigned to: Unassigned

Bug Description

The function im_get_comp_color uses shell=True,
so a shell command in the text of the filename or path could get executed.

This is the function source code:

def im_get_comp_color(filename):
    """Find the complimentary colour of the average colour of an image.

    Uses ImageMagick to read and process the image

    Args:
        filename : the filename of the image

    Returns:
        a tuple of r,g,b values (0-255)

    """

    cmdstr = "convert "+filename +" -colors 16 -depth 8 -format ""%c"" " + \
             "histogram:info:|sort -rn|head -n 1| grep -oe '#[^\s]*'"
    cmd = subprocess.Popen(cmdstr, shell=True, stdout=subprocess.PIPE)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mate-dock-applet 0.70-1build1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic i686
ApportVersion: 2.20.1-0ubuntu2
Architecture: i386
CurrentDesktop: MATE
Date: Fri May 27 21:11:15 2016
InstallationDate: Installed on 2016-01-10 (138 days ago)
InstallationMedia: Linux 15.10 - Release i386
SourcePackage: mate-dock-applet
UpgradeStatus: Upgraded to xenial on 2016-05-07 (20 days ago)
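
A shell-free version of the call quoted in the report, as an added example that is not part of the original report or of mate-dock-applet's code. It passes the filename as a single argv element and does the work of sort/head/grep in Python; build_convert_argv, dominant_colour, im_dominant_colour and the sample data are names and values constructed for this illustration.

```python
import os
import re
import subprocess

# One histogram:info: line looks like "   120: (255,0,0) #FF0000 srgb(255,0,0)"
_HIST_LINE = re.compile(r"^\s*(\d+):.*?(#\S+)")


def build_convert_argv(filename):
    """Return the ImageMagick command as a list, one element per argument."""
    # With a list and no shell, the filename is never parsed for ; | $ ` etc.
    # abspath() makes it start with "/", so a name beginning with "-" is not
    # taken for a convert option.
    return ["convert", os.path.abspath(filename), "-colors", "16",
            "-depth", "8", "-format", "%c", "histogram:info:"]


def dominant_colour(histogram_text):
    """Do what `sort -rn | head -n 1 | grep -oe '#...'` did, in Python."""
    best_count, best_hex = -1, None
    for line in histogram_text.splitlines():
        match = _HIST_LINE.match(line)
        if match and int(match.group(1)) > best_count:
            best_count, best_hex = int(match.group(1)), match.group(2)
    return best_hex  # None when no histogram line was found


def im_dominant_colour(filename):
    """Run convert without shell=True and return the most frequent colour."""
    result = subprocess.run(build_convert_argv(filename),
                            stdout=subprocess.PIPE, check=True, text=True)
    return dominant_colour(result.stdout)


# Constructed sample data, not taken from the bug report.
SAMPLE_HISTOGRAM = (
    "     40: (255,  0,  0) #FF0000 srgb(255,0,0)\n"
    "    310: (  0,255,  0) #00FF00 srgb(0,255,0)\n"
    "      7: (  0,  0,255) #0000FF srgb(0,0,255)\n"
)
HOSTILE_NAME = "icon.png; echo injected"

if __name__ == "__main__":
    print(build_convert_argv(HOSTILE_NAME))
    print(dominant_colour(SAMPLE_HISTOGRAM))
```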

Bernd Dietzel (l-ubuntuone1104) wrote :
Seth Arnold (seth-arnold) wrote :

Hi Bernd, thanks for reporting this issue; have you reported this issue to the upstream developers yet? Once a fix is available we would be happy to sponsor an update for this package.

Because this isn't obviously a security issue (the developers may consider all input to their tool to be completely trusted) I think we should defer getting a CVE until they've had a chance to respond.

Thanks

Changed in mate-dock-applet (Ubuntu):
status: New → Confirmed
Bernd Dietzel (l-ubuntuone1104) wrote :

Hello Seth,
No, I have not reported this issue to the upstream developers.

Bernd Dietzel (l-ubuntuone1104) wrote :

Nothing has happened for a long time...

information type: Private Security → Public Security
Changed in mate-dock-applet (Ubuntu):
importance: Undecided → High
Martin Wimpress  (flexiondotorg) wrote :

Nothing calls im_get_comp_color().

Changed in mate-dock-applet (Ubuntu):
importance: High → Low
Changed in mate-dock-applet (Ubuntu):
status: Confirmed → Opinion