Shell Injection / filename
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mate-dock-applet (Ubuntu) | Opinion | Low | Unassigned |
Bug Description
The function im_get_comp_color uses shell=True, so a shell command embedded in the text of the filename or path could get executed.
This is the function's source code:
```python
import subprocess


def im_get_comp_color(filename):
    """Find the complementary colour of the average colour of an image.
    Uses ImageMagick to read and process the image

    Args:
        filename : the filename of the image

    Returns:
        a tuple of r,g,b values (0-255)
    """
    # The filename is concatenated straight into a shell command line, so any
    # shell metacharacters it contains are interpreted by /bin/sh (shell=True
    # below). The command string continues past "-format" in the original but
    # is cut off in the report; only the visible part is kept here.
    cmdstr = "convert " + filename + " -colors 16 -depth 8 -format ""%c"" "
    # The subprocess call is also cut off in the report. The report states it
    # is made with shell=True; check_output is assumed here for the call itself.
    cmd = subprocess.check_output(cmdstr, shell=True)
    # (the remainder of the function is not included in the report)
```
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mate-dock-applet 0.70-1build1
ProcVersionSign
Uname: Linux 4.4.0-22-generic i686
ApportVersion: 2.20.1-0ubuntu2
Architecture: i386
CurrentDesktop: MATE
Date: Fri May 27 21:11:15 2016
InstallationDate: Installed on 2016-01-10 (138 days ago)
InstallationMedia: Linux 15.10 - Release i386
SourcePackage: mate-dock-applet
UpgradeStatus: Upgraded to xenial on 2016-05-07 (20 days ago)
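The injection described in the report, as an added example that is not part of the bug report or of the mate-dock-applet project: the same string-concatenation-plus-shell=True pattern is reproduced with `echo` standing in for `convert` so it runs without ImageMagick, beside a naively double-quoted variant (which a second payload still escapes) and two hardened forms, an argv list with no shell and `shlex.quote()` for the case where a shell pipeline is genuinely needed. The function names and the two payload filenames are constructed for this example.

```python
"""Added example: shell injection through a filename with shell=True,
and the hardened alternatives. Not code from mate-dock-applet."""
import shlex
import subprocess

# Constructed attacker-controlled filenames. A dock applet might see such a
# path from a .desktop file or a dropped file it never validates.
EVIL_NAME = "icon.png; echo INJECTED"
# Second payload: carries its own double quote to break out of naive quoting.
EVIL_QUOTED = 'icon.png"; echo INJECTED; echo "'


def run_vulnerable(filename: str) -> str:
    """The pattern from the report: concatenate, then shell=True.
    /bin/sh parses the string, so ';' ends the first command and
    starts a second one chosen by whoever named the file."""
    cmdstr = "echo " + filename
    return subprocess.check_output(cmdstr, shell=True, text=True)


def run_naively_quoted(filename: str) -> str:
    """Wrapping the filename in double quotes is NOT a fix: a filename
    that contains a double quote closes the quoted region early."""
    cmdstr = 'echo "' + filename + '"'
    return subprocess.check_output(cmdstr, shell=True, text=True)


def run_argv(filename: str) -> str:
    """Hardened: pass an argument vector and no shell. The whole
    filename becomes exactly one argv entry, whatever it contains."""
    return subprocess.check_output(["echo", filename], text=True)


def run_quoted_shell(filename: str) -> str:
    """Hardened variant when a shell really is required (e.g. the
    command is a pipeline): shlex.quote() turns the filename into a
    single shell word, so metacharacters lose their meaning."""
    cmdstr = "echo " + shlex.quote(filename)
    return subprocess.check_output(cmdstr, shell=True, text=True)


def injected(output: str) -> bool:
    """True if the payload's second command actually ran, i.e. INJECTED
    appears as a line of its own rather than inside the echoed filename."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    cases = [
        ("vulnerable, simple payload", run_vulnerable, EVIL_NAME),
        ("naive quoting, simple payload", run_naively_quoted, EVIL_NAME),
        ("naive quoting, quote-breaking payload", run_naively_quoted, EVIL_QUOTED),
        ("argv list, quote-breaking payload", run_argv, EVIL_QUOTED),
        ("shlex.quote, quote-breaking payload", run_quoted_shell, EVIL_QUOTED),
    ]
    for label, fn, payload in cases:
        out = fn(payload)
        print(f"{label}: injected={injected(out)} output={out!r}")
```

Only the first and third cases report `injected=True`; both hardened forms return the payload verbatim as a single echoed line. For the real function the fix is the argv form (`["convert", filename, "-colors", "16", ...]`), and if the trailing part of the command is a pipeline, either replace the pipe with a second subprocess or quote the filename with `shlex.quote()` before building the string.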
information type: Private Security → Public Security
Changed in mate-dock-applet (Ubuntu): importance: Undecided → High
Changed in mate-dock-applet (Ubuntu): status: Confirmed → Opinion
Hi Bernd, thanks for reporting this issue; have you reported this issue to the upstream developers yet? Once a fix is available we would be happy to sponsor an update for this package.
Because this isn't obviously a security issue (the developers may consider all input to their tool to be completely trusted), I think we should defer getting a CVE until they've had a chance to respond.
Thanks