I also went looking for instances of attach_file() which may be vulnerable to this type of attack (ie using a computed filename that may be able to be influenced by untrusted content from the report) by searching for calls to this across the entire debian archive which use a variable name for the file-name argument:
I also went looking for instances of attach_file() which may be vulnerable to this type of attack (ie using a computed filename that may be able to be influenced by untrusted content from the report) by searching for calls to this across the entire debian archive which use a variable name for the file-name argument:
$ codesearch-cli "attach_ file(_if_ exists) ?\(report( $|,$|, [a-z])" 04-19/debian/ apport/ source_ grub2.py
and not check_shell_ syntax( fullpath) :
invalid_ grub_script. append( fullpath) 3.38.4- 1/debian/ source_ gnome-shell. py
monitors = os.path. expanduser( '~/.config/ monitors. xml') file_if_ exists( report, monitors, 'monitors.xml') 8.4-4/dkms_ apport. py
report[ 'PackageVersion '] = version
report[ 'Title' ] = "%s %s: %s kernel module failed to build" % (package, version, options.module) file_if_ exists( report, make_log, 'DKMSBuildLog') 8.4-4/dkms_ apport. py 'SourcePackage' ] == 'fglrx-installer':
fglrx_ make_log = os.path. join('/ var','lib' ,'dkms' ,options. module, options. version, 'build' ,'make. sh.log' ) file_if_ exists( report, fglrx_make_log, 'FglrxBuildLog') 1.37/debian/ source_ shim-signed. py
attach_ file(report, '/proc/ sys/kernel/ moksbstate_ disabled' )
attach_ file(report, sb_var) 1.37/debian/ source_ shim-signed. py
attach_ file(report, '/proc/ sys/kernel/ moksbstate_ disabled' ) 11.89-3/ data/apport/ source_ plank.py file_if_ exists( report, path.expanduser ('~/.config/ plank/dock1/ settings' ), 'DockSettings') xrdesktop_ 3.36.1- 2/debian/ source_ gnome-shell. py
monitors = os.path. expanduser( '~/.config/ monitors. xml') file_if_ exists( report, monitors, 'monitors.xml') 11.6-2/ debian/ conky.py
conkyrc_ path = path.expanduser ('~/.conkyrc' ) conkyrc_ path): 11.6-2/ debian/ conky.py
open(conkyrc_ path).read( ),
re.MULTILINE) : file_if_ exists( report, file) 3.0.3-13/ debian/ vsftpd. apport
attach_ conffiles( report, 'vsftpd' ) file_if_ exists( report, os.path. expanduser( '/var/log/ vsftpd. log'), 'vsftpd.log') 2.21+ds- 1/debian/ source_ rednotebook. py rednotebook_ dir, name) file_if_ exists( report, log, key) 0.30.11- 1/apport/ shotwell. py
log_ file = os.path. expanduser( '~/.cache/ shotwell/ shotwell. log') hookutils. attach_ file_if_ exists( report, log_file, 'shotwell.log')
path: grub2_2.
91 attach_file(report, fullpath)
path: gnome-shell_
28 attach_
path: dkms_2.
84 attach_
path: dkms_2.
if report[
80 attach_
path: shim-signed_
55 attach_file(report, mok_var)
path: shim-signed_
54 attach_file(report, sb_var)
path: plank_0.
def add_info(report, ui=None):
27 attach_
path: gnome-shell-
28 attach_
path: conky_1.
if path.exists(
17 attach_file(report, conkyrc_path)
path: conky_1.
21 attach_
path: vsftpd_
30 attach_
path: rednotebook_
for (key, name) in LOGS:
log = path.join(
22 attach_
path: shotwell_
def add_info(report):
6 apport.
Of these, the conky script also appears to allow untrusted files to be attached: https:/ /sources. debian. org/src/ conky/1. 11.6-2/ debian/ conky.py/ #L21 but this is a separate issue so I will file a new bug report for that.