Pluma Plugin "Snippets" Manager - Shell Command Injection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu MATE | Fix Released | High | Unassigned |
gedit | New | Undecided | Unassigned |
pluma (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The Plugin "Snippets" in Pluma 1.8.1 is vulnerable to Shell Commands.
If you activate the "snippet" Plugin, you can use "tools -> manage snippets" from the main menu of pluma.
Example :
========
If you import a snippet with the manager which has a filename like this:
";xterm;"#Snippets Archive.tar.gz
the Shell command ";xterm;"# will be injected and will execute the program xterm as an exploit demo.
The reason is a bug in the Importer.py Python script:
/usr/lib/
https:/
def import_
The os.system command puts the filename in "%s" to a shell and executes it.
=======
The "dirname" should be checked, too.
So, please do not use os.system in the Importer and Exporter scripts,
use subprocess.Popen() with shell=False
or use quote() to work around this bug.
Thanks :-)
---
Remark :
Because there seems to be another bug (1357735) in pluma,
I could not enable the python snippets in Kubuntu 15.04 or Ubuntu-Mate 15.04.
So I attached a screenshot where I reproduced it in another OS called "HardenedBSD" with Mate Desktop.
----
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: pluma 1.8.1+dfsg1-2
ProcVersionSign
Uname: Linux 3.19.0-21-generic x86_64
NonfreeKernelMo
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 18 21:24:29 2015
InstallationDate: Installed on 2015-05-15 (33 days ago)
InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: pluma
UpgradeStatus: No upgrade log present (probably fresh install)
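
The following is an added example, not code from the report or from pluma/gedit. It tokenizes (without executing anything) the command line that results when the reported file name is substituted into a double-quoted "%s", and compares it with the two fixes the report suggests. The `tar -x --gzip -f` template and all function names are assumptions made for illustration; `shlex` only approximates how `sh` splits the line.

```python
import shlex

# Constructed stand-in for the importer's command template (assumption: the
# report only says the file name is substituted into "%s" and run by os.system).
UNSAFE_TEMPLATE = 'tar -x --gzip -f "%s"'
FILENAME = '";xterm;"#Snippets Archive.tar.gz'  # file name from the report


def shell_commands(cmdline):
    """Approximate how sh splits a command line into separate commands.

    Nothing is executed; shlex only tokenizes the string.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # do not drop anything after '#'
    commands, current = [], []
    for token in lexer:
        if token == ";":  # command separator seen by the shell
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return commands


def unsafe_cmdline(filename):
    # The pattern the report describes: file name pasted inside double quotes.
    return UNSAFE_TEMPLATE % filename


def quoted_cmdline(filename):
    # Workaround named in the report: quote() the file name for the shell.
    return "tar -x --gzip -f %s" % shlex.quote(filename)


def safe_argv(filename):
    # Preferred fix: no shell at all. Pass this list to
    # subprocess.run(argv, cwd=dirname, shell=False); cwd= replaces any "cd".
    return ["tar", "-x", "--gzip", "-f", filename]


if __name__ == "__main__":
    for label, line in (("unsafe", unsafe_cmdline(FILENAME)),
                        ("quoted", quoted_cmdline(FILENAME))):
        print(label, shell_commands(line))
    print("argv  ", safe_argv(FILENAME))
```

With the double-quoted template the leading `"` in the file name closes the quoting early, so the line splits into three commands; with `quote()` or an argument list the whole name stays a single argument to `-f`.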
information type: | Public → Public Security |
Changed in pluma (Ubuntu): | |
status: | Incomplete → Fix Committed |
Changed in ubuntu-mate: | |
status: | New → In Progress |
Changed in ubuntu-mate: | |
importance: | Undecided → High |
Changed in ubuntu-mate: | |
status: | In Progress → Fix Committed |
Changed in ubuntu-mate: | |
status: | Fix Committed → Fix Released |
Same problem with gedit 2.30.4 in Linux Mint 17.1 Rebecca
Watch my (German) Shell Command Injection Demo Video at Timecode 10:00min
https://www.youtube.com/watch?v=abP76r-2js0