distutils : file "bdist_rpm.py" allows Shell injection in "name"

Bug #1514183 reported by Bernd Dietzel
Affects               Status       Importance   Assigned to   Milestone
Python                Invalid      Unknown
python2.7 (Ubuntu)    Incomplete   Undecided    Unassigned

Bug Description

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command; it should be replaced with subprocess.Popen():

out = os.popen(q_cmd)

Exploit demo :
============
1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) A xmessage window pops up as a proof of concept

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov 8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
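The pattern the report describes, as an added example that is not part of the bug report or of distutils: a package name is interpolated into a command string and handed to os.popen(), which runs it through /bin/sh, so a name containing a `;` executes a second command. Beside it are two fixes (an argv list passed to subprocess.run() with no shell, and shlex.quote() where a shell string cannot be avoided) and an allow-list check on the name. The `echo` command stands in for the real `rpm -q` query so the demo runs without rpm installed, and the name pattern is an assumption, not something distutils enforces.

```python
import os
import re
import shlex
import subprocess

# Constructed stand-in for the rpm query string bdist_rpm builds; `echo`
# makes the demo runnable on any POSIX system without rpm present.
QUERY_TEMPLATE = "echo querying %s"

# Constructed attacker-controlled package name (the "name" argument to setup()).
MALICIOUS_NAME = "demo; echo INJECTED"


def vulnerable_query(name):
    """Mirror the reported pattern: format the name into a command string and
    run it with os.popen(), which invokes /bin/sh -c and so honours `;`."""
    q_cmd = QUERY_TEMPLATE % name
    with os.popen(q_cmd) as out:
        return out.read().splitlines()


def hardened_query(name):
    """Pass an argv list to subprocess.run(); no shell ever parses the name,
    so metacharacters in it are just bytes of a single argument."""
    argv = ["echo", "querying", name]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def quoted_query(name):
    """If a shell string is unavoidable, shlex.quote() wraps the value so the
    shell treats it as one literal word."""
    q_cmd = QUERY_TEMPLATE % shlex.quote(name)
    with os.popen(q_cmd) as out:
        return out.read().splitlines()


# Assumed allow-list for package names: letters, digits, '.', '_' and '-'.
# This is a defensive choice for the example, not a rule from distutils.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_name(name):
    """True when the name contains only allow-listed characters."""
    return bool(_NAME_RE.match(name))


def validate_name(name):
    """Reject a name before it reaches any command construction."""
    if not is_safe_name(name):
        raise ValueError("unsafe package name: %r" % (name,))
    return name


if __name__ == "__main__":
    print("os.popen        :", vulnerable_query(MALICIOUS_NAME))
    print("subprocess argv :", hardened_query(MALICIOUS_NAME))
    print("shlex.quote     :", quoted_query(MALICIOUS_NAME))
    print("allow-list      :", is_safe_name(MALICIOUS_NAME))
```

The argv-list form is the preferable fix: it removes the shell from the picture entirely, whereas quoting only works if every interpolated value is quoted every time.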

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :
summary: - distutils : filebdist_rpm.py allows Shell injection in "name"
+ distutils : file "bdist_rpm.py" allows Shell injection in "name"
information type: Public → Public Security
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Bernd - Thanks for the bug report! While I think that this is something that should be fixed upstream, I don't feel like it is a security issue.

By running `python setup.py ...`, you're already trusting that setup.py is not malicious. It could execute xmessage directly.

Do you know if there are any other ways to trigger the problematic popen() call that doesn't require executing the Python script that has the malicious program name?

Have you reported this issue to upstream Python?

Changed in python2.7 (Ubuntu):
status: New → Incomplete
Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Hello Tyler,
I only used the setup script because the distutils.core.setup() function takes such a large number of arguments, so it is easier to read than in a single line of code.

No, I haven't reported this issue to upstream.

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Reported to Upstream :
http://bugs.python.org/issue25627

Changed in python:
status: Unknown → New
Changed in python:
status: New → Invalid