Shell injection in ImageMagick filter code via specially crafted filenames

Bug #1716268 reported by James Lu
This bug affects 1 person
Affects: Variety
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

Steps to reproduce:

1) Rename any image to the format 'test";"<command name>";".png' (e.g. test";"galculator";".png) and set it as wallpaper.
2) Apply a filter or enable the clock in Variety settings.
3) Poof! The code hidden in the filename runs.

Migrating from os.system (which is dangerous and calls a shell) to subprocess.call is the long-term preferred solution. However, the default clock filter actually depends on nesting a shell command to do its work, so changing this code without config migration will break the current setup. What might be the best way to go from here?

This bug affects Variety 0.6.5 along with the latest trunk.

Tags: security
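
The difference between the two approaches named in the description, plus an option for commands that still need a shell, as an added example (not Variety's code and not the change made in revision 615). Assumptions: `printf` stands in for the ImageMagick command line, and the filename is constructed in the report's pattern with a harmless `echo` as the embedded command.

```python
import shlex
import subprocess

# Constructed filename in the pattern from the report; the embedded command
# is a harmless echo.
HOSTILE_NAME = 'test";"echo" "INJECTED";".png'


def _lines(proc):
    """Return the captured stdout of a finished process as a list of lines."""
    return proc.stdout.splitlines()


def run_interpolated(filename):
    """Vulnerable pattern: the filename is pasted between double quotes in a
    shell string, so a '"' in the name closes the quoting and ';' starts a
    new command."""
    cmd = "printf '%s\\n' \"" + filename + "\""
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


def run_argv(filename):
    """No shell involved: the filename is exactly one argv element, whatever
    characters it contains."""
    argv = ["printf", "%s\\n", filename]
    return _lines(subprocess.run(argv, capture_output=True, text=True))


def run_shell_quoted(filename):
    """For commands that must stay shell strings (such as a nested command):
    quote the value with shlex.quote before inserting it."""
    cmd = "printf '%s\\n' " + shlex.quote(filename)
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


if __name__ == "__main__":
    # The interpolated form prints "test" and then runs the embedded echo.
    print("interpolated:", run_interpolated(HOSTILE_NAME))
    # Both hardened forms print the filename back as a single argument.
    print("argv list:   ", run_argv(HOSTILE_NAME))
    print("shlex.quote: ", run_shell_quoted(HOSTILE_NAME))
```

In the quoted variant the placeholder in the command template must not itself sit inside quotes, since `shlex.quote` supplies its own.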
James Lu (jlu5) wrote :

Fixed in http://bazaar.launchpad.net/~variety/variety/trunk/revision/615. I will make a new release shortly.

Changed in variety:
status: Triaged → Fix Committed
information type: Private Security → Public Security
James Lu (jlu5)
tags: removed: shell-injection
Changed in variety:
milestone: none → 0.6.6
James Lu (jlu5)
Changed in variety:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.