➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015-11-27 20:19 by TheRegRunner, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| workaround.diff | TheRegRunner, 2015-11-27 20:19 | patch | ||
| Messages (6) | |||
|---|---|---|---|
| msg255482 - (view) | Author: Bernd Dietzel (TheRegRunner) | Date: 2015-11-27 20:19 | |
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".
Demo Exploits for Linux :
====================
>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"
==== Traceback ====
>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
trace = f.read()
KeyboardInterrupt
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068
|
|||
| msg255523 - (view) | Author: Martin Panter (martin.panter) *  |
Date: 2015-11-28 03:29 | |
There is a patch at Issue 22636 which looks like it replaces all five os.popen() calls. |
|||
| msg255524 - (view) | Author: Martin Panter (martin.panter) * |
Date: 2015-11-28 03:31 | |
Your Ubuntu link seems broken, or is that a private report? |
|||
| msg255539 - (view) | Author: Bernd Dietzel (TheRegRunner) | Date: 2015-11-28 12:30 | |
i made the ubuntu link readable for everyone. |
|||
| msg255633 - (view) | Author: Dimitri John Ledkov (xnox) * | Date: 2015-12-01 01:10 | |
Whilst fixed in 3.5, it is not fixed in 2.7. And the reporter believes this is a security vulnerability. Can this be cherry-picked into the 2.7 branch? |
|||
| msg255634 - (view) | Author: Martin Panter (martin.panter) * |
Date: 2015-12-01 01:54 | |
I do not believe 3.5 is fixed either:
$ python3.5
Python 3.5.0 (default, Sep 20 2015, 11:28:25)
[GCC 5.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes.util
>>> ctypes.util.find_library("; echo Hello shell >&2")
Hello shell
>>>
Issue 22636 has a patch with some review comments, but is is still open. I think it needs someone to take another look, perhaps update the patch, and get it committed.
I will mark the other issue as a bug fix for 2.7 and 3.4+.
|
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:24 | admin | set | github: 69937 |
| 2015-12-01 01:54:54 | martin.panter | set | messages: + msg255634 |
| 2015-12-01 01:10:00 | xnox | set | nosy:
+ xnox messages: + msg255633 |
| 2015-11-28 12:30:40 | TheRegRunner | set | messages: + msg255539 |
| 2015-11-28 03:31:02 | martin.panter | set | messages: + msg255524 |
| 2015-11-28 03:29:09 | martin.panter | set | status: open -> closed nosy: + martin.panter messages: + msg255523 superseder: avoid using a shell in ctypes.util: replace os.popen with subprocess resolution: duplicate |
| 2015-11-27 20:19:20 | TheRegRunner | create | |