[New-bugs-announce] [issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name

Bernd Dietzel report at bugs.python.org
Sat Nov 14 16:13:32 EST 2015


New submission from Bernd Dietzel:

https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command; it should be replaced with subprocess.Popen():

out = os.popen(q_cmd)
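Added example (not code from this report or from distutils): the hardened replacement the report asks for. It runs the rpm query through subprocess.Popen with an argument list, so the spec file name is passed as one argv entry and is never parsed by a shell; it also shows shlex.quote for the case where a shell string cannot be avoided, and a small self-check that an untrusted name with shell metacharacters reaches a child process unchanged. The names build_query_argv, build_query_shell_string, run_argv and argument_survives_literally are assumptions made for this illustration, and the query format string only loosely mirrors the q_cmd string in bdist_rpm.py.

```python
import shlex
import subprocess
import sys

# Added example, not code from the bug report or from distutils itself.
# Function names and the query format string below are assumptions for
# this illustration.
RPM_QUERY_FORMAT = r"%{name}-%{version}-%{release}.%{arch}.rpm\n"


def build_query_argv(spec_path):
    """Hardened form: the command as an argv list. spec_path is a single
    argument and is never interpreted by /bin/sh, so there is no quoting
    to get wrong."""
    return ["rpm", "-q", "--qf", RPM_QUERY_FORMAT, "--specfile", spec_path]


def build_query_shell_string(spec_path):
    """If a shell string is unavoidable, every untrusted piece must go
    through shlex.quote before it is interpolated."""
    return "rpm -q --qf %s --specfile %s" % (
        shlex.quote(RPM_QUERY_FORMAT), shlex.quote(spec_path))


def run_argv(argv):
    """subprocess.Popen with shell=False, the replacement for
    os.popen(q_cmd). Returns the child's stdout as text."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, _err = proc.communicate()
    return out.decode("utf-8", "replace")


def argument_survives_literally(untrusted_name):
    """Self-check: hand untrusted_name to a child as one argv entry and
    read it back. With shell=False the metacharacters are inert, so the
    child sees exactly the string we passed. The current interpreter is
    used as the child so the check works where rpm is not installed."""
    echoed = run_argv([sys.executable, "-c",
                       "import sys; sys.stdout.write(sys.argv[1])",
                       untrusted_name])
    return echoed == untrusted_name


if __name__ == "__main__":
    # Constructed sample: a distribution name carrying shell metacharacters.
    name = "weird'name $(HOME) ;&|.spec"
    print(build_query_argv(name))
    print(build_query_shell_string(name))
    print("passed literally:", argument_survives_literally(name))
```

The argv form is the one to prefer: shlex.quote is only a fallback for code that must still hand a string to a shell, and it has to be applied to every interpolated value, not just the one that happens to be user-controlled today.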

Exploit demo :
============
1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

----------
components: Distutils
files: setup.py
messages: 254670
nosy: TheRegRunner, dstufft, eric.araujo
priority: normal
severity: normal
status: open
title: distutils : file "bdist_rpm.py" allows Shell injection in "name
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file41043/setup.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25627>
_______________________________________

