[New-bugs-announce] [issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name

Bernd Dietzel report at bugs.python.org
Sat Nov 14 16:13:32 EST 2015

New submission from Bernd Dietzel:


File :

Line 358 :
This line in the code uses the deprecated os.popen command and should be replaced with subprocess.Popen():

out = os.popen(q_cmd)

Exploit demo :
1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

components: Distutils
files: setup.py
messages: 254670
nosy: TheRegRunner, dstufft, eric.araujo
priority: normal
severity: normal
status: open
title: distutils : file "bdist_rpm.py" allows Shell injection in "name
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file41043/setup.py

Python tracker <report at bugs.python.org>
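The pattern behind the report, shown as an added illustration rather than distutils' own code: a shell command string is built from a path that contains the package name and handed to os.popen, so a single quote in the name closes the quoted argument and the rest of the name runs as shell commands; the subprocess argv form passes the same path as one verbatim argument. The rpm query is stood in for by /bin/echo so the example runs anywhere, the spec path layout and the name regex are assumptions, and the malicious name is constructed. Python 3.

```python
"""Added example (not bdist_rpm.py code): string-built shell command vs argv.

The 'rpm -q ... --specfile' command is stood in for by /bin/echo so this
runs offline; the '<name>.spec' path layout and the name check are assumptions.
"""
import os
import re
import subprocess

# Constructed sample input: a package name that closes the single-quoted
# argument and appends its own command.
MALICIOUS_NAME = "foo'; echo INJECTED; '"
BENIGN_NAME = "foo"


def spec_path_for(name, spec_dir="dist"):
    """Assumed layout: the command line is built from '<spec_dir>/<name>.spec'."""
    return os.path.join(spec_dir, "%s.spec" % name)


def query_vulnerable(name):
    """The injectable pattern: interpolate the path into one string and let
    /bin/sh parse it via os.popen. Quotes in the name break out of the literal."""
    spec_path = spec_path_for(name)
    q_cmd = "echo --specfile '%s'" % spec_path  # stands in for the rpm -q command
    out = os.popen(q_cmd)
    try:
        return out.read()
    finally:
        out.close()


def query_safe(name):
    """The hardened pattern: an argv list with no shell, so the whole path,
    quotes and semicolons included, reaches the program as a single argument."""
    spec_path = spec_path_for(name)
    result = subprocess.run(
        ["echo", "--specfile", spec_path],
        stdout=subprocess.PIPE,
        text=True,
        check=True,
    )
    return result.stdout


# Defence in depth (assumption, not an rpm rule): only accept names drawn from
# a conservative character set before they reach any command line at all.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def valid_name(name):
    return bool(_NAME_RE.match(name))


if __name__ == "__main__":
    print("vulnerable:", repr(query_vulnerable(MALICIOUS_NAME)))
    print("safe:      ", repr(query_safe(MALICIOUS_NAME)))
    print("valid_name:", valid_name(BENIGN_NAME), valid_name(MALICIOUS_NAME))
```

With the malicious name the os.popen path prints a separate INJECTED line, because the shell executed `echo INJECTED` as a second command; the argv path prints the name back literally, quotes and all. The regex check is the cheap extra guard: it stops such a name before any command is built, whether or not the caller later switches away from the shell.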

More information about the New-bugs-announce mailing list