Date: Sun, 13 Sep 2015 16:47:39 +0000 From: Luke Faraone <lfaraone@...ian.org> To: oss-security@...ts.openwall.com Subject: CVE-2015-0853: insecure use of os.system() in svn-workbench Hello, I discovered that, in the SVN GUI application "svn-workbench", if a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user. STEPS TO REPRODUCE: 1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a project in svn-workbench 2. Checkout the project 3. Navigate to "trunk/$(xeyes)" 4. Click "Actions", then "Command Shell" The `xeyes` program (if installed on your system) should start. Source/wb_shell_unix_commands.py starting at line 53: def ShellOpen( app, project_info, filename ): app.log.info( T_('Open %s') % filename ) cur_dir = os.getcwd() try: wb_platform_specific.uChdir( project_info.getWorkingDir() ) os.system( "xdg-open '%s'" % filename ) finally: wb_platform_specific.uChdir( cur_dir ) The code should instead start a subprocess in a secure way, such as using subprocess.call(). CVE-2015-0853 has been assigned for this issue. This issue affects at least version 1.6.2 (older versions may be affected) through the current latest version of svn-workbench at time of writing. Upstream bug: http://pysvn.tigris.org/issues/show_bug.cgi?id=202 Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798863 Ubuntu bug: https://launchpad.net/bugs/1495268 Regards, Luke Faraone [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ