Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 13 Sep 2015 16:47:39 +0000
From: Luke Faraone <lfaraone@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-0853: insecure use of os.system() in svn-workbench

Hello,

I discovered that, in the SVN GUI application "svn-workbench", if a user
was tricked into using the "Command Shell" menu item while in a
directory with a specially-crafted name, svn-workbench would execute
arbitrary commands with the permissions of the user.

STEPS TO REPRODUCE:
     1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:
        def ShellOpen( app, project_info, filename ):
            app.log.info( T_('Open %s') % filename )
            cur_dir = os.getcwd()
            try:

        wb_platform_specific.uChdir( project_info.getWorkingDir() )
                os.system( "xdg-open '%s'" % filename )
            finally:
                wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
using subprocess.call().

CVE-2015-0853 has been assigned for this issue. 

This issue affects at least version 1.6.2 (older versions may be
affected) through the current latest version of svn-workbench at time of
writing.

Upstream bug: http://pysvn.tigris.org/issues/show_bug.cgi?id=202
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798863
Ubuntu bug: https://launchpad.net/bugs/1495268

Regards,
Luke Faraone

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ