Date: Sun, 13 Sep 2015 16:47:39 +0000
From: Luke Faraone <>
Subject: CVE-2015-0853: insecure use of os.system() in svn-workbench


I discovered that, in the SVN GUI application "svn-workbench", if a user
was tricked into using the "Command Shell" menu item while in a
directory with a specially-crafted name, svn-workbench would execute
arbitrary commands with the permissions of the user.

     1. Add "" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/ starting at line 53:
    def ShellOpen( app, project_info, filename ):
        T_('Open %s') % filename )
        cur_dir = os.getcwd()

        wb_platform_specific.uChdir( project_info.getWorkingDir() )
        os.system( "xdg-open '%s'" % filename )
        wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
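The following is an added illustration of that recommendation, not code from the report or from svn-workbench: the opener is invoked through subprocess with an argument list and shell=False, so the filename reaches xdg-open as one literal argument and no shell ever parses it. The `argv_prefix` hook and the `demo()` helper are assumptions introduced here so the example can be exercised with the Python interpreter instead of a desktop opener; `shlex.quote` is shown only as the fallback for the rare case where a shell command string cannot be avoided.

```python
import os
import shlex
import subprocess
import sys
from typing import List, Sequence


def shell_open_command(filename: str) -> List[str]:
    """Return the argv list for opening `filename` with xdg-open.

    With an argv list and shell=False, subprocess hands the filename to
    xdg-open as a single argument. Quotes, `$(...)`, `;` or backticks in
    a directory name are plain bytes here, not shell syntax.
    """
    return ["xdg-open", filename]


def shell_quoted_command(filename: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote escapes the name
    so a name such as trunk/$(xeyes) becomes 'trunk/$(xeyes)' and is not expanded."""
    return "xdg-open %s" % shlex.quote(filename)


def shell_open(project_dir: str, filename: str,
               argv_prefix: Sequence[str] = ("xdg-open",)) -> str:
    """Run the opener inside project_dir without a shell and return its stdout.

    argv_prefix is a hypothetical hook (not part of svn-workbench) so the
    same function can be exercised with an interpreter in place of xdg-open.
    cwd= replaces the chdir/chdir-back pattern, so there is no process-wide
    working directory to restore if the opener fails.
    """
    result = subprocess.run(
        [*argv_prefix, filename],
        cwd=project_dir,
        shell=False,            # argv goes straight to execve, no /bin/sh
        capture_output=True,
        text=True,
        check=False,
    )
    return result.stdout


def demo() -> str:
    """Constructed check: pass the report's directory name through shell_open
    using the Python interpreter as the 'opener'; it must echo the name back
    unchanged, proving nothing was expanded."""
    crafted = "trunk/$(xeyes)"   # constructed input, mirrors the report's test case
    echo_argv = (sys.executable, "-c", "import sys; print(sys.argv[1], end='')")
    return shell_open(os.getcwd(), crafted, echo_argv)


if __name__ == "__main__":
    print("argv form   :", shell_open_command("trunk/$(xeyes)"))
    print("quoted form :", shell_quoted_command("trunk/$(xeyes)"))
    print("round trip  :", demo())
```

The argv form is the one to prefer: it removes the shell from the call path entirely, so there is no quoting rule left to get wrong. `shlex.quote` is strictly a second-best for code that must build a string for `sh -c`, and it protects only against the shell, not against whatever the invoked program does with its arguments.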

CVE-2015-0853 has been assigned for this issue.

This issue affects at least version 1.6.2 (older versions may be
affected) through the current latest version of svn-workbench at time of

Upstream bug:
Debian bug:
Ubuntu bug:

Luke Faraone

