Date: Sun, 13 Sep 2015 16:47:39 +0000 From: Luke Faraone <lfaraone@...ian.org> To: oss-security@...ts.openwall.com Subject: CVE-2015-0853: insecure use of os.system() in svn-workbench Hello, I discovered that, in the SVN GUI application "svn-workbench", if a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user. STEPS TO REPRODUCE: 1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a project in svn-workbench 2. Checkout the project 3. Navigate to "trunk/$(xeyes)" 4. Click "Actions", then "Command Shell" The `xeyes` program (if installed on your system) should start. Source/wb_shell_unix_commands.py starting at line 53: def ShellOpen( app, project_info, filename ): app.log.info( T_('Open %s') % filename ) cur_dir = os.getcwd() try: wb_platform_specific.uChdir( project_info.getWorkingDir() ) os.system( "xdg-open '%s'" % filename ) finally: wb_platform_specific.uChdir( cur_dir ) The code should instead start a subprocess in a secure way, such as using subprocess.call(). CVE-2015-0853 has been assigned for this issue. This issue affects at least version 1.6.2 (older versions may be affected) through the current latest version of svn-workbench at time of writing. Upstream bug: http://pysvn.tigris.org/issues/show_bug.cgi?id=202 Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798863 Ubuntu bug: https://launchpad.net/bugs/1495268 Regards, Luke Faraone Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.