can you give me an example where one can use it to do something bad and doesn't have access to root already?
"exploit" demo is funny, though :) Here's another one: `su root -c 'echo foo'` ;) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1529857 Title: Possible Shell Code injection when cleaning packages Status in python2.7 package in Ubuntu: New Bug description: pyclean allows to inject shell code when the package filename contains commands. Exploit Demo which starts the program xeyes : $ pyclean -p ";xeyes;.deb" Reason : The python scripts in the debpython folder are calling subprocess with shell=True. Should be False. /usr/share/python/debpython/files.py Line 49: process = Popen("/usr/bin/dpkg -L %s" % package_name,\ shell=True, stdout=PIPE) /usr/share/python/debpython/pydist.py Line 157: process = Popen("/usr/bin/dpkg -S %s" % query, \ shell=True, stdout=PIPE, stderr=PIPE) /usr/share/python/debpython/tools.py Line 159: cmd = "readelf -Wd '%s'" % fpath process = Popen(cmd, stdout=PIPE, shell=True) /usr/share/python/debpython/namespace.py Line 108: process = Popen("/usr/bin/dpkg -S %s 2>/dev/null" % \ '.join(removal_candidates), shell=True, stdout=PIPE) ------ Attention : namespace.py may be called when using "apt-get -f remove". ------ This bug was not yet reported to upstream. Please do that for me. Thank you :-) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
