Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1442162859.9920.11.camel@debian.org>
Date: Sun, 13 Sep 2015 16:47:39 +0000
From: Luke Faraone <lfaraone@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-0853: insecure use of os.system() in svn-workbench

Hello,

I discovered that, in the SVN GUI application "svn-workbench", if a user
was tricked into using the "Command Shell" menu item while in a
directory with a specially-crafted name, svn-workbench would execute
arbitrary commands with the permissions of the user.

STEPS TO REPRODUCE:
     1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:
        def ShellOpen( app, project_info, filename ):
            app.log.info( T_('Open %s') % filename )
            cur_dir = os.getcwd()
            try:

        wb_platform_specific.uChdir( project_info.getWorkingDir() )
                os.system( "xdg-open '%s'" % filename )
            finally:
                wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
using subprocess.call().

CVE-2015-0853 has been assigned for this issue. 

This issue affects at least version 1.6.2 (older versions may be
affected) through the current latest version of svn-workbench at time of
writing.

Upstream bug: http://pysvn.tigris.org/issues/show_bug.cgi?id=202
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798863
Ubuntu bug: https://launchpad.net/bugs/1495268

Regards,
Luke Faraone

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.