Pluma Plugin "Snippets" Manager - Shell Command Injection

Bug #1466633 reported by Bernd Dietzel
Affects           Status        Importance  Assigned to  Milestone
Ubuntu MATE       Fix Released  High        Unassigned
gedit             New           Undecided   Unassigned
pluma (Ubuntu)    Fix Released  Undecided   Unassigned

Bug Description

The Plugin "Snippets" in Pluma 1.8.1 is vulnerable to Shell Commands.

If you activate the "snippet" Plugin, you can use "tools -> manage snippets" from the main menu of pluma.

Example :
========
If you import a snippet with the manager which has a filename like this:

";xterm;"#Snippets Archive.tar.gz

the Shell command ";xterm;"# will be injected and will execute the program xterm as an exploit demo.

The reason is a bug in the Importer.py Python script:
/usr/lib/x86_64-linux-gnu/pluma/plugins/snippets/Importer.py
https://github.com/mate-desktop/pluma/blob/master/plugins/snippets/snippets/Importer.py

        def import_archive(self, cmd):
                dirname = tempfile.mkdtemp()
                status = os.system('cd %s; %s "%s"' % (dirname, cmd, self.filename))

The os.system command passes the filename via "%s" to a shell and executes it.
============================================================

The "dirname" should be checked, too.

So, please do not use os.system in the Importer and Exporter Scripts,
use subprocess.Popen() with shell=False
or use quote() to work around this Bug.

Thanks :-)

---
Remark :
Because there seems to be another Bug (1357735) in pluma,
I could not enable the python snippets in Kubuntu 15.04 or Ubuntu-Mate 15.04.
So I attached a screenshot where I reproduced it in another OS called "HardenedBSD" with Mate Desktop.
----

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: pluma 1.8.1+dfsg1-2
ProcVersionSignature: Ubuntu 3.19.0-21.21-generic 3.19.8
Uname: Linux 3.19.0-21-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 18 21:24:29 2015
InstallationDate: Installed on 2015-05-15 (33 days ago)
InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: pluma
UpgradeStatus: No upgrade log present (probably fresh install)
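The fix the report asks for, as an added example that is neither the pluma code nor the attached patch: the filename is passed to subprocess.run() as one argv element with shell=False, and cwd replaces the "cd %s;" prefix so dirname is not shell-interpolated either. The tar command string and the Python stand-in used to exercise it are assumptions, not taken from Importer.py.

```python
import shlex
import subprocess
import sys
import tempfile

# Constructed sample: the filename from the report, full of shell metacharacters.
MALICIOUS_NAME = '";xterm;"#Snippets Archive.tar.gz'


def build_argv(cmd, filename):
    """Split the trusted, fixed command string into an argv list and append the
    untrusted filename as a single literal argument (no shell ever sees it)."""
    return shlex.split(cmd) + [filename]


def import_archive(cmd, filename, dirname=None):
    """Hardened replacement for os.system('cd %s; %s "%s"' % (...)).
    cwd= does the 'cd', so neither dirname nor filename is interpolated."""
    if dirname is None:
        dirname = tempfile.mkdtemp()
    argv = build_argv(cmd, filename)
    return subprocess.run(argv, cwd=dirname, shell=False,
                          capture_output=True, text=True)


def shell_command_quoted(cmd, dirname, filename):
    """The quote() workaround for code that must keep a shell string:
    every interpolated value is quoted, so ';' and '#' stay inert."""
    return 'cd %s; %s %s' % (shlex.quote(dirname), cmd, shlex.quote(filename))


def echo_command():
    """Constructed stand-in for 'tar -x --gzip -f' (hypothetical value):
    a Python one-liner that prints back the single argument it received."""
    return '%s -c "import sys; print(sys.argv[1])"' % shlex.quote(sys.executable)


if __name__ == '__main__':
    print(build_argv('tar -x --gzip -f', MALICIOUS_NAME))
    print(shell_command_quoted('tar -x --gzip -f', '/tmp/snippets', MALICIOUS_NAME))
    # The whole malicious name arrives as one argument; nothing is executed.
    print(import_archive(echo_command(), MALICIOUS_NAME).stdout, end='')
```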

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

Same problem with gedit 2.30.4 in Linux Mint 17.1 Rebecca

Watch my (German) Shell Command Injection Demo Video at timecode 10:00 min

https://www.youtube.com/watch?v=abP76r-2js0

information type: Public → Public Security
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in pluma (Ubuntu):
status: New → Incomplete
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Also, I question the security relevancy of this report. It requires quite a few actions from the user and I doubt an attacker could pull such an attack off. I'd suggest taking this issue to the upstream project but feel like it has negligible security impact.

Revision history for this message
Bernd Dietzel (l-ubuntuone1104) wrote :

I attached a patch which solves the problem.
I have tested it with gedit 3.10.4 and Ubuntu 15.10.
Should be the same in pluma.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch for gedit importer.py" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in pluma (Ubuntu):
status: Incomplete → Fix Committed
Changed in ubuntu-mate:
status: New → In Progress
Changed in ubuntu-mate:
importance: Undecided → High
Changed in ubuntu-mate:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pluma - 1.12.2-2

---------------
pluma (1.12.2-2) unstable; urgency=medium

  [ Martin Wimpress ]
  * debian/patches:
    + Add 0000_prevent_shell_code_injection.patch. Closes (LP: #1466633)

  [ Mike Gabriel ]
  * debian/control:
    + Bump Standards: to 3.9.7. No changes needed.

 -- Mike Gabriel <email address hidden> Mon, 21 Mar 2016 22:08:23 +0100

Changed in pluma (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-mate:
status: Fix Committed → Fix Released