tunapie using os.system on unsanitized strings retrieved from Internet
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tunapie (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: tunapie
While trying out tunapie (which is written in Python), I noticed an error message from the shell (I believe) mentioning something about mismatched quotes. I didn't save the message, unfortunately, but it did inspire me to look a bit at the source.
It appears that os.system is being called on (unsanitized) strings, parts of which are retrieved from web sites. The risk may be somewhat mitigated by the fact that only apparently a couple of well-know sites are hit (not sure about this), but still this seems like an excessive risk.
An initial improvement would be to rewrite the code without os.system, preferably using Python 2.4's new subprocess module (with shell=False) instead. The calls to os.spawnv might also be a problem--I'm not sure. (I'm not that crazy about the 'rm -fr' either.)
Description: Ubuntu jaunty (development branch)
Release: 9.04
tunapie:
Installed: 2.1.13-1
Candidate: 2.1.13-1
Version table:
*** 2.1.13-1 0
500 http://
100 /var/lib/
| Changed in tunapie (Ubuntu): | |
| status: | New → Confirmed |
| Kees Cook (kees) wrote | #1 |
| Changed in tunapie (Ubuntu): | |
| status: | Confirmed → Triaged |
| visibility: | private → public |
| Changed in tunapie (Ubuntu): | |
| status: | Triaged → Fix Released |
CVE-2009-1253 - insecure temp files
CVE-2009-1254 - os.system()