
Debian Bug report logs - #798863
CVE-2015-0853: insecure use of os.system()


Reported by: Luke Faraone <lfaraone@debian.org>

Date: Sun, 13 Sep 2015 16:45:01 UTC

Severity: grave

Tags: security, upstream

Found in version svn-workbench/1.6.8-2.1

Fixed in version svn-workbench/1.7.0-1

Done: Hideki Yamane <henrich@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://pysvn.tigris.org/issues/show_bug.cgi?id=202



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hideki Yamane <henrich@debian.org>:
Bug#798863; Package svn-workbench. (Sun, 13 Sep 2015 16:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Luke Faraone <lfaraone@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hideki Yamane <henrich@debian.org>. (Sun, 13 Sep 2015 16:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luke Faraone <lfaraone@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-0853: insecure use of os.system()
Date: Sun, 13 Sep 2015 16:40:55 +0000
Package: svn-workbench
Version: 1.6.8-2.1
Severity: grave
Tags: security upstream
Justification: user security hole

SYNOPSIS:
        If a user was tricked into using the "Command Shell" menu item
        while in a directory with a specially-crafted name,
        svn-workbench would execute arbitrary commands with the
        permissions of the user.

STEPS TO REPRODUCE:
     1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:
        def ShellOpen( app, project_info, filename ):
            app.log.info( T_('Open %s') % filename )
            cur_dir = os.getcwd()
            try:
                wb_platform_specific.uChdir( project_info.getWorkingDir() )
                # filename is interpolated into a command line that os.system()
                # hands to /bin/sh, so the shell parses whatever the name contains
                os.system( "xdg-open '%s'" % filename )
            finally:
                wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
using subprocess.call().



Set Bug forwarded-to-address to 'http://pysvn.tigris.org/issues/show_bug.cgi?id=202'. Request was from Luke Faraone <lfaraone@debian.org> to control@bugs.debian.org. (Sun, 13 Sep 2015 16:51:12 GMT) (full text, mbox, link).


Reply sent to Hideki Yamane <henrich@debian.org>:
You have taken responsibility. (Wed, 11 Nov 2015 11:45:24 GMT) (full text, mbox, link).


Notification sent to Luke Faraone <lfaraone@debian.org>:
Bug acknowledged by developer. (Wed, 11 Nov 2015 11:45:24 GMT) (full text, mbox, link).


Message #12 received at 798863-close@bugs.debian.org (full text, mbox, reply):

From: Hideki Yamane <henrich@debian.org>
To: 798863-close@bugs.debian.org
Subject: Bug#798863: fixed in svn-workbench 1.7.0-1
Date: Wed, 11 Nov 2015 11:21:01 +0000
Source: svn-workbench
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
svn-workbench, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated svn-workbench package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Nov 2015 20:10:08 +0900
Source: svn-workbench
Binary: svn-workbench
Architecture: source all
Version: 1.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Hideki Yamane <henrich@debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description:
 svn-workbench - Workbench for Subversion
Closes: 798863
Changes:
 svn-workbench (1.7.0-1) unstable; urgency=medium
 .
   * New upstream release
     - include fix for CVE-2015-0853: insecure use of os.system()
       (Closes: #798863)
   * debian/patches
     - drop: unnecessary force_wx2.8.patch, since upstream explicitly chose 2.8
       and 3.0, specifying minimum version 2.8 is not enough.
     - refresh patches
   * debian/rules
     - just ignore configure
     - remove unnecessary --with python2





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:00:14 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:24:34 2019; Machine Name: beach
