[Python-apps-team] Bug#731582: canto: command line injection in urls inside feeds

the_walrus_88 at manlymail.net the_walrus_88 at manlymail.net
Sat Dec 7 02:02:06 UTC 2013


Package: canto
Version: 0.7.10-4
Severity: important
Tags: security

Dear Maintainer,

I have just found a command line injection security vuln in
canto. The program fetches feeds from configured sites, and the
feeds contain URLs that people may want to visit. If a user
starts canto and chooses to go to one URL from one feed, canto
constructs a sh command line to visit the URL, but it doesn't
remove metachars. Therefore a malicious feed (owner turned bad,
man-in-the-middle attack if fetched with http) can put in bad
data in all link and guid elements of the feed and use this to
hack the user when they visit some of the URLs. Not good. See my
conf.py and evil.rss files for an example. Sorry for my English!

Regards,
the_walrus_88

-- System Information:
Debian Release: 7.2
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages canto depends on:
ii  libc6              2.13-38
ii  libncursesw5       5.9-10
ii  libtinfo5          5.9-10
ii  python             2.7.3-4+deb7u1
ii  python-chardet     2.0.1-2
ii  python-feedparser  5.1.2-1
ii  python2.7          2.7.3-6

canto recommends no packages.

canto suggests no packages.

-- no debconf information



-------------- next part --------------
A non-text attachment was scrubbed...
Name: evil.rss
Type: application/rss+xml
Size: 1526 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20131206/7bc8fcce/attachment.bin>
-------------- next part --------------
add("http://localhost/evil.rss")
link_handler("elinks \"%u\"", text=True)
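The handler template above, `elinks "%u"`, is what makes the report concrete: canto substitutes the feed's link text for `%u` and hands the resulting string to sh, so a `"` inside the link closes the template's quotes and whatever follows is parsed as shell syntax. The script below is an added illustration (not canto's code and not the evil.rss attachment), written in Python 3 rather than the Python 2.7 on the reporter's system. It shows the vulnerable string-substitution pattern beside the hardened approach of parsing the template once with `shlex.split` and passing the URL as a single argv element with `shell=False`, plus a link-acceptance check that a reader could apply before any handler is launched; the sample links, `build_argv`, `feed_link_is_acceptable`, `open_link` and the acceptance policy are all constructed here.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed sample links standing in for what a feed's <link>/<guid> element
# could carry (illustrative only; not the contents of the evil.rss attachment).
GOOD_LINK = "http://example.invalid/articles/42?ref=feed"
HOSTILE_LINK = 'http://example.invalid/x"; echo injected; "'

# Same handler template as the reporter's conf.py.
TEMPLATE = 'elinks "%u"'


def build_command_line_unsafe(template, url):
    """The pattern the report describes: textual %u substitution into a string
    that is then handed to sh.  Once the URL contains a double quote, the
    template's own quoting is closed early and the rest of the URL becomes
    shell syntax.  Shown only to contrast with build_argv below."""
    return template.replace("%u", url)


def build_argv(template, url):
    """Hardened form: parse the template ONCE with shell quoting rules, then
    substitute the URL into the resulting argument vector.  The URL text never
    reaches a shell parser, so it cannot add operators or extra words."""
    if "%u" not in template:
        raise ValueError("handler template must contain %u")
    argv = shlex.split(template)  # 'elinks "%u"' -> ['elinks', '%u']
    return [arg.replace("%u", url) for arg in argv]


def feed_link_is_acceptable(url):
    """Defensive sanity check applied before a feed link is handed to any
    handler (an assumed policy, not canto's): absolute http/https URL with a
    host, and no whitespace, control characters or quote/backslash characters."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(c.isspace() or ord(c) < 0x20 or c in "\"'`\\" for c in url)


def open_link(template, url, runner=subprocess.call):
    """Launch the handler without a shell (argv list, shell=False).  `runner`
    is injectable so the behaviour can be checked without starting a browser."""
    if not feed_link_is_acceptable(url):
        raise ValueError("refusing to open suspicious feed link: %r" % url)
    return runner(build_argv(template, url))


if __name__ == "__main__":
    print("unsafe sh line:", build_command_line_unsafe(TEMPLATE, HOSTILE_LINK))
    print("safe argv:     ", build_argv(TEMPLATE, HOSTILE_LINK))
    for link in (GOOD_LINK, HOSTILE_LINK):
        verdict = "accept" if feed_link_is_acceptable(link) else "reject"
        print(link, "->", verdict)
```

Note that quoting the substituted value with `shlex.quote` is not a fix here: the template already wraps `%u` in double quotes, so a single-quoted value containing `"` would still break out. Parsing the template before substitution, and never going through sh at all, is what removes the injection.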

