Bug 464510 - gjots2 uses un-escaped gpg pass-phrase in shell command(s)
gjots2 uses un-escaped gpg pass-phrase in shell command(s)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: gjots2 (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Radek Vokal
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-29 09:57 EDT by Steven Bakker
Modified: 2009-01-14 22:06 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-07 07:50:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steven Bakker 2008-09-29 09:57:13 EDT
Description of problem:

When trying to open a gpg encrypted file with gjots2, the program asks for a passphrase and subsequently uses the (unescaped) answer in a popen() command line:

   f = os.popen("echo " + self.gui.password + " | gpg ...");

(lines 310 and 313 of lib/file.py)

This can cause errors from the shell if the actual pass-phrase contains shell meta-characters and can lead to unintentional side-effects.

Version-Release number of selected component (if applicable):

How reproducible:

Always.

Steps to Reproduce:
1. Use gjots2 to open a gpg encrypted file.
2. In the password dialog, enter: ;touch /tmp/U-R-HACKED;echo

Actual results:

There is now a file U-R-HACKED in /tmp.

Expected results:

No side effects.

Additional info:

This is in lib/file.py in the source distribution around lines 310 and 313. I don't know enough Python to suggest a good fix for this.

It's probably not so much a security issue as a possibly nasty bug. If my password contains a single quote, or a "$", or any other shell meta-character, I will not be able to decrypt my file.

No idea if this has been fixed in 2.3.7 (which is the latest version).
Comment 1 Bob Hepple 2008-11-07 03:03:28 EST
fixed in 2.3.8
Comment 2 Fedora Update System 2009-01-09 04:56:26 EST
gjots2-2.3.8-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/gjots2-2.3.8-1.fc10
Comment 3 Fedora Update System 2009-01-14 22:06:51 EST
gjots2-2.3.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.