Bug 464510 - gjots2 uses un-escaped gpg pass-phrase in shell command(s)
Summary: gjots2 uses un-escaped gpg pass-phrase in shell command(s)
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: gjots2
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Radek Vokál
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-29 13:57 UTC by Steven Bakker
Modified: 2009-01-15 03:06 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-07 12:50:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Steven Bakker 2008-09-29 13:57:13 UTC
Description of problem:

When trying to open a gpg encrypted file with gjots2, the program asks for a passphrase and subsequently uses the (unescaped) answer in a popen() command line:

   f = os.popen("echo " + self.gui.password + " | gpg ...");

(lines 310 and 313 of lib/file.py)

This can cause errors from the shell if the actual pass-phrase contains shell meta-characters and can lead to unintentional side-effects.

Version-Release number of selected component (if applicable):

How reproducible:

Always.

Steps to Reproduce:
1. Use gjots2 to open a gpg encrypted file.
2. In the password dialog, enter: ;touch /tmp/U-R-HACKED;echo

Actual results:

There is now a file U-R-HACKED in /tmp.

Expected results:

No side effects.

Additional info:

This is in lib/file.py in the source distribution around lines 310 and 313. I don't know enough Python to suggest a good fix for this.

It's probably not so much a security issue as a possibly nasty bug. If my password contains a single quote, or a "$", or any other shell meta-character, I will not be able to decrypt my file.

No idea if this has been fixed in 2.3.7 (which is the latest version).

Comment 1 Bob Hepple 2008-11-07 08:03:28 UTC
fixed in 2.3.8

Comment 2 Fedora Update System 2009-01-09 09:56:26 UTC
gjots2-2.3.8-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/gjots2-2.3.8-1.fc10

Comment 3 Fedora Update System 2009-01-15 03:06:51 UTC
gjots2-2.3.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.