Package: svn-workbench
Version: 1.6.8-2.1
Severity: grave
Tags: security upstream
Justification: user security hole
SYNOPSIS:

If a user is tricked into using the "Command Shell" menu item while in a
directory with a specially crafted name, svn-workbench executes arbitrary
commands with the permissions of that user.

STEPS TO REPRODUCE:

1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a project in svn-workbench
2. Check out the project
3. Navigate to "trunk/$(xeyes)"
4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

The problem is that names taken from the working copy are interpolated into
command strings that are handed to a shell via os.system().
Source/wb_shell_unix_commands.py starting at line 53 shows the pattern:

    def ShellOpen( app, project_info, filename ):
        app.log.info( T_('Open %s') % filename )
        cur_dir = os.getcwd()
        try:
            wb_platform_specific.uChdir( project_info.getWorkingDir() )
            os.system( "xdg-open '%s'" % filename )
        finally:
            wb_platform_specific.uChdir( cur_dir )

Note that the single quotes in this particular call stop "$(xeyes)" from being
substituted, but a filename containing a single quote still terminates the
quoting, and whatever follows it runs as shell syntax. The code should instead
start the subprocess in a secure way: subprocess.call() with an argument list
(not shell=True), passing cwd=project_info.getWorkingDir() instead of changing
the parent's current directory.
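The following is an added example, not code from svn-workbench or from the reporter. It puts the vulnerable interpolation pattern beside two hardened forms (an argv list with no shell, and shlex.quote() for the case where a shell command line cannot be avoided) and checks that a hostile name reaches the child process unchanged. The sample names are constructed for the demonstration; "$(xeyes)" mirrors the directory from the reproduction steps, and the child is the Python interpreter itself so the check runs anywhere.

```python
import shlex
import subprocess
import sys

# Constructed sample names (assumptions for this example).
# "$(xeyes)" mirrors the directory from the reproduction steps; the second
# name closes a single-quoted argument and appends further shell commands.
SUBST_NAME = "$(xeyes)"
BREAKOUT_NAME = "o'; xeyes; echo '"


def vulnerable_open_command(filename):
    """The pattern from the bug report: the name is pasted into one shell
    string. Returned instead of executed so it can be inspected safely.
    Single quotes stop $(...) substitution, but a name containing a single
    quote terminates the quoting and the rest is parsed as shell syntax."""
    return "xdg-open '%s'" % filename


def quoted_open_command(filename):
    """If a shell command line is unavoidable (e.g. handed to a terminal
    emulator), shlex.quote() yields a token the shell passes on unchanged."""
    return "xdg-open %s" % shlex.quote(filename)


def safe_open_argv(filename):
    """Hardened form: an argv list. No shell parses it, so every character of
    the name is literal."""
    return ["xdg-open", filename]


def shell_open(working_dir, filename):
    """Drop-in replacement for ShellOpen: no shell, and cwd= instead of
    changing the parent's current directory."""
    return subprocess.call(safe_open_argv(filename), cwd=working_dir)


def shell_words(command):
    """Split a command line the way a POSIX shell would, to count how many
    arguments the program would actually receive. shlex does not perform
    $(...) substitution, so this only shows the effect of broken quoting."""
    return shlex.split(command)


def received_argv(filename):
    """Run a child with an argv list and return the argument it received.
    Uses the Python interpreter as the child so the check works anywhere."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", filename]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for name in (SUBST_NAME, BREAKOUT_NAME):
        print("name:        %r" % name)
        print("vulnerable:  %s" % vulnerable_open_command(name))
        print("  shell sees %r" % shell_words(vulnerable_open_command(name)))
        print("quoted:      %s" % quoted_open_command(name))
        print("  shell sees %r" % shell_words(quoted_open_command(name)))
        print("argv list:   %r" % safe_open_argv(name))
        print("  child saw  %r" % received_argv(name))
```

With BREAKOUT_NAME the vulnerable string splits into five shell words (xdg-open receives "o;" and the rest becomes separate commands), while the shlex.quote() form and the argv list both deliver the name as a single, unchanged argument.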