exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pygments FontManager._get_nix_font_path Shell Injection

Pygments FontManager._get_nix_font_path Shell Injection
Posted Oct 2, 2015
Authored by Javantea

Pygments FontManager._get_nix_font_path version 1.2.2-2.0.2 suffers from a shell injection vulnerability.

tags | advisory, shell
SHA-256 | 3397a1c355830a482e027b8cd95b6bf167ba0bb49d1180a4c3f8616aa279a2e4

Pygments FontManager._get_nix_font_path Shell Injection

Change Mirror Download
Shell Injection in Pygments FontManager._get_nix_font_path

Product: Pygments
Version: 1.2.2-2.0.2 497:fe62167596bb to 3693:655dbebddc23 Tue Nov 06 17:30:45 2007 +0000 to Aug 21, 2015.
Website: http://pygments.org/
Bitbucket: https://bitbucket.org/birkenfeld/pygments-main
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Discovery: Aug 21, 2015

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

pygments/formatters/img.py:82

def _get_nix_font_path(self, name, style):
try:
from commands import getstatusoutput
except ImportError:
from subprocess import getstatusoutput
exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
(name, style))
if not exit:
lines = out.splitlines()
if lines:
path = lines[0].strip().strip(':')
return path

https://bitbucket.org/birkenfeld/pygments-main/src/655dbebddc23943b8047b3c139c51c22ef18fd91/pygments/formatters/img.py?at=default&fileviewer=file-view-default#img.py-82

Recommendation

shlex.quote should be used to ensure that an attacker cannot inject commands.
https://docs.python.org/3/library/shlex.html#shlex.quote

A pull request has been made since the author did not respond to e-mail, Twitter, or IRC.
https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff

Regards,
Javantea


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close