Skip to content

385ahmet/pardus-security-vulnerability

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PARDUS Security Audit — 58 Repository Vulnerability Database

Bu repository, Pardus GNU/Linux işletim sistemine ait 58 GitHub reposunun tam güvenlik denetimini içerir. Amaç, açık kaynak bir dağıtımın kod tabanındaki potansiyel güvenlik açıklarını tespit etmek ve sorumlu ifşa (responsible disclosure) yoluyla bildirmektir.


Kurulum & Çalıştırma

Bağımlılıklar (Dependencies)

# Python 3.8+ (sistemde zaten var)
# pyotp — TOTP hesaplama için (OPSİYONEL, yoksa manuel hesaplar)
#   Pardus/Debian: sudo apt install python3-pyotp
#   pip ile (sistem paketlerini bozmaz): pip install --user pyotp
#   Sanal ortam: python3 -m venv venv && source venv/bin/activate && pip install pyotp

İndirme

git clone https://github.com/385ahmet/pardus-security-vulnerability.git
cd pardus-security-vulnerability

Scanner'ı Tek Başına Çalıştırma

python3 scanner.py --path /hedef/dizin    # Belirtilen dizini tara
python3 scanner.py                        # Varsayılan: repos/ dizinini tara

PoC Testlerini Çalıştırma

python3 test_all.py        # 11 güvenlik açığı PoC'si
python3 test_priv_esc.py   # 8 yetki yükseltme PoC'si

Önemli Uyarı

Bu araçlar etik hacking amaçlıdır. Sadece kendi sisteminizde veya izin aldığınız sistemlerde kullanın. Bulgular sorumlu ifşa ile Pardus geliştiricilerine bildirilmiştir.


Kapsam (Scope)

Pardus GitHub organizasyonundaki (https://github.com/Pardus-Linux-Developers) tüm repo'lar tarandı:

Kategori Adet
Uygulama (Python/GTK) ~30
Tema & İkon paketleri ~12
Sistem araçları (C/C++) ~6
Web sitesi & dökümantasyon ~4
Kernel modülleri ~2
Diğer ~4
Toplam 58

Metodoloji

Her repo için geliştirilen scanner.py aracıyla 23 farklı güvenlik kategorisinde statik analiz yapıldı:

  • Command Injection: os.system(), subprocess (shell=True), os.popen() ile değişken interpolasyonu
  • Privilege Escalation: Polkit policy'leri (auth_admin_keep, allow_active=yes), pkexec kullanımı
  • Deserialization: pickle.load() (RCE riski)
  • Path Traversal: open() ile concat edilmiş yollar
  • Buffer Overflow: strcpy(), strcat() C fonksiyonları
  • TOCTOU: Time-of-check time-of-use yarış koşulları
  • Hardcoded Credentials: Açık metin şifre/kimlik bilgileri
  • XSS/Markup Injection: GTK set_markup() ile kullanıcı girdisi
  • Weak RNG: rand(), random modülü
  • Namespace Pollution: Wildcard import (from x import *)

Analiz edilen dosya türleri: .py, .sh, .c, .cpp, .js, .policy, .conf, .desktop, .xml, .ui, .glade, .json, .yml, .yaml, .toml, .ini, .cfg, .rules, .service, .socket, .timer, .pc, .prl, .pro, .qml, .java, .vala, .rb, .php

Tüm bulgular elle doğrulanmış, yanlış pozitifler (false positive) elenmiştir.


Özet (Summary)

Severity Count Açıklama
Critical 1 Uzaktan kod çalıştırma (pickle deserialization)
High 85 Yetki yükseltme, komut enjeksiyonu, buffer overflow
Medium 229 Markup injection, namespace pollution, weak RNG
Total 315

En Çok Bulgu İçeren Repo'lar

Repo Findings Açıklama
pardus-software 93 Paket yöneticisi — çoğunlukla set_markup
pardus-installer 36 Sistem kurucusu — os.system injection
pardus-update 30 Güncelleme yöneticisi — set_markup
pardus-mycomputer 19 Dosya yöneticisi — path traversal
pardus-package-installer 19 Paket kurucusu — set_markup
pardus-power-manager-advanced 18 Güç yönetimi — wildcard imports
pardus-lightdm-greeter 14 Giriş ekranı — hardcoded credential
pardus-daily-wallpaper 12 Duvar kağıdı — JS template injection
pardus-pen-old 9 Ekran görüntüsü — buffer overflow
pardus-nvidia-installer 6 Nvidia kurucusu — auth_admin_keep

Bulgu Türlerine Göre Dağılım

Type Count Risk
GTK set_markup with user input risk 191 Medium (XSS benzeri)
wildcard import - namespace pollution 33 Medium
os.system with variable interpolation 14 High
auth_admin_keep policy 13 High
Possible hardcoded credential 11 High
open with concat - path traversal risk 8 High
subprocess.run with shell=True 8 High
template literal with variables (JS) 7 Medium
pkexec usage - check argument validation 6 Medium
strcat - buffer overflow 6 High
subprocess.Popen with shell=True 5 High
subprocess.run with shell concat 3 High
strcpy - buffer overflow 3 High
random module (not cryptographically secure) 3 Medium
pickle.load() deserialization 1 Critical
os.popen with variable interpolation 1 High
TOCTOU: exists then open 1 High
Weak random number generation (C) 1 Medium

Öne Çıkan Kritik Bulgular

🔴 Critical: Pickle Deserialization RCE

  • Repo: eta-otp-lock
  • Dosya: src/MainWindow.py:98
  • Etki: pickle.load() ile saldırgan kontrolündeki dosyadan okuma → uzaktan kod çalıştırma
  • PoC: test_all.py

🔴 High: 5 Adet Passwordsüz Yetki Yükseltme

Aşağıdaki polkit politikaları <allow_active>yes</allow_active> içerir — hiçbir şifre gerektirmez:

Paket Action Çalıştırılan
pardus-software AutoAptUpdate apt update root yetkisiyle
pardus-update apt-update apt update root yetkisiyle
pardus-update settings-write Root dosya yazma
pardus-about system-info ACPI/system komutları
pardus-power-manager-old ppm Tam root GUI

🔴 High: 11 Privilege Escalation Path

Detaylı liste için Privilege Escalation bölümüne bakın.


Tüm Bulgular (Detaylı Liste)


ALL FINDINGS BY REPO

eta-cinnamon-greeter (1 findings)

Medium

# File Line Type Match Context
1 src/utils.py 28 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) def show(self):

eta-menu (2 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 228 GTK set_markup with user input risk set_markup( user_real_name = username self.ui_username_label.set_markup("{}".format(user_real_na
2 src/Utils.py 131 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) def show(self):

eta-otp-lock (4 findings)

Critical

# File Line Type Match Context
1 src/MainWindow.py 98 pickle.load() deserialization pickle.load( with open(filename, "rb") as f: data = pickle.load(f) if dat

High

# File Line Type Match Context
1 pam/pam_otp.py 32 Possible hardcoded credential Password: ")) pamh.authtok = conv.resp except: r = pamh.conversation(pamh.message(pamh.pam_prompt_echo_off, "password: ")) pamh.authtok =
2 src/actions.py 27 Possible hardcoded credential secret="JBSWY3DPEHPK3PXP return line.split(":")[0] return none def save(user, secret="jbswy3dpehpk3pxp"): config[use

Medium

# File Line Type Match Context
1 src/MainWindow.py 7 random module (not cryptographically secure) import random gi import sys import os import threading import subprocess import random import base64 import pyotp

eta-qr-reader (1 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 249 GTK set_markup with user input risk set_markup( self.dialog.response(gtk.responsetype.ok) label.set_markup(formatted_message) label

libpardus (2 findings)

High

# File Line Type Match Context
1 libpardus/bin/process/command.py 4 subprocess.Popen with shell=True subprocess.Popen(command, shell=True import subprocess def shell_exec(command): return subprocess.popen(command, shell=true, stdout=

Medium

# File Line Type Match Context
1 libpardus/bin/Ptk/Label.py 32 GTK set_markup with user input risk set_markup( de[ellipsize]) if len(markup) > 0: self.set_markup(markup) self.set_xali

pardus-about (1 findings)

High

# File Line Type Match Context
1 polkit/tr.org.pardus.pkexec.pardus-about.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

pardus-boot-repair (1 findings)

Medium

# File Line Type Match Context
1 src/Main.py 769 TOCTOU: exists then open os.path.exists('/sys/block/{}/removable'.format(block)) and open ', 'zram', 'fd')): continue if os.path.exists('/sys/block/{}/removable'

pardus-daily-wallpaper (12 findings)

High

# File Line Type Match Context
1 [email protected]/infoDialog.js 114 template literal with variables (JS) ``© ${metadata.copyright}` t copyrightlabel = new st.label({ text: © ${metadata.copyright},
2 [email protected]/prefs.js 93 template literal with variables (JS) ``${this._metadata.title || _('Untitled')}` const titlelabel = new gtk.label({ label: `${this._metadata.title || _('untitled')}</
3 [email protected]/prefs.js 151 template literal with variables (JS) ``© ${this._metadata.copyright}` nst copyrightlabel = new gtk.label({ label: © ${this._metadata.copyright},
4 [email protected]/prefs.js 227 template literal with variables (JS) ``[Prefs] Error loading metadata for ${sourceId}` e(contents)); } catch (e) { logerror(e, `[prefs] error loading metadata for ${so
5 [email protected]/prefs.js 281 template literal with variables (JS) ``${_('Overall Progress')}` rogress const overalllabel = new gtk.label({ label: <b>${_('overall progress')}</b>, use_m
6 [email protected]/prefs.js 596 template literal with variables (JS) ``Failed to parse or compare dates: ${nameA}` tea); } catch (e) { logerror(e, `failed to parse or compare dates: ${nam
7 [email protected]/settings.js 150 template literal with variables (JS) ``changed::${key}` ll; } return this._settings.connect(changed::${key}, callback); }

Medium

# File Line Type Match Context
1 [email protected]/extension.js 19 wildcard import - namespace pollution from 'resource:///org/gnome/shell/extensions/extension.js'; import * r: gpl-3.0-or-later */ import { extension, gettext as _ } from 'resource:///org/gnome/shell/extens
2 [email protected]/indicator.js 13 wildcard import - namespace pollution from 'gi://Graphene'; import * bject'; import clutter from 'gi://clutter'; import graphene from 'gi://graphene'; import * as popupm
3 [email protected]/indicator.js 14 wildcard import - namespace pollution from 'resource:///org/gnome/shell/ui/popupMenu.js'; import * import graphene from 'gi://graphene'; import * as popupmenu from 'resource:///org/gnome/shell/ui/pop
4 [email protected]/infoDialog.js 12 wildcard import - namespace pollution from 'gi://Clutter'; import * om 'gi://gio'; import glib from 'gi://glib'; import clutter from 'gi://clutter'; import * as modald
5 [email protected]/worker.js 9 wildcard import - namespace pollution from 'gi://Gio'; import * -3.0-or-later */ import glib from 'gi://glib'; import gio from 'gi://gio'; import * as main from '

pardus-domain-joiner (4 findings)

High

# File Line Type Match Context
1 src/MainWindow.py 577 pkexec usage - check argument validation pkexec d atus == 32512 or status == 126: # cancelled pkexec dialog self.main_

Medium

# File Line Type Match Context
1 src/MainWindow.py 263 GTK set_markup with user input risk set_markup( _escape_text(self.last_step_logs.strip()) label.set_markup(safe_logs) scrol
2 src/MainWindow.py 307 GTK set_markup with user input risk set_markup( an>' self.last_step_logs += msg + "\n" lbl.set_markup("{}\n{}".format(lbl.get_label
3 src/MainWindow.py 527 GTK set_markup with user input risk set_markup( e lbl = self.joining_log_label lbl.set_markup(lbl.get_label() + line + "\n"

pardus-font-manager (6 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 572 GTK set_markup with user input risk set_markup( le}">{lorem_ipsum_text}' self.charmaps_label.set_markup(formatted_lorem_ipsum)
2 src/MainWindow.py 587 GTK set_markup with user input risk set_markup( size in range(8, 49) ) self.charmaps_label.set_markup(waterfall_text) def on_
3 src/MainWindow.py 715 GTK set_markup with user input risk set_markup( _visible_child_name("error") self.bottom_info_label.set_markup("{}"
4 src/MainWindow.py 803 GTK set_markup with user input risk set_markup( _visible_child_name("error") self.bottom_info_label.set_markup( "<span color='gr
5 src/add_font.py 182 GTK set_markup with user input risk set_markup( ont_names_str, "" ) self.bottom_info_label.set_markup( "<span color='gr
6 src/add_font.py 190 GTK set_markup with user input risk set_markup( t_names_str, error ) self.bottom_info_label.set_markup( "<span color='re

pardus-hotspot (5 findings)

High

# File Line Type Match Context
1 data/tr.org.pardus.pkexec.pardus-hotspot.policy 15 auth_admin_keep policy auth_admin_keep ctive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> <
2 data/tr.org.pardus.pkexec.pardus-hotspot.policy 27 auth_admin_keep policy auth_admin_keep ctive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> <
3 src/MainWindow.py 886 pkexec usage - check argument validation pkexec t etdev_button_clicked(self, button): """ run pkexec to add the current user to the ne
4 src/hotspot.py 417 pkexec usage - check argument validation pkexec d # use forwarding_configured flag to prevent repeated pkexec dialogs # after sleep/wake, scre
5 src/hotspot.py 426 pkexec usage - check argument validation pkexec r logger.warning("user cancelled or forwarding config failed (pkexec rc=%d)", res.returncode)

pardus-idevice-mounter (4 findings)

Medium

# File Line Type Match Context
1 src/main_window.py 197 GTK set_markup with user input risk set_markup( el="●") if device.is_trusted: dot_label.set_markup('●</
2 src/main_window.py 199 GTK set_markup with user input risk set_markup( ound="green">●') else: dot_label.set_markup('●</sp
3 src/main_window.py 211 GTK set_markup with user input risk set_markup( .model or f'{("device")}{device.udid}' name_label.set_markup(f'<span weight="bold" size="l
4 src/main_window.py 225 GTK set_markup with user input risk set_markup( len(device.udid) > 8 else device.udid status_label.set_markup(f'{trust_

pardus-image-writer (2 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 370 GTK set_markup with user input risk set_markup( # ask if it is ok? self.lbl_prewrite_filename.set_markup( "- {}".format(s
2 src/MainWindow.py 373 GTK set_markup with user input risk set_markup( th.split("/")[-1]) ) self.lbl_prewrite_disk.set_markup( "- {} [ {} ]<

pardus-installer (36 findings)

High

# File Line Type Match Context
1 data/live-installer.sh 3 pkexec usage - check argument validation pkexec / #!/usr/bin/env bash if ! [ $uid -eq 0 ] ; then exec pkexec /usr/bin/live-installer "$@" fi exec
2 live-installer/frontend/gtk_interface.py 509 os.system with variable interpolation os.system('umount -f ' + key=lambda disk: disk != preferred)) os.system('umount -f ' + disks) def update_part
3 live-installer/frontend/gtk_interface.py 589 Possible hardcoded credential password:")) self.builder.get_object( _object("label_password").set_text( _("choose a password:")) self.builder.get_ob
4 live-installer/frontend/gtk_interface.py 591 Possible hardcoded credential password:")) self.builder.get_object( ject("label_confirm").set_text( _("confirm your password:")) self.builder.get_o
5 live-installer/frontend/gtk_interface.py 1104 os.system with variable interpolation os.system("mount -t btrfs % ut("mktemp -d").decode("utf-8").strip() os.system("mount -t btrfs %s %s" %
6 live-installer/frontend/gtk_interface.py 1106 os.system with variable interpolation os.system("btrfs subvolume delete % (subvolume.parent.path, mount_point)) os.system("btrfs subvolume delete %s/%s" %
7 live-installer/frontend/gtk_interface.py 1108 os.system with variable interpolation os.system("umount --force % (mount_point, subvolume.name)) os.system("umount --force %s" % mount_point)
8 live-installer/frontend/gtk_interface.py 1192 os.system with variable interpolation os.system('setxkbmap -model ' + self.setup.keyboard_model) = model[active] os.system('setxkbmap -model ' + self.setup.keyboa
9 live-installer/frontend/gtk_interface.py 1590 Possible hardcoded credential Password: ") + bold(str(_pass1)),)) else: model.appe model.append( top, (_("password: ") + bold(str(_pass1)),)) else:
10 live-installer/frontend/gtk_interface.py 1593 Possible hardcoded credential Password: ") + bold(len(str(_pass1)) * model.append( top, (_("password: ") + bold(len(str(_pass1)) * "*"),))
11 live-installer/frontend/partitioning.py 112 os.system with variable interpolation os.system("mount % rtition.type != "btrfs": return [] try: os.system("mount %s %s" % (partition.pat
12 live-installer/frontend/partitioning.py 115 os.system with variable interpolation os.system("umount % tmp_mountpoint).decode("utf-8").strip().split("\n") os.system("umount %s" % tmp_mountpoint)
13 live-installer/frontend/partitioning.py 425 os.popen with variable interpolation os.popen('mkdir -p ' + [] installer.setup.partition_setup = self os.popen('mkdir -p ' + tmp_mountpoint)
14 live-installer/frontend/partitioning.py 425 open with concat - path traversal risk open('mkdir -p ' + installer.setup.partition_setup = self os.popen('mkdir -p ' + tmp_mountpoint) self.
15 live-installer/frontend/partitioning.py 536 os.system with variable interpolation os.system("parted -s % pen(device.path, "w").write("\x00" * 512) return_code = os.system("parted -s %s mklabel %s" %
16 live-installer/frontend/partitioning.py 765 os.system with variable interpolation os.system('umount ' + (self.path, detail)) while 0 == os.system('umount ' + tmp_mountpoint): true # du
17 live-installer/installer.py 944 subprocess.Popen with shell=True subprocess.Popen(command, shell=True for command in config.get(hook, []): cmd = subprocess.popen(command, shell=true, stdout=
18 live-installer/installer.py 981 os.system with variable interpolation os.system("umount -lf % , mountpoint): ''' unmount a filesystem ''' os.system("umount -lf %s" % mountpoint)
19 live-installer/utils.py 82 os.system with variable interpolation os.system("which "+ ): return os.getuid() == 0 def is_cmd(cmd): return os.system("which "+cmd) == 0 def run(cm
20 live-installer/utils.py 116 subprocess.Popen with shell=True subprocess.Popen(command, shell=True (os.path.join(*args)) def shell_exec(command): return subprocess.popen(command, shell=true, st
21 live-installer/utils.py 125 os.system with variable interpolation os.system("chroot /target/ /bin/bash -c \"% command = str(command).replace('"', "'").strip() return os.system("chroot /target/ /bin/bash -c

Medium

# File Line Type Match Context
1 live-installer/frontend/init.py 7 wildcard import - namespace pollution from utils import * ort gettext import config import time import math import re from utils import * import gi gi.require
2 live-installer/frontend/dialogs.py 2 wildcard import - namespace pollution from frontend import * from frontend import * class dialog(gtk.messagedialog): def init(self, s
3 live-installer/frontend/gtk_interface.py 10 wildcard import - namespace pollution from utils import * import threading import time import parted import validate from utils import * from frontend import
4 live-installer/frontend/gtk_interface.py 11 wildcard import - namespace pollution from frontend import * port time import parted import validate from utils import * from frontend import * from frontend.dia
5 live-installer/frontend/gtk_interface.py 1419 GTK set_markup with user input risk set_markup( x].help_text) self.builder.get_object("help_label").set_markup( "%s<
6 live-installer/frontend/partitioning.py 4 wildcard import - namespace pollution from frontend import * # coding: utf-8 # import parted from frontend import * gettext.install("live-installer", "/usr/shar
7 live-installer/frontend/partitioning.py 796 GTK set_markup with user input risk set_markup( ition")) self.builder.get_object("label_partition").set_markup( "%s" % _(
8 live-installer/frontend/partitioning.py 799 GTK set_markup with user input risk set_markup( label(path) self.builder.get_object("label_use_as").set_markup(_("format as:")) self
9 live-installer/frontend/partitioning.py 801 GTK set_markup with user input risk set_markup( self.builder.get_object( "label_mount_point").set_markup(_("mount point:")) self
10 live-installer/frontend/partitioning.py 885 GTK set_markup with user input risk set_markup( le) self.builder.get_object("label_subvolume_name").set_markup( "%s" % _(
11 live-installer/frontend/partitioning.py 888 GTK set_markup with user input risk set_markup( builder.get_object( "label_subvol_mount_point").set_markup(_("mount point:")) se
12 live-installer/frontend/timezones.py 3 wildcard import - namespace pollution from frontend import * # coding: utf-8 from frontend import * from subprocess import getoutput from collections import de
13 live-installer/frontend/welcome.py 2 wildcard import - namespace pollution from frontend import * from frontend.gtk_interface import installerwindow from frontend import * gettext.install("live-ins
14 live-installer/main.py 4 wildcard import - namespace pollution from utils import * #!/usr/bin/python3 import sys import traceback from utils import * from frontend import * from front
15 live-installer/main.py 5 wildcard import - namespace pollution from frontend import * bin/python3 import sys import traceback from utils import * from frontend import * from frontend.dia

pardus-java-installer (1 findings)

High

# File Line Type Match Context
1 polkit/tr.org.pardus.pkexec.pardus-java-installer.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

pardus-lib-xfce (4 findings)

High

# File Line Type Match Context
1 src/DatetimeManager.py 55 subprocess.run with shell=True subprocess.run("xfce4-panel -q", shell=True (lines) def save_file(): global config_file_data subprocess.run("xfce4-panel -q", shell=t
2 src/DatetimeManager.py 62 subprocess.run with shell=True subprocess.run("xfce4-panel &", shell=True th, "w") as file: file.write(config_file_data) subprocess.run("xfce4-panel &", shell=tr
3 src/LocaleManager.py 79 subprocess.run with shell=True subprocess.run(f"localectl set-locale LANG={lc}", shell=True like this: "tr_tr.utf-8" lc = locale.split(" ")[0] subprocess.run(f"localectl set-locale lan
4 src/LocaleManager.py 81 subprocess.run with shell=True subprocess.run(f"localectl set-locale LC_CTYPE=en_US.UTF-8", shell=True cale lang={lc}", shell=true) # force lc_ctype to en subprocess.run(f"localectl set-locale lc

pardus-lightdm-greeter (14 findings)

High

# File Line Type Match Context
1 pardus-lightdm-greeter.sh 10 open with concat - path traversal risk open(os.environ["HOME"]+ , "3.0") from gi.repository import gtk w = gtk.window() txt=open(os.environ["home"]+"/pardus-lightdm
2 src/module/gtkwindow.py 121 os.system with variable interpolation os.system(get("screen-keyboard", "onboard", "keyboard")+ nt, data): if get("touch-mode", false): os.system(get("screen-keyboard", "onboar
3 src/module/gtkwindow.py 496 subprocess.Popen with shell=True subprocess.Popen(wm, stdout=subprocess.PIPE, shell=True manager") if len(wm) > 0: self.wm_pid = subprocess.popen(wm, stdout=subprocess.p
4 src/module/keyboard.py 85 os.system with variable interpolation os.system(get("screen-keyboard", "onboard", "keyboard")+ numlock_capslock) def _screen_keyboard_event(widget): os.system(get("screen-keyboard", "onboar
5 src/module/lightdm.py 27 Possible hardcoded credential password:", # messages self.__reset_messages = ["current password:", "n
6 src/module/lightdm.py 28 Possible hardcoded credential password:"] self.__prompt_messages = [ "new password:", "retype new password:"] self.__prompt_messages = ["password:"] # li
7 src/module/lightdm.py 29 Possible hardcoded credential Password:"] # lists self.__ulist = None self.__slist = N "retype new password:"] self.__prompt_messages = ["password:"] # lists self.
8 src/module/lightdm.py 142 Possible hardcoded credential password:": response = self.__password elif text.str from prompt message if text.strip() == "current password:": response = s
9 src/module/lightdm.py 144 Possible hardcoded credential Password:": response = self.__password else: esponse = self.__password elif text.strip() == "password:": response = s

Medium

# File Line Type Match Context
1 src/main.py 6 wildcard import - namespace pollution from util import * /python3 import os import sys import time import subprocess from util import * import traceback im
2 src/wifi/widget.py 161 GTK set_markup with user input risk set_markup( twork-wireless-signal-weak-symbolic", 0) self.ssid.set_markup( _("ssid:
3 src/wifi/widget.py 163 GTK set_markup with user input risk set_markup( format(self.wifi_item.wifi_obj.ssid)) self.security.set_markup( _("security:<
4 src/wifi/widget.py 165 GTK set_markup with user input risk set_markup( rmat(self.wifi_item.wifi_obj.security)) self.signal.set_markup( _("signal:</b
5 src/wifi/widget.py 262 GTK set_markup with user input risk set_markup( olic", 0) self.ssid = gtk.label() self.ssid.set_markup("{}".format(self.wifi_

pardus-lightdm-greeter-settings (3 findings)

High

# File Line Type Match Context
1 src/MainWindow.py 106 subprocess.run with shell concat subprocess.run(["pkexec", APPDIR+ htdm"].get_value( "autologin-user") subprocess.run(["pkexec", appdir+"/savec
2 src/data/tr.org.pardus.lightdm-greeter-settings.policy 14 auth_admin_keep policy auth_admin_keep _inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </d

Medium

# File Line Type Match Context
1 src/MainWindow.py 2 wildcard import - namespace pollution from widget import * import subprocess from widget import * import os import gi gi.require_version("gtk", "3.0") from

pardus-mycomputer (19 findings)

High

# File Line Type Match Context
1 src/DiskManager.py 120 subprocess.Popen with shell=True subprocess.Popen(self.cmd, shell=True print('thread started') # self.process = subprocess.popen(self.cmd, shell=true) #
2 src/UserSettings.py 201 open with concat - path traversal risk open(self.user_recent_servers_file, "r+ mat(uri, name).strip() def add(): with open(self.user_recent_servers_file, "r+"
3 src/UserSettings.py 237 open with concat - path traversal risk open(self.user_saved_servers_file, "r+ mat(uri, name).strip() def add(): with open(self.user_saved_servers_file, "r+")
4 src/UserSettings.py 310 open with concat - path traversal risk open(self.user_saved_places_file, "r+ con": "' + icon + '"}' def add(): with open(self.user_saved_places_file, "r+")

Medium

# File Line Type Match Context
1 src/MainWindow.py 419 GTK set_markup with user input risk set_markup( label = gtk.label.new() label.set_markup("{}".format(licon))
2 src/MainWindow.py 516 GTK set_markup with user input risk set_markup( ocs = [] # label = gtk.label.new() # label.set_markup("{}".format(_("places"
3 src/MainWindow.py 554 GTK set_markup with user input risk set_markup( tton) label = gtk.label.new() label.set_markup("{}".format(loc["name"]))
4 src/MainWindow.py 611 GTK set_markup with user input risk set_markup( tton) label = gtk.label.new() label.set_markup("{}".format(dir["name"]))
5 src/MainWindow.py 638 GTK set_markup with user input risk set_markup( tton) label = gtk.label.new() label.set_markup("{}".format(saved["name"]))
6 src/MainWindow.py 679 GTK set_markup with user input risk set_markup( tton) label = gtk.label.new() label.set_markup("{}".format(_("add new")))
7 src/MainWindow.py 954 GTK set_markup with user input risk set_markup( display_name = "" self.dlg_lbl_name.set_markup("{}".format(glib.markup_es
8 src/MainWindow.py 998 GTK set_markup with user input risk set_markup( ow values on ui row_volume._lbl_volume_name.set_markup( f'{gl
9 src/MainWindow.py 1001 GTK set_markup with user input risk set_markup( )') row_volume._lbl_volume_size_info.set_markup( "<span s
10 src/MainWindow.py 1087 GTK set_markup with user input risk set_markup( lbl_volume_name = gtk.label.new() lbl_volume_name.set_markup("{} ( {} )</small
11 src/MainWindow.py 1097 GTK set_markup with user input risk set_markup( me_size_info = gtk.label.new() lbl_volume_size_info.set_markup( f"<span size="s
12 src/MainWindow.py 1296 GTK set_markup with user input risk set_markup( e.set_label(_("calculating...")) self.lbl_home_path.set_markup("( {} )".forma
13 src/MainWindow.py 2079 GTK set_markup with user input risk set_markup( , uri, name): label = gtk.label.new() label.set_markup("{}\n{}
14 src/MainWindow.py 2151 GTK set_markup with user input risk set_markup( else: self.dialog_mount_error.set_markup("{}".format(_("er
15 src/MainWindow.py 2191 GTK set_markup with user input risk set_markup( passwd_option = 1 self.lbl_mount_message.set_markup("{}".format(_(message)))

pardus-nvidia-installer (6 findings)

High

# File Line Type Match Context
1 tr.org.pardus.pkexec.pardus-nvidia-installer.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

Medium

# File Line Type Match Context
1 src/MainWindow.py 251 GTK set_markup with user input risk set_markup( arkup = self.lbl_markup(("driver"), drv_name) name.set_markup(markup) ver = b.get
2 src/MainWindow.py 255 GTK set_markup with user input risk set_markup( markup = self.lbl_markup(_("version"), drv_ver) ver.set_markup(markup) markup = sel
3 src/MainWindow.py 263 GTK set_markup with user input risk set_markup( ) lbl = b.get_object("ui_driver_label") lbl.set_markup(markup) repo = b.get
4 src/MainWindow.py 267 GTK set_markup with user input risk set_markup( markup = self.lbl_markup("repo", drv_repo) repo.set_markup(markup) grp = none
5 src/MainWindow.py 280 GTK set_markup with user input risk set_markup( name_label = gtk.label(xalign=0) name_label.set_markup(f"{device_name}") box

pardus-package-installer (19 findings)

High

# File Line Type Match Context
1 tr.org.pardus.pkexec.pardus-package-installer.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

Medium

# File Line Type Match Context
1 src/MainWindow.py 174 GTK set_markup with user input risk set_markup( self.errorlabel.set_visible(false) self.pacname.set_markup( "<span size='x-larg
2 src/MainWindow.py 180 GTK set_markup with user input risk set_markup( ename, -1) ) ) self.pacversion.set_markup( "{}</smal
3 src/MainWindow.py 186 GTK set_markup with user input risk set_markup( ersion, -1) ) ) self.shortdesc.set_markup( "{}</smal
4 src/MainWindow.py 197 GTK set_markup with user input risk set_markup( .packagemaintainermail, -1) self.maintainermail.set_markup( f"<a title='
5 src/MainWindow.py 205 GTK set_markup with user input risk set_markup( pe_text(self.packagehomepage, -1) self.homepage.set_markup( f"<a title='
6 src/MainWindow.py 225 GTK set_markup with user input risk set_markup( )) pd = "\n\n".join(formatted) self.depends.set_markup("{}".format(gl
7 src/MainWindow.py 228 GTK set_markup with user input risk set_markup( if self.packagemissingdeps: self.missingdeps.set_markup("{}".format(
8 src/MainWindow.py 231 GTK set_markup with user input risk set_markup( agemissingdeps, -1))) self.installed_version_title.set_markup( "<span we
9 src/MainWindow.py 237 GTK set_markup with user input risk set_markup( = pkg.installed.version self.installed_version.set_markup(f"
10 src/MainWindow.py 239 GTK set_markup with user input risk set_markup( ") else: self.installed_version.set_markup( "<spa
11 src/MainWindow.py 252 GTK set_markup with user input risk set_markup( lf.errorlabel.set_visible(true) self.errorlabel.set_markup( "<span co
12 src/MainWindow.py 558 GTK set_markup with user input risk set_markup( e_child_name("doneinfo") self.doneinfolabel.set_markup("{}\n</s
13 src/MainWindow.py 793 GTK set_markup with user input risk set_markup( e_child_name("doneinfo") self.doneinfolabel.set_markup("{}".format(_("not com
14 src/MainWindow.py 801 GTK set_markup with user input risk set_markup( terrupt error !") self.doneinfolabel.set_markup(errormessage) sel
15 src/MainWindow.py 816 GTK set_markup with user input risk set_markup( = pkg.installed.version self.installed_version.set_markup(f"
16 src/MainWindow.py 818 GTK set_markup with user input risk set_markup( ") else: self.installed_version.set_markup( "<spa
17 src/MainWindow.py 830 GTK set_markup with user input risk set_markup( terrupt error !") self.doneinfolabel.set_markup(errormessage) if
18 src/MainWindow.py 839 GTK set_markup with user input risk set_markup( tude' or 'synaptic' first.") self.doneinfolabel.set_markup(errormessage) if

pardus-parental-control (5 findings)

High

# File Line Type Match Context
1 polkit/tr.org.pardus.pkexec.parental-control.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def
2 polkit/tr.org.pardus.pkexec.parental-control.policy 34 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def
3 src/managers/NetworkFilterManager.py 33 subprocess.run with shell concat subprocess.run(["chattr", "+ w") as file1: file1.write(resolv_conf_content) subprocess.run(["chattr", "+i", "/etc/re
4 src/managers/UsageLogger.py 31 open with concat - path traversal risk open(user_session, "r+ # add new login log to the beginning of the file with open(user_session, "r+") as f: con
5 src/managers/UsageLogger.py 51 open with concat - path traversal risk open(user_session, "r+ # add new login log to the beginning of the file with open(user_session, "r+") as f: # r

pardus-pen (1 findings)

Medium

# File Line Type Match Context
1 src/SetupWidgets.cpp 578 Weak random number generation (C) rand() mber(butsize/3)+"px;" ); srand(time(null)); if(rand() % 2 == 0) { closemenuconf

pardus-pen-old (9 findings)

High

# File Line Type Match Context
1 mainwindow.cpp 407 strcpy - buffer overflow strcpy( char cmd = (char)malloc(1024*sizeof(char)); strcpy(cmd,"scrot '"); strcat(cmd,imgn
2 mainwindow.cpp 408 strcat - buffer overflow strcat( (1024*sizeof(char)); strcpy(cmd,"scrot '"); strcat(cmd,imgname.tostdstring().c_str()
3 mainwindow.cpp 409 strcat - buffer overflow strcat( strcat(cmd,imgname.tostdstring().c_str()); strcat(cmd,"'"); system(cmd); } q
4 mainwindow.cpp 419 strcpy - buffer overflow strcpy( o")); char msg = (char)malloc(1024*sizeof(char)); strcpy(msg,_("screenshot saved:"));
5 mainwindow.cpp 420 strcat - buffer overflow strcat( *sizeof(char)); strcpy(msg,_("screenshot saved:")); strcat(msg,"\n"); strcat(msg,imgname
6 mainwindow.cpp 421 strcat - buffer overflow strcat( rcpy(msg,_("screenshot saved:")); strcat(msg,"\n"); strcat(msg,imgname.tostdstring().c_str()
7 mainwindow.cpp 442 strcpy - buffer overflow strcpy( char msg = (char)malloc(1024*sizeof(char)); strcpy(msg,_("record saved:")); strcat
8 mainwindow.cpp 443 strcat - buffer overflow strcat( eof(char)); strcpy(msg,_("record saved:")); strcat(msg,"\n"); strcat(msg,thi
9 mainwindow.cpp 444 strcat - buffer overflow strcat( (msg,_("record saved:")); strcat(msg,"\n"); strcat(msg,this->recordname.c_str());

pardus-power-manager (2 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 422 GTK set_markup with user input risk set_markup( "error")) self.ui_permission_info_label.set_markup( "
2 src/Utils.py 26 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) self.get_messag

pardus-power-manager-advanced (18 findings)

High

# File Line Type Match Context
1 src/service/backends/cpu.py 46 open with concat - path traversal risk open("/sys/devices/system/cpu/cpu"+ cpu/cpu"+str(core)+"/online"): return false f = open("/sys/devices/system/cpu/cpu"+str(c

Medium

# File Line Type Match Context
1 src/client/MainWindow.py 19 wildcard import - namespace pollution from common import * import send_server, charge_stop_available, register_notify from common import * try: import loc
2 src/client/main.py 2 wildcard import - namespace pollution from util import * #!/usr/bin/env python3 from util import * from mainwindow import * import os, sys import gi, json g
3 src/client/main.py 3 wildcard import - namespace pollution from MainWindow import * #!/usr/bin/env python3 from util import * from mainwindow import * import os, sys import gi, json g
4 src/client/util.py 12 wildcard import - namespace pollution from common import * os.path.dirname( os.path.realpath(file) )+"/../common") from common import * @asynchronous def
5 src/common/common.py 4 wildcard import - namespace pollution from {} import * .py") and file != os.path.basename(file): exec("from {} import *".format(file[:-3]))
6 src/common/logger.py 3 wildcard import - namespace pollution from config import * import os import time from config import * import datetime if os.getuid() == 0: logfile = open(
7 src/common/power.py 3 wildcard import - namespace pollution from file import * import os import sys from file import * from cache import cached def get_ac_online(): if not o
8 src/service/actions.py 2 wildcard import - namespace pollution from util import * #!/usr/bin/env python3 from util import * import sys import subprocess import json if len(sys.argv)
9 src/service/backends/backlight.py 3 wildcard import - namespace pollution from common import * import os from util import readfile from common import * class backlight_devices: def init(
10 src/service/backends/battery.py 3 wildcard import - namespace pollution from util import * import gi from gi.repository import glib from util import * import time class battery: def __
11 src/service/backends/cpu.py 2 wildcard import - namespace pollution from common import * import os from common import * def list_cpu(): ret = [] for i in range(0, get_num_
12 src/service/backends/power.py 5 wildcard import - namespace pollution from common import * ge_cpu_status from backends.backlight import set_brightness from common import * _cur_mode = none
13 src/service/main.py 2 wildcard import - namespace pollution from util import * #!/usr/bin/env python3 from util import * from service import main from backends.power import set_mo
14 src/service/main.py 10 wildcard import - namespace pollution from util import * mport enable_usb_wakeups import time import os import json from util import * if not get("enabled"
15 src/service/service.py 1 wildcard import - namespace pollution from util import * from util import * import backends.power as power import backends.backlight as
16 src/service/util.py 6 wildcard import - namespace pollution from common import * os.path.dirname( os.path.realpath(file) )+"/../common") from common import * def listen(main):
17 src/udev-trigger/main.py 6 wildcard import - namespace pollution from common import * os.path.dirname( os.path.realpath(file) )+"/../common") from common import * data={} data["pid"]

pardus-power-manager-old (1 findings)

High

# File Line Type Match Context
1 files/ppm.desktop 8 pkexec usage - check argument validation pkexec / ardus comment[tr]=pardus için güç yönetim aracı exec=sh -c "pkexec /usr/share/pardus/power-manager/s

pardus-software (93 findings)

High

# File Line Type Match Context
1 tr.org.pardus.pkexec.pardus-software.policy 17 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def
2 tr.org.pardus.pkexec.pardus-software.policy 31 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

Medium

# File Line Type Match Context
1 src/MainWindow.py 1067 GTK set_markup with user input risk set_markup( _name.props.halign = gtk.align.start label_name.set_markup("{}</b
2 src/MainWindow.py 1075 GTK set_markup with user input risk set_markup( ellipsize(pango.ellipsizemode.end) label_slogan.set_markup("<span size='x-large' color='
3 src/MainWindow.py 1249 GTK set_markup with user input risk set_markup( tart label = gtk.label.new() label.set_markup("{}".format(_("updates
4 src/MainWindow.py 1255 GTK set_markup with user input risk set_markup( tes_count = gtk.label.new() label_updates_count.set_markup("{}".format(len(self.upgradab
5 src/MainWindow.py 1265 GTK set_markup with user input risk set_markup( label_updates = gtk.label.new() label_updates.set_markup("{}".format(_("s
6 src/MainWindow.py 1298 GTK set_markup with user input risk set_markup( istbox, -1) self.ui_upgradableapps_count_label.set_markup("({})</
7 src/MainWindow.py 1355 GTK set_markup with user input risk set_markup( tton) label = gtk.label.new() label.set_markup("{}".format(_("discove
8 src/MainWindow.py 1374 GTK set_markup with user input risk set_markup( label = gtk.label.new() label.set_markup("{}".format(cat["name"].title()))
9 src/MainWindow.py 1395 GTK set_markup with user input risk set_markup( ton) label = gtk.label.new() label.set_markup("{}".format(_("install
10 src/MainWindow.py 1437 GTK set_markup with user input risk set_markup( ent(gtk.adjustment()) self.ui_currentcat_label.set_markup("{}</
11 src/MainWindow.py 1710 GTK set_markup with user input risk set_markup( tion_button, 3) action_button_label.set_markup("{}".format(_(
12 src/MainWindow.py 1715 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
13 src/MainWindow.py 1719 GTK set_markup with user input risk set_markup( utton, 1) # action_button_label.set_markup("{}".format(_(
14 src/MainWindow.py 1722 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
15 src/MainWindow.py 1726 GTK set_markup with user input risk set_markup( s(action_button, 0) action_button_label.set_markup("{}".format(_(
16 src/MainWindow.py 1841 GTK set_markup with user input risk set_markup( e app) app_name = gtk.label.new() app_name.set_markup("{}".format(prettyname
17 src/MainWindow.py 1869 GTK set_markup with user input risk set_markup( s(action_button, 3) action_button_label.set_markup("{}".format(_(
18 src/MainWindow.py 1874 GTK set_markup with user input risk set_markup( tion_button, 4) action_button_label.set_markup("{}".format(_(
19 src/MainWindow.py 1878 GTK set_markup with user input risk set_markup( tion_button, 4) action_button_label.set_markup("{}".format(_(
20 src/MainWindow.py 1882 GTK set_markup with user input risk set_markup( class(action_button, 0) action_button_label.set_markup("{}".format(_(
21 src/MainWindow.py 1890 GTK set_markup with user input risk set_markup( summary_label = gtk.label.new() summary_label.set_markup("
22 src/MainWindow.py 1908 GTK set_markup with user input risk set_markup( number_label = gtk.label.new() number_label.set_markup("{}".format(number))
23 src/MainWindow.py 1945 GTK set_markup with user input risk set_markup( alse): app_name = gtk.label.new() app_name.set_markup("{}".format(glib.marku
24 src/MainWindow.py 1979 GTK set_markup with user input risk set_markup( button_class(action_button, 4) action_button_label.set_markup("{}".format((
25 src/MainWindow.py 1993 GTK set_markup with user input risk set_markup( summary_label = gtk.label.new() summary_label.set_markup("
26 src/MainWindow.py 2020 GTK set_markup with user input risk set_markup( size_request(77, -1) if du: du_static.set_markup("{}".format(("disk us
27 src/MainWindow.py 2021 GTK set_markup with user input risk set_markup( up("{}".format(_("disk usage"))) du_size.set_markup("<span weight='light' size='s
28 src/MainWindow.py 2023 GTK set_markup with user input risk set_markup( ze(app["disk_usage"]))) else: du_static.set_markup("") du_size.set_m
29 src/MainWindow.py 2024 GTK set_markup with user input risk set_markup( e: du_static.set_markup("") du_size.set_markup("") box_h = gtk.box.
30 src/MainWindow.py 2062 GTK set_markup with user input risk set_markup( none): app_name = gtk.label.new() app_name.set_markup("{}".format(glib.marku
31 src/MainWindow.py 2103 GTK set_markup with user input risk set_markup( tion_button, 3) action_button_label.set_markup("{}".format(_(
32 src/MainWindow.py 2108 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
33 src/MainWindow.py 2112 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
34 src/MainWindow.py 2116 GTK set_markup with user input risk set_markup( s(action_button, 0) action_button_label.set_markup("{}".format(_(
35 src/MainWindow.py 2135 GTK set_markup with user input risk set_markup( summary_label = gtk.label.new() summary_label.set_markup("
36 src/MainWindow.py 2151 GTK set_markup with user input risk set_markup( () du_static.set_line_wrap(false) du_static.set_markup("") du_size = gtk.la
37 src/MainWindow.py 2155 GTK set_markup with user input risk set_markup( .new() du_size.set_line_wrap(false) du_size.set_markup("") box_du = gtk.box
38 src/MainWindow.py 2199 GTK set_markup with user input risk set_markup( none): app_name = gtk.label.new() app_name.set_markup("{}".format(glib.marku
39 src/MainWindow.py 2232 GTK set_markup with user input risk set_markup( button.add(cancel_button_label) cancel_button_label.set_markup("{}".format(_(
40 src/MainWindow.py 2236 GTK set_markup with user input risk set_markup( summary_label = gtk.label.new() summary_label.set_markup("
41 src/MainWindow.py 2252 GTK set_markup with user input risk set_markup( version_title.set_line_wrap(false) version_title.set_markup("{}".format(_("version"))
42 src/MainWindow.py 2258 GTK set_markup with user input risk set_markup( et_ellipsize(pango.ellipsizemode.end) version_label.set_markup("<span weight='light' size='s
43 src/MainWindow.py 2355 GTK set_markup with user input risk set_markup( app_name = gtk.label.new() app_name.set_markup("{}".format(editor_app_pretty_name
44 src/MainWindow.py 2389 GTK set_markup with user input risk set_markup( tion_button, 3) action_button_label.set_markup("{}".format(_(
45 src/MainWindow.py 2394 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
46 src/MainWindow.py 2398 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
47 src/MainWindow.py 2402 GTK set_markup with user input risk set_markup( s(action_button, 0) action_button_label.set_markup("{}".format(_(
48 src/MainWindow.py 2410 GTK set_markup with user input risk set_markup( summary_label = gtk.label.new() summary_label.set_markup("<span weight='light' size='sma
49 src/MainWindow.py 2766 GTK set_markup with user input risk set_markup( "website", "") self.ui_ad_maintainer_name_label.set_markup(m_name) self.ui_a
50 src/MainWindow.py 2767 GTK set_markup with user input risk set_markup( markup(m_name) self.ui_ad_maintainer_mail_label.set_markup("<a title='{}' href='mailto:{
51 src/MainWindow.py 2772 GTK set_markup with user input risk set_markup( (m_mail, -1))) self.ui_ad_maintainer_web_label.set_markup("{}</
52 src/MainWindow.py 2783 GTK set_markup with user input risk set_markup( label = gtk.label.new() label.set_markup("{}".format(codename.title()))
53 src/MainWindow.py 2793 GTK set_markup with user input risk set_markup( s_box.show_all() self.ui_comment_appname_label.set_markup("{}".format(app_pretty
54 src/MainWindow.py 2794 GTK set_markup with user input risk set_markup( pretty_name)) self.ui_comment_subcategory_label.set_markup("{}".format(app_subcategory_n
55 src/MainWindow.py 2822 GTK set_markup with user input risk set_markup( tion_button, 3) action_button_label.set_markup("{}".format(_(
56 src/MainWindow.py 2827 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
57 src/MainWindow.py 2831 GTK set_markup with user input risk set_markup( button, 4) action_button_label.set_markup("{}".format((
58 src/MainWindow.py 2835 GTK set_markup with user input risk set_markup( d_action_button, 0) action_button_label.set_markup("{}".format(_(
59 src/MainWindow.py 2839 GTK set_markup with user input risk set_markup( ui_ad_action_button, 2) action_button_label.set_markup("{}".format(_(
60 src/MainWindow.py 2874 GTK set_markup with user input risk set_markup( l = _("open source") self.ui_ad_component_label.set_markup(f"{origin} {component}" if or
61 src/MainWindow.py 2875 GTK set_markup with user input risk set_markup( igin_info else _("none")) self.ui_ad_type_label.set_markup(type_label) # repo a
62 src/MainWindow.py 2916 GTK set_markup with user input risk set_markup( }".format(e)) self.ui_ad_maintainer_name_label.set_markup(maintainer_name)
63 src/MainWindow.py 2917 GTK set_markup with user input risk set_markup( intainer_name) self.ui_ad_maintainer_mail_label.set_markup("<a title='{}' href='mailto:{
64 src/MainWindow.py 2922 GTK set_markup with user input risk set_markup( mail else "-") self.ui_ad_maintainer_web_label.set_markup("{}</
65 src/MainWindow.py 3290 GTK set_markup with user input risk set_markup( and details is not none: self.ui_myapp_pop_app.set_markup( "<span size='
66 src/MainWindow.py 3292 GTK set_markup with user input risk set_markup( cape_text(name, -1))) self.ui_myapp_pop_package.set_markup("{}".format(package))
67 src/MainWindow.py 3299 GTK set_markup with user input risk set_markup( not none: self.ui_myapp_pop_toremove_label.set_markup( "{}".form
68 src/MainWindow.py 3308 GTK set_markup with user input risk set_markup( not none: self.ui_myapp_pop_toinstall_label.set_markup( "{}".for
69 src/MainWindow.py 3313 GTK set_markup with user input risk set_markup( is not none: self.ui_myapp_pop_broken_label.set_markup( "{}".for
70 src/MainWindow.py 3318 GTK set_markup with user input risk set_markup( d_size"] > 0: self.ui_myapp_pop_fsize_label.set_markup( "{}".for
71 src/MainWindow.py 3323 GTK set_markup with user input risk set_markup( d_size"] > 0: self.ui_myapp_pop_dsize_label.set_markup( "{}".for
72 src/MainWindow.py 3328 GTK set_markup with user input risk set_markup( l_size"] > 0: self.ui_myapp_pop_isize_label.set_markup( "{}".for
73 src/MainWindow.py 3349 GTK set_markup with user input risk set_markup( pixel_size(64) self.ui_myapp_pop_notfound_name.set_markup("{}
74 src/MainWindow.py 3467 GTK set_markup with user input risk set_markup( ge"]))) self.ui_ad_bottom_avgrate_label.set_markup( "<sp
75 src/MainWindow.py 3494 GTK set_markup with user input risk set_markup( else: self.ui_suggest_error_label.set_markup("{}".format(_("error")))
76 src/MainWindow.py 3655 GTK set_markup with user input risk set_markup( label_author = gtk.label.new() label_author.set_markup("{}".format(author)) l
77 src/MainWindow.py 3696 GTK set_markup with user input risk set_markup( label_distro = gtk.label.new() label_distro.set_markup("{}".format(distro)) label_di
78 src/MainWindow.py 3700 GTK set_markup with user input risk set_markup( label_appversion = gtk.label.new() label_appversion.set_markup("{}: {}".format(_("app"), app
79 src/MainWindow.py 3998 GTK set_markup with user input risk set_markup( mer") self.ui_myapp_pop_disclaimer_remove_label.set_markup("{}".format(", ".join(importa
80 src/MainWindow.py 4297 GTK set_markup with user input risk set_markup( dir, cache_size)) self.ui_settings_cache_size_label.set_markup("({})".format(self.pac
81 src/MainWindow.py 4421 GTK set_markup with user input risk set_markup( ("cleared")) self.ui_settings_cache_info_label.set_markup(("cache files cleared, pleas
82 src/MainWindow.py 4425 GTK set_markup with user input risk set_markup( l(_("error")) self.ui_settings_cache_info_label.set_markup("{}".format(message))
83 src/MainWindow.py 4690 GTK set_markup with user input risk set_markup( tinfo_spinner.start() self.pop_interruptinfo_label.set_markup("{}".format(_("the pro
84 src/MainWindow.py 4980 GTK set_markup with user input risk set_markup( sible_child_name("error") self.bottomerrorlabel.set_markup("{}"
85 src/MainWindow.py 4987 GTK set_markup with user input risk set_markup( sible_child_name("error") self.bottomerrorlabel.set_markup("{}"
86 src/MainWindow.py 4990 GTK set_markup with user input risk set_markup( visible(true) self.bottomerrordetails_label.set_markup( "{}</
87 src/MainWindow.py 4995 GTK set_markup with user input risk set_markup( name("interrupt") self.bottominterruptlabel.set_markup("{}<
88 src/MainWindow.py 5078 GTK set_markup with user input risk set_markup( atus != 0: self.ui_settings_password_info_label.set_markup( "<spa
89 src/MainWindow.py 5227 GTK set_markup with user input risk set_markup( request dismissed self.pop_interruptinfo_label.set_markup("{}".format(_("error.")
90 src/MainWindow.py 5229 GTK set_markup with user input risk set_markup( "))) else: self.pop_interruptinfo_label.set_markup("{}".format(_("process
91 src/SysActions.py 10 random module (not cryptographically secure) import random on fri sep 18 14:53:00 2020 @author: fatih """ import os import random import string import subpro

pardus-update (30 findings)

High

# File Line Type Match Context
1 data/tr.org.pardus.pkexec.pardus-update.policy 18 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def
2 src/SysActions.py 76 subprocess.run with shell concat subprocess.run(["apt", "full-upgrade"] + split(" ") yq_list = yq.split(" ") result = subprocess.run(["apt", "full-upgrade"] +

Medium

# File Line Type Match Context
1 src/MainWindow.py 806 GTK set_markup with user input risk set_markup( f.upgrade_inprogress: self.ui_upgradeinfo_label.set_markup( "{}".
2 src/MainWindow.py 834 GTK set_markup with user input risk set_markup( f.upgrade_inprogress: self.ui_upgradeinfo_label.set_markup( "{}".
3 src/MainWindow.py 860 GTK set_markup with user input risk set_markup( f.upgrade_inprogress: self.ui_upgradeinfo_label.set_markup( "{}".
4 src/MainWindow.py 980 GTK set_markup with user input risk set_markup( repo_name = gtk.label.new() repo_name.set_markup("{} {} {} {}".format(sub["type"], s
5 src/MainWindow.py 1131 GTK set_markup with user input risk set_markup( sw.set_visible(true) self.ui_distupdowninfo_label.set_markup("{}".format(("package
6 src/MainWindow.py 1251 GTK set_markup with user input risk set_markup( t_value(interval) self.ui_settingslastupdate_label.set_markup("{}".format( date
7 src/MainWindow.py 1491 GTK set_markup with user input risk set_markup( .set_sensitive(true) self.ui_dpkgconfigurefix_label.set_markup("{}".format(
8 src/MainWindow.py 1501 GTK set_markup with user input risk set_markup( .set_visible(true) self.ui_dpkgconfigureinfo_label.set_markup("{}".format(_("the pro
9 src/MainWindow.py 1640 GTK set_markup with user input risk set_markup( button) name = gtk.label.new() name.set_markup("{}".format(glib.marku
10 src/MainWindow.py 1645 GTK set_markup with user input risk set_markup( summarylabel = gtk.label.new() summarylabel.set_markup( "{}</smal
11 src/MainWindow.py 1651 GTK set_markup with user input risk set_markup( old_version = gtk.label.new() old_version.set_markup("{}".fo
12 src/MainWindow.py 1656 GTK set_markup with user input risk set_markup( sep_label = gtk.label.new() sep_label.set_markup(">>")
13 src/MainWindow.py 1659 GTK set_markup with user input risk set_markup( new_version = gtk.label.new() new_version.set_markup("{}".fo
14 src/MainWindow.py 1784 GTK set_markup with user input risk set_markup( heck_labels(self): self.ui_settingslastupdate_label.set_markup("{}".format( date
15 src/MainWindow.py 1937 GTK set_markup with user input risk set_markup( name = gtk.label.new() name.set_markup("{}".format(glib.markup_escape_text(pa
16 src/MainWindow.py 1942 GTK set_markup with user input risk set_markup( summarylabel = gtk.label.new() summarylabel.set_markup( "
17 src/MainWindow.py 1948 GTK set_markup with user input risk set_markup( old_version = gtk.label.new() old_version.set_markup("{}
18 src/MainWindow.py 1953 GTK set_markup with user input risk set_markup( sep_label = gtk.label.new() sep_label.set_markup(">>")
19 src/MainWindow.py 1956 GTK set_markup with user input risk set_markup( new_version = gtk.label.new() new_version.set_markup("{}
20 src/MainWindow.py 2038 GTK set_markup with user input risk set_markup( cent"]) self.ui_distrequireddiskinfo_label.set_markup("{}: {}".format(
21 src/MainWindow.py 2266 GTK set_markup with user input risk set_markup( 6: # dpkg lock error self.ui_upgradeinfo_label.set_markup("{}<
22 src/MainWindow.py 2270 GTK set_markup with user input risk set_markup( dpkg interrupt error self.ui_upgradeinfo_label.set_markup("{}</
23 src/MainWindow.py 2431 GTK set_markup with user input risk set_markup( print("down ok") self.ui_distupdowninfo_label.set_markup( "{}".fo
24 src/MainWindow.py 2445 GTK set_markup with user input risk set_markup( ne) else: self.ui_distupdowninfo_label.set_markup("{}".format(_("the dow
25 src/MainWindow.py 2528 GTK set_markup with user input risk set_markup( quest dismissed self.ui_dpkgconfigureinfo_label.set_markup("{}".format(_("error."
26 src/MainWindow.py 2530 GTK set_markup with user input risk set_markup( ) else: self.ui_dpkgconfigureinfo_label.set_markup("{}".format(_("process
27 src/SysActions.py 10 random module (not cryptographically secure) import random 18 14:53:00 2020 @author: fatih """ import json import os import random import string import subpro
28 src/Utils.py 127 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) def show(self):

pardus-usb-formatter (2 findings)

Medium

# File Line Type Match Context
1 src/MainWindow.py 162 GTK set_markup with user input risk set_markup( .get_active_iter() ][0] self.dlg_lbl_format.set_markup(f"- {selectedformat}")
2 src/MainWindow.py 163 GTK set_markup with user input risk set_markup( kup(f"- {selectedformat}") self.dlg_lbl_disk.set_markup( f"- {self.usb

pardus-welcome (3 findings)

High

# File Line Type Match Context
1 src/xfce/KeyboardManager.py 91 subprocess.run with shell=True subprocess.run("cat /etc/default/keyboard | grep XKBLAYOUT | tr -d '\"'", shell= keyboard def getsystemkeyboardstate(): layoutprocess = subprocess.run("cat /etc/default/keyboard
2 src/xfce/KeyboardManager.py 93 subprocess.run with shell=True subprocess.run("cat /etc/default/keyboard | grep XKBVARIANT | tr -d '\"'", shell capture_output=true) variantprocess = subprocess.run("cat /etc/default/keyboard | grep xkbvarian

Medium

# File Line Type Match Context
1 src/utils.py 28 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) def show(self):

pardus-xfce-greeter (1 findings)

Medium

# File Line Type Match Context
1 src/utils.py 25 GTK set_markup with user input risk set_markup( position.center) self.set_title(title) self.set_markup(text) def show(self):

pardus-xfce-tweaks (3 findings)

High

# File Line Type Match Context
1 src/xfce/DatetimeManager.py 55 subprocess.run with shell=True subprocess.run("xfce4-panel -q", shell=True oin(lines) def savefile(): global configfiledata subprocess.run("xfce4-panel -q", shell=t
2 src/xfce/DatetimeManager.py 62 subprocess.run with shell=True subprocess.run("xfce4-panel &", shell=True path, "w") as file: file.write(configfiledata) subprocess.run("xfce4-panel &", shell=tr
3 tr.org.pardus.xfce-tweaks.policy 20 auth_admin_keep policy auth_admin_keep ow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </def

PoC Scripts

  • test_all.py — Confirms 11 vulnerability types with working PoCs
  • test_priv_esc.py — Demonstrates 8 privilege escalation paths

Raw Data

  • reports/scan_results.json — All 315 findings in JSON format

Generated by PARDUS-VULN-DB scanner


PRIVILEGE ESCALATION FINDINGS

PE-1: pkexec Policy 'yes' — NO AUTHENTICATION REQUIRED

These polkit policies use <allow_active>yes</allow_active> meaning ANY process (even unprivileged) can run these actions as root WITHOUT any password.

# Package Action ID File What Runs as Root
1 pardus-software tr.org.pardus.pkexec.pardus-software-autoaptupdateaction tr.org.pardus.pkexec.pardus-software.policy:43 AutoAptUpdate.py — apt update
2 pardus-update tr.org.pardus.pkexec.pardus-update-aptupdateaction tr.org.pardus.pkexec.pardus-update.policy:31 AutoAptUpdate.py — apt update
3 pardus-update tr.org.pardus.pkexec.pardus-update-settingswrite tr.org.pardus.pkexec.pardus-update.policy:45 SystemSettingsWrite.py — root file write
4 pardus-about tr.org.pardus.pkexec.pardus-about.system_info tr.org.pardus.pkexec.pardus-about.policy:31 Actions.py — ACPI/system commands
5 pardus-power-manager-old ppm.policy:10 main.py — Full GUI as root

Exploit (if packages installed):

# No password prompt — runs as root immediately
pkexec /usr/share/pardus/pardus-software/src/AutoAptUpdate.py

PE-2: pkexec Policy 'auth_self_keep' — ANY USER Can Escalate

These policies allow ANY authenticated user (not just admins) to run code as root.

# Package Policy File Risk
6 pardus-domain-joiner tr.org.pardus.pkexec.domain-joiner.policy os.kill(pid, SIGKILL) as root — kill init/PID 1
7 eta-otp-lock tr.org.etap.otp-settings.policy write to system files as root

Exploit:

# Any user with a password can kill init:
pkexec /usr/share/pardus/pardus-domain-joiner/src/Actions.py cancel 1

PE-3: pkexec 'kill' — Arbitrary PID Kill as Root

These policies allow running /usr/bin/kill as root with any PID.

# Package Policy Executable
8 pardus-image-writer tr.org.pardus.pkexec.pardus-image-writer-kill /usr/bin/kill
9 pardus-usb-formatter tr.org.pardus.pkexec.pardus-usb-formatter-kill /usr/bin/kill

Exploit:

pkexec kill -SIGTERM 1   # Kill init as root

PE-4: TOCTOU Race — /etc/fstab Overwrite via Symlink

  • Package: pardus-mycomputer
  • File: DiskManager.py:89-92
  • Attack: Unprivileged process writes to /tmp/fstab.tmp, then calls pkexec mv /tmp/fstab.tmp /etc/fstab
  • Race: Attacker replaces /tmp/fstab.tmp with symlink to /etc/sudoers between write and mv
  • Result: Root-owned file overwrite

PE-5: Misleading Script Name — 'Brightness.py' adds user to sudo

  • Package: pardus-power-manager
  • File: Brightness.py:14-18
  • Code: subprocess.call(["adduser", user, group])
  • Social engineering: Admin thinks they're adjusting brightness but actually adds attacker to sudo group

PE-6: Password Leak via /tmp/.passwd

  • Package: pardus-installer
  • File: service.py:29-33
  • Code: open("/tmp/.passwd", "w") → write password → chpasswdrm -f
  • Race: Attacker reads /tmp/.passwd before deletion

PE-7: World-Writable FIFO /run/ppm

  • Package: pardus-power-manager-advanced
  • File: util.py:9-10
  • Code: os.mkfifo("/run/ppm") with os.chmod("/run/ppm", 0o222)
  • Impact: Any local user writes JSON commands to root service

PE-8: Domain Joiner — Arbitrary Code as Root

  • Package: pardus-domain-joiner
  • File: Actions.py:64
  • Code: os.kill(int(sys.argv[2]), signal.SIGKILL) — kill ANY PID as root
  • Impact: Denial of service (kill init) or kill security processes

PE-9: OTP Lock — Root File Write

  • Package: eta-otp-lock
  • File: actions.py:27-32
  • Code: save(user, sys.argv[2]) writes to /etc/otp-secrets.json as root
  • Impact: Write arbitrary JSON to system file as root

PE-10: Parental Control — Insecure DBus Service

  • Package: pardus-parental-control
  • File: dbus/tr.org.pardus.parental-control.conf
  • Service: PPCDaemon.py runs as root via D-Bus
  • Risk: D-Bus interface allows unprivileged callers limited access

PRIVILEGE ESCALATION SUMMARY

# Path Auth Required Impact
1 pkexec AutoAptUpdate NONE Root command execution
2 pkexec system_info NONE (active) Root command execution
3 pkexec power-manager-old NONE Root GUI
4 pkexec domain-joiner Any user Arbitrary PID kill
5 pkexec eta-otp-lock Any user Root file write
6 pkexec kill Admin Denial of service
7 Symlink TOCTOU Admin Root file overwrite
8 Brightness.py adduser Admin Group escalation → root
9 /tmp/.passwd leak Race condition Password disclosure
10 /run/ppm FIFO None (world-writable) Service manipulation

ALL 315 FINDINGS

(See above for complete listing organized by repo)

About

Pardus 58 repo guvenlik testi

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors