Package: backintime-qt4
Version: 1.1.12-2

~/RPG/Mine/Traveller/Traveller_USB $ backintime-qt4 &
[1] 326
~/RPG/Mine/Traveller/Traveller_USB $ sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
Traceback (most recent call last):
  File "/usr/share/backintime/qt4/app.py", line 46, in <module>
    import snapshotsdialog
  File "/usr/share/backintime/qt4/snapshotsdialog.py", line 32, in <module>
    if tools.check_command('meld'):
  File "/usr/share/backintime/common/tools.py", line 167, in check_command
    return not which(cmd) is None
  File "/usr/share/backintime/common/tools.py", line 173, in which
    path.insert(0, os.getcwd())
FileNotFoundError: [Errno 2] No such file or directory
[1]+ Exit 1 backintime-qt4

I'm not going to try to set up a proof-of-concept security hole with this, but it seems quite obvious that backintime-qt4 should not insert the current directory into the path for the same reasons that you don't insert the current directory into the path in bash. All a user has to do is insert the right executables into the current directory and then convince the admin to run backintime-qt4 from that directory (and the social part of that exploit seems simple enough).

If nothing else, getting a backtrace from a program is bad, and this would leave a non-programmer utterly baffled about what went wrong.
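
An added example, not part of the original report and not Back In Time's own code: a command lookup that prepends the working directory, as line 173 of the traceback does, beside one that searches absolute PATH entries only. The function names and the constructed bin/ and usb/ directories are assumptions made for the illustration.

```python
import os
import tempfile

def _first_executable(cmd, dirs):
    for d in dirs:
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def which_with_cwd(cmd, env_path):
    """Pattern from the traceback: the working directory is searched first."""
    dirs = env_path.split(os.pathsep)
    dirs.insert(0, os.getcwd())  # raises FileNotFoundError if the cwd is gone
    return _first_executable(cmd, dirs)

def which_safe(cmd, env_path):
    """Search absolute PATH entries only; the working directory is never used."""
    # Empty and relative entries ('' or '.') resolve against the cwd: drop them.
    dirs = [d for d in env_path.split(os.pathsep) if os.path.isabs(d)]
    return _first_executable(cmd, dirs)

def demo():
    """Constructed layout: bin/ is trusted, usb/ is the untrusted cwd."""
    out, old_cwd = {}, os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        for name in ("bin", "usb"):
            os.mkdir(os.path.join(root, name))
            tool = os.path.join(root, name, "meld")
            open(tool, "w").close()
            os.chmod(tool, 0o755)
        trusted, usb = os.path.join(root, "bin"), os.path.join(root, "usb")
        try:
            os.chdir(usb)
            out["with_cwd"] = which_with_cwd("meld", trusted)
            out["safe"] = which_safe("meld", "." + os.pathsep + trusted)
            os.remove(os.path.join(usb, "meld"))
            os.rmdir(usb)  # the cwd no longer exists: the getcwd() failure above
            try:
                out["deleted_cwd"] = which_with_cwd("meld", trusted)
            except FileNotFoundError as exc:
                out["deleted_cwd"] = type(exc).__name__
            out["safe_deleted_cwd"] = which_safe("meld", trusted)
        finally:
            os.chdir(old_cwd)
    return out

if __name__ == "__main__":
    print(demo())
```

The first lookup resolves to the copy in the working directory and raises once that directory is removed; the second resolves to the trusted copy in both situations.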