Package: xexec
Version: 0.0.3-24
Severity: grave
Tags: security
Justification: user security hole
I've been fixing outstanding GCC 4.3 issues and found this while looking into the build failure:

--
void Exec::runline()
{
    ofstream command_file;
    int useless;

    command_file.open("/tmp/exec.tmp", ios::out);
    /* What we're doing here is saving our command in a little shell script
       that will be ran comming up here. */
    command_file << "#!/bin/sh\n" << cline->text();
    /* The fun, object orriented STREAM way of doing things!! wooohoooo */
    command_file.close(); // Finish up.
    useless = execlp(SHELL, SHELL, "/tmp/exec.tmp", NULL); /* Run shell with command line file as script. */
}
--

Symlinking /tmp/exec.tmp to any file writable to the user running xexec will overwrite that file with

#!/bin/sh
name-of-executed-program

Fortunately xexec is almost useless and with hardly any users, since the functionality is provided by the desktop equivalents in KDE, GNOME, xfce or a regular xterm:

Description: Run a simple arbitrary command from X
 xexec is a program designed to allow quick and easy access for running
 simple command lines. For example, let's say you wanted to start Netscape,
 but didn't have it on your window manager's menu. Just run xexec, and type
 netscape in the text box, press enter, and there you have it. It is
 especially useful for allowing access to any available command via one
 primary menu entry.

I'll request archive removal, I don't think we need to waste time with it. But this is a nice example why we need to be more careful about fringe packages of poor quality: they don't receive any review for practical purposes.
This package has been in the archive for ten years and the error is not exactly hard to find, since the package is ridiculously small (the 165 lines even include generated MOC):

SLOC    Directory       SLOC-by-Language (Sorted)
165     top_dir         cpp=165
6       debian          sh=6
0       doc             (none)

Totals grouped by language (dominant language first):
cpp:          165 (96.49%)
sh:             6 (3.51%)

Cheers,
Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xexec depends on:
ii  libc6        2.7-9        GNU C Library: Shared libraries
ii  libgcc1      1:4.3.0-1    GCC support library
ii  libqt3-mt    3:3.3.8b-4   Qt GUI Library (Threaded runtime v
ii  libstdc++6   4.3.0-1      The GNU Standard C++ Library v3
ii  libx11-6     2:1.0.3-7    X11 client-side library
ii  libxext6     2:1.0.4-1    X11 miscellaneous extension librar

xexec recommends no packages.

-- no debconf information
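For reference, here is what a hardened runline() would look like. This is an added example, not xexec's code and not part of the bug report above: the two mistakes in the quoted function are a fixed, predictable path in /tmp and an open() that happily follows whatever already sits at that path. The fix below creates the script with mkstemp() (unpredictable name, O_CREAT|O_EXCL, mode 0600) and checks the opened object with fstat() before writing; open_noclobber() isolates the O_EXCL behaviour so it can be seen refusing a planted symlink. The SHELL definition, the path template and the sample command are assumptions for the demo.

```cpp
// Added example (not xexec's code, not from the bug report): a hardened
// replacement for the runline() quoted above. Two changes:
//  1. never open a fixed, predictable path in /tmp for writing;
//  2. create the file with O_EXCL so a pre-planted symlink is refused
//     rather than followed.
// SHELL, the path template and the default command are assumptions.
#include <cerrno>
#include <cstdlib>
#include <fstream>
#include <sstream>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef SHELL
#define SHELL "/bin/sh"   // assumed; xexec's own definition is not on the page
#endif

// The core of the fix in one call: with O_CREAT|O_EXCL, open() fails with
// EEXIST when anything (including a dangling symlink) already sits at `path`,
// so the link is never followed and its target is never truncated.
// Returns the fd, or -1 on failure.
int open_noclobber(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
}

// Write the command into a freshly created, unpredictably named script.
// mkstemp() uses O_CREAT|O_EXCL and mode 0600 internally, so the same
// guarantee as open_noclobber() applies. Returns the path, or "" on failure.
std::string write_script_securely(const std::string &cmd) {
    char path[] = "/tmp/xexec.XXXXXX";     // template; mkstemp() fills in the Xs
    int fd = mkstemp(path);
    if (fd < 0) return "";

    // Inspect the object we actually hold: a regular file, ours, single link.
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return "";
    }

    std::string body = "#!/bin/sh\n" + cmd + "\n";
    const char *p = body.data();
    size_t left = body.size();
    while (left > 0) {                      // handle short writes and EINTR
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            unlink(path);
            return "";
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    if (close(fd) != 0) {
        unlink(path);
        return "";
    }
    return path;
}

// Read a script back (used to verify what was written).
std::string read_script(const std::string &path) {
    std::ifstream in(path.c_str());
    std::stringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

// Equivalent of the original runline(): create the script safely, then exec
// the shell on it. The simplest fix of all is to skip the file entirely and
// call execlp(SHELL, SHELL, "-c", cmd.c_str(), (char *)NULL); the temp-file
// version is shown because that is what the original did.
int main(int argc, char **argv) {
    std::string cmd = argc > 1 ? argv[1] : "echo hello from xexec";
    std::string script = write_script_securely(cmd);
    if (script.empty()) return 1;
    execlp(SHELL, SHELL, script.c_str(), (char *)NULL);
    unlink(script.c_str());  // only reached if exec failed
    return 1;
}
```

Note that the temp-file variant still leaves the script behind after a successful exec (the original had the same leak); passing the command with `-c` avoids both the leak and the whole class of /tmp races.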