Package: reportbug-ng
Version: 0.2008.03.28
Severity: grave
Tags: security

Hiho,

reportbug-ng is vulnerable to arbitrary code execution because it adds os.curdir to sys.path before checking for module files in the shared directory:

    24 sys.path = sys.path + [os.curdir, '/usr/share/reportbug-ng']

This gives potential attackers the possibility to write malicious reportbug-ng modules and spread them through some directories. For example:

    [EMAIL PROTECTED]:/tmp$] cat > ui.py
    print 'doing some malicious stuff here'
    raise 'foobar'
    [EMAIL PROTECTED]:/tmp$] reportbug-ng somepackage
    doing some malicious stuff here
    ./ui.py:2: DeprecationWarning: raising a string exception is deprecated
      raise 'foobar'
    Traceback (most recent call last):
      File "/usr/bin/reportbug-ng", line 26, in <module>
        from ui.MyMainWindow import MyMainWindow
      File "./ui.py", line 2, in <module>
        raise 'foobar'
    foobar

I suggest removing os.curdir from sys.path or changing the order of /usr/share/reportbug-ng and os.curdir as I doubt you are loading modules that are not installed :)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
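The report's point is that module lookup follows sys.path order, so an entry that resolves against the current working directory lets whoever controls that directory decide which "ui" gets imported. The following is an added Python example, not part of the bug report and not reportbug-ng's code: it builds the two path orderings (the one from line 24 and the suggested fix), asks the import machinery which file each ordering would load "ui" from without executing anything, and includes a small check that flags relative sys.path entries. The temporary directory layout, the function names and the risky_entries check are assumptions; the module name "ui" and the /usr/share/reportbug-ng directory come from the report.

```python
"""Added example (not reportbug-ng's own code): show how the order of
sys.path entries decides which 'ui' module Python loads, and a small
check that flags relative entries such as os.curdir.

The directory layout is constructed in a temporary directory; the module
name 'ui' and SHARE_DIR come from the report, everything else is
hypothetical.
"""
import importlib.machinery
import os
import tempfile

SHARE_DIR = "/usr/share/reportbug-ng"   # install directory named in the report


def risky_entries(search_path):
    """Return the entries of search_path that are not absolute.

    A relative entry ('', '.', os.curdir, 'lib', ...) is resolved against
    the current working directory at import time, so whoever can drop a
    file into that directory decides what gets imported.
    """
    return [p for p in search_path if not os.path.isabs(p)]


def resolve_module(name, search_path):
    """Return the file that `name` would be loaded from for this path order.

    Only the finder is consulted; the candidate file is never executed.
    Entries are made absolute first so that '.' is resolved against the
    current directory explicitly rather than through the importer cache.
    """
    absolute = [os.path.abspath(p) for p in search_path]
    spec = importlib.machinery.PathFinder.find_spec(name, absolute)
    return None if spec is None else spec.origin


def vulnerable_search_path(share_dir=SHARE_DIR):
    """Ordering from the report: the working directory is searched first."""
    return [os.curdir, share_dir]


def hardened_search_path(share_dir=SHARE_DIR):
    """Suggested fix: only the installed directory is searched."""
    return [share_dir]


def demo():
    """Create an installed ui.py and an untrusted ui.py in a working
    directory, then report where each ordering resolves 'ui'."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")     # stands in for SHARE_DIR
        workdir = os.path.join(root, "cwd")     # user's working directory
        os.makedirs(share)
        os.makedirs(workdir)
        with open(os.path.join(share, "ui.py"), "w") as f:
            f.write("# installed module (constructed sample)\n")
        with open(os.path.join(workdir, "ui.py"), "w") as f:
            f.write("# untrusted file in the working directory (constructed sample)\n")

        previous = os.getcwd()
        os.chdir(workdir)
        try:
            vuln = resolve_module("ui", vulnerable_search_path(share))
            safe = resolve_module("ui", hardened_search_path(share))
        finally:
            os.chdir(previous)

        def same(a, b):
            return os.path.realpath(a) == os.path.realpath(b)

        return {
            "vulnerable_resolves_to_cwd": same(vuln, os.path.join(workdir, "ui.py")),
            "hardened_resolves_to_share": same(safe, os.path.join(share, "ui.py")),
        }


if __name__ == "__main__":
    print("relative entries:", risky_entries(vulnerable_search_path()))
    print(demo())
```

Running the file prints the relative entry flagged for the report's ordering (['.']) and a dict showing that the vulnerable ordering resolves "ui" to the working-directory copy while the hardened ordering resolves it to the installed one. risky_entries is the kind of check that can be run against sys.path at startup in any installed tool; an absolute, root-owned entry is the only kind an installed program should be adding.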