Hi Thijs, * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-06-04 12:52]: > On Tue, June 3, 2008 18:26, Thomas Arendsen Hein wrote: > > Package: reportbug > > Version: 3.31 > > Severity: grave > > Tags: security > > Justification: user security hole > > > > > > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path > > > > To "exploit": > > $ echo 'raise "FOO"' > token.py > > $ reportbug > > Can you explain how this is a practical user security hole? Your exploit > shows how to "exploit yourself", but it seems very unlikely to me that an > attacker can > 1) create a file token.py > 2) make sure the user is in that curdir > 3) AND invoke reportbug. > > That seems rather contrived to me.
I agree that it is of a low impact but I disagree that this is not a security issue, people are using reportbug in /tmp and I don't see a reason to assume people are not doing that. Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpUWpHg5u7rz.pgp
Description: PGP signature
