Package: apt-listchanges
Version: 3.3
Severity: critical
Tags: security

The postinst script runs a Python script that it creates in /tmp/.

Unfortunately python will add the directory where the script resides to
sys.path and all the imports will be thus resolved in that directory. A simple
user could create "/tmp/debconf.py" for example and have his code executed by
root the next time that apt-listchanges is upgraded/configured. (cf recent
discussion in debian-devel, https://lists.debian.org/87twdq4cqx....@hope.eyrie.org)

You should thus create that temporary file in a root-owned directory which is
specific to apt-listchanges.

You should also review whether that issue needs to be fixed in stable/oldstable...

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-listchanges depends on:
ii  apt                    1.3~rc4
ii  debconf [debconf-2.0]  1.5.59
ii  debianutils            4.8
ii  python3-apt            1.1.0~beta5
pn  python3:any            <none>
ii  ucf                    3.0036

apt-listchanges recommends no packages.

Versions of packages apt-listchanges suggests:
ii  chromium [www-browser]                 53.0.2785.92-2
ii  eterm [x-terminal-emulator]            0.9.6-4
ii  firefox-esr [www-browser]              45.3.0esr-2
ii  gnome-terminal [x-terminal-emulator]   3.21.90-3
ii  lynx [www-browser]                     2.8.9dev9-1
ii  postfix [mail-transport-agent]         3.1.0-5+b1
ii  python3-gi                             3.21.91-2
ii  terminator [x-terminal-emulator]       0.98-1
ii  w3m [www-browser]                      0.5.3-29
ii  xterm [x-terminal-emulator]            325-1

-- debconf information excluded
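Added example, not part of the bug report and not apt-listchanges' own code: a hypothetical maintainer-script helper that applies the fix the report asks for, writing the temporary script into a private directory rather than /tmp, refusing to run it from any directory other users can write to, and invoking it with python3 -I so that the script's directory is never placed on sys.path. The function names (script_dir_is_safe, write_private_helper, run_helper, demo) and the sample helper source are assumptions.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample helper (not the real apt-listchanges script): it reports
# whether its own directory ended up on sys.path.
HELPER_SRC = ("import os, sys\n"
              "print(os.path.dirname(os.path.abspath(__file__)) in sys.path)\n")

def script_dir_is_safe(script_path, trusted_uid=None):
    """True only if the script's directory is owned by trusted_uid and is not
    group/world writable, so no other user can drop a debconf.py beside it."""
    if trusted_uid is None:
        trusted_uid = os.geteuid()  # 0 when run from a real postinst
    st = os.stat(os.path.dirname(os.path.abspath(script_path)))
    others_can_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid == trusted_uid and not others_can_write

def write_private_helper(source, base_dir=None):
    """Write the helper into a fresh private directory (mkdtemp creates it
    0700) instead of directly under the shared, world-writable /tmp."""
    private_dir = tempfile.mkdtemp(prefix="apt-listchanges-", dir=base_dir)
    path = os.path.join(private_dir, "helper.py")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return path

def run_helper(script_path):
    """Refuse unsafe locations, then run with -I so Python does not prepend
    the script's directory to sys.path (defence in depth)."""
    if not script_dir_is_safe(script_path):
        raise PermissionError("helper directory is writable by other users")
    proc = subprocess.run([sys.executable, "-I", script_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()

def demo():
    """Constructed check: a private directory is accepted and -I keeps it off
    sys.path; a 1777 (/tmp-style) directory is rejected."""
    with tempfile.TemporaryDirectory() as base:
        helper = write_private_helper(HELPER_SRC, base_dir=base)
        on_path = run_helper(helper)  # "False": script dir not on sys.path
        os.chmod(os.path.dirname(helper), 0o1777)
        rejected = not script_dir_is_safe(helper)
    return on_path, rejected
```

Calling demo() returns ('False', True): the helper run under -I reports its directory is absent from sys.path, and the same file is refused once its directory is made world-writable like /tmp.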