Your message dated Fri, 10 Jul 2020 17:33:29 +0000
with message-id <e1jtwtt-000fmk...@fasolo.debian.org>
and subject line Bug#964366: fixed in bashtop 0.9.22-1
has caused the Debian Bug report #964366,
regarding bashtop: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
964366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964366
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bashtop
Version: 0.9.19-1
Severity: grave
Tags: security

bashtop creates a Python script in /tmp and runs it. But Python adds the directory containing the script to the module search path¹, and /tmp is world-writable, so this is insecure. A local user could plant a malicious Python module in /tmp, which would be executed by bashtop.

Proof of concept:

  $ install -m 644 /path/to/psutil.py /tmp
  $ bashtop
   _______
  < pwned >
   -------
          \   ^__^
           \  (oo)\_______
              (__)\       )\/\
                  ||----w |
                  ||     ||
  Aborted


¹ https://docs.python.org/3/using/cmdline.html#cmdarg-script

-- System Information:
Architecture: i386

Versions of packages bashtop depends on:
ii  bash    5.0-6
ii  gawk    1:5.0.1+dfsg-1
ii  procps  2:3.3.16-5

Versions of packages bashtop recommends:
ii  lm-sensors      1:3.6.0-2
un  sysstat         <none>
ii  python3-psutil  5.7.0-1
ii  curl            7.68.0-1

--
Jakub Wilk
import os; os.system('(tput reset && cowsay pwned) >/dev/tty; kill -ABRT %s' % os.getppid())

--- End Message ---
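As an added example (not code from the report or from bashtop), the two halves of the problem in Python: a check for the pattern the report describes (a script run from a directory other users can write to, which Python's default sys.path handling turns into module shadowing) and the safe way to run a generated helper, using a private mkdtemp directory and `python -I` so the script's directory is never searched for modules. The helper script and all names are constructed for the demo.

```python
import os
import stat
import subprocess
import sys
import tempfile

def dir_is_world_writable(path):
    """True when users other than the owner can create files in `path`.
    /tmp qualifies even with its sticky bit: anyone may add a new psutil.py."""
    return bool(os.stat(path).st_mode & (stat.S_IWOTH | stat.S_IWGRP))

def unsafe_to_run_from(script_path, isolated):
    """Would running this script import modules from a shared directory?
    Python prepends the script's directory to sys.path unless started with
    -I (isolated mode), which leaves that directory out of the search path."""
    if isolated:
        return False
    return dir_is_world_writable(os.path.dirname(os.path.abspath(script_path)))

def run_helper_script(source):
    """Run a generated helper safely: a fresh 0700 directory from mkdtemp and
    python -I, so neither that directory nor user site-packages is searched."""
    tmpdir = tempfile.mkdtemp(prefix="helper-")
    script = os.path.join(tmpdir, "helper.py")
    with open(script, "w") as fh:
        fh.write(source)
    try:
        proc = subprocess.run([sys.executable, "-I", script],
                              capture_output=True, text=True, check=True)
    finally:
        os.unlink(script)
        os.rmdir(tmpdir)
    return proc.stdout.strip()

# Constructed helper: prints whether its own directory is on sys.path.
HELPER_SOURCE = ("import os, sys\n"
                 "print(os.path.dirname(os.path.abspath(__file__)) in sys.path)\n")

def demo():
    """Constructed check: a private directory versus one opened up like /tmp."""
    d = tempfile.mkdtemp(prefix="demo-")
    target = os.path.join(d, "x.py")
    private = unsafe_to_run_from(target, isolated=False)
    os.chmod(d, 0o1777)  # sticky bit plus world-writable: /tmp's permissions
    shared = unsafe_to_run_from(target, isolated=False)
    os.rmdir(d)
    return {"private": private, "shared": shared,
            "shared_isolated": unsafe_to_run_from("/tmp/x.py", isolated=True),
            "helper_sees_own_dir": run_helper_script(HELPER_SOURCE)}
```

Without `-I`, the same helper prints `True`, which is exactly the condition the planted psutil.py in the report relies on.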
--- Begin Message ---
Source: bashtop
Source-Version: 0.9.22-1
Done: Dylan Aïssi <dai...@debian.org>

We believe that the bug you reported is fixed in the latest version of
bashtop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <dai...@debian.org> (supplier of updated bashtop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Jul 2020 19:02:52 +0200
Source: bashtop
Architecture: source
Version: 0.9.22-1
Distribution: unstable
Urgency: high
Maintainer: Dylan Aïssi <dai...@debian.org>
Changed-By: Dylan Aïssi <dai...@debian.org>
Closes: 964366 964788
Changes:
 bashtop (0.9.22-1) unstable; urgency=high
 .
   * New upstream version
      Fix security issues (Closes: #964366, #964788)


--- End Message ---
