Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Sandro Tosi
> please also fix: > > diff -Nru reportbug-3.40/checks/compare_pseudo-pkgs_lists.py > reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py > --- reportbug-3.40/checks/compare_pseudo-pkgs_lists.py 2008-05-22 > 03:21:42.0 +0200 > +++ reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Nico Golde
Hi, please also fix: diff -Nru reportbug-3.40/checks/compare_pseudo-pkgs_lists.py reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py --- reportbug-3.40/checks/compare_pseudo-pkgs_lists.py 2008-05-22 03:21:42.0 +0200 +++ reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py 20

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Nico Golde
Hi Thijs, * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-06-04 14:14]: > On Wed, June 4, 2008 13:14, Nico Golde wrote: > > I agree that it is of a low impact but I disagree that this > > is not a security issue, people are using reportbug in /tmp and I don't see > > a reason to assume people are not d

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Chris Lawrence
Per my vac message if you guys can put together a quick release in the next day or so that would be great. It will otherwise be Tuesday at the earliest. Chris. On 6/4/08, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote: > On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote: >> I encountered this bug

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Thijs Kinkhorst
On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote: > I encountered this bug in the real world: I extracted a tarball > which contained a file named token.py, then I wanted to report a problem > and therefore started reportbug. > > This tarball did not contain harmful code, but as I did not ver

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Thomas Arendsen Hein
* Thijs Kinkhorst <[EMAIL PROTECTED]> [20080604 14:13]: > On Wed, June 4, 2008 13:14, Nico Golde wrote: > > I agree that it is of a low impact but I disagree that this > > is not a security issue, people are using reportbug in /tmp and I don't see > > a reason to assume people are not doing that. >

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Thijs Kinkhorst
On Wed, June 4, 2008 13:14, Nico Golde wrote: > I agree that it is of a low impact but I disagree that this > is not a security issue, people are using reportbug in /tmp and I don't see > a reason to assume people are not doing that. The chance of successful exploitation still seems very small, and

Processed: Re: Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]: > # Bcc: control > tags 484311 + patch Bug#484311: reportbug adds os.curdir to sys.path Tags were: security Tags added: patch > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system admi

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Y Giridhar Appaji Nag
# Bcc: control tags 484311 + patch thanks On 08/06/04 16:51 +0530, Y Giridhar Appaji Nag said ... > Chris, can you confirm that this is the case? We can remove os.curdir or add it > as the last entry in sys.path. > > As an aside, I noticed that /usr/share/reportbug is added to sys.path once > again

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Sandro Tosi
Hi all, >> > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path >> > >> > To "exploit": >> > $ echo 'raise "FOO"' > token.py >> > $ reportbug >> >> Can you explain how this is a practical user security hole? Your exploit >> shows how to "exploit yourself", but it seems very unlikely to me t

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Y Giridhar Appaji Nag
On 08/06/03 18:26 +0200, Thomas Arendsen Hein said ... > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path It looks like os.curdir has been added to sys.path only for temporary debugging purposes (code modified in local directory and wanting to test it without installing reportbug). Chris

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Nico Golde
Hi Thijs, * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-06-04 12:52]: > On Tue, June 3, 2008 18:26, Thomas Arendsen Hein wrote: > > Package: reportbug > > Version: 3.31 > > Severity: grave > > Tags: security > > Justification: user security hole > > > > > > sys.path = [os.curdir, '/usr/share/reportbu

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Thijs Kinkhorst
Hi, On Tue, June 3, 2008 18:26, Thomas Arendsen Hein wrote: > Package: reportbug > Version: 3.31 > Severity: grave > Tags: security > Justification: user security hole > > > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path > > To "exploit": > $ echo 'raise "FOO"' > token.py > $ reportbug

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Nico Golde
Hi Thomas, * Thomas Arendsen Hein <[EMAIL PROTECTED]> [2008-06-03 18:51]: [...] > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path > > To "exploit": [...] Please use CVE-2008-2230 if you fix this bug and reference this CVE id in the changelog when closing the bug. Cheers Nico -- Nico

Bug#484311: reportbug adds os.curdir to sys.path

2008-06-03 Thread Thomas Arendsen Hein
Package: reportbug Version: 3.31 Severity: grave Tags: security Justification: user security hole sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path To "exploit": $ echo 'raise "FOO"' > token.py $ reportbug Traceback (most recent call last): File "/usr/bin/reportbug", line 39, in ?
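The hazard in the report above, as an added example that is not reportbug's own code: the `[os.curdir, '/usr/share/reportbug'] + sys.path` layout from the report is placed beside a version without `os.curdir`, and a small check reports which module names the current working directory would hijack. The stdlib directory, the module list, the decoy file contents and the scratch directory are constructed for the demo; the decoy is never imported, only located.

```python
"""Added example (not reportbug's code): reproduce the cwd-first sys.path
hazard from Bug#484311 and check which module names the current directory
would hijack.  STDLIB_DIR, the module list and the decoy file are constructed
for the demo; '/usr/share/reportbug' is the app directory from the report."""
import os
import tempfile

# Directory holding the stdlib's pure-Python modules (where token.py lives).
STDLIB_DIR = os.path.dirname(os.__file__)


def reportbug_style_path(base_path, app_dir="/usr/share/reportbug"):
    """The layout from the report: [os.curdir, app_dir] + sys.path.
    Anything in the user's cwd is consulted before the standard library."""
    return [os.curdir, app_dir] + list(base_path)


def hardened_path(base_path, app_dir="/usr/share/reportbug"):
    """Drop os.curdir altogether.  app_dir may stay in front only because it
    is an absolute, non-user-writable path; a relative or user-writable entry
    there would reintroduce the same problem."""
    return [app_dir] + list(base_path)


def first_provider(search_path, name):
    """Return (entry, file) for the first search_path entry containing
    name.py or name/__init__.py, mirroring the importer's left-to-right scan
    over plain directories (zip entries and extension modules are ignored
    in this demo).  None if no directory entry provides the module."""
    for entry in search_path:
        directory = entry or os.curdir          # '' also means "current directory"
        if not os.path.isdir(directory):
            continue
        for candidate in (name + ".py", os.path.join(name, "__init__.py")):
            path = os.path.join(directory, candidate)
            if os.path.isfile(path):
                return entry, path
    return None


def hijacked_modules(search_path, names):
    """Map each name whose first provider is the current working directory
    to the file that would be executed at import time."""
    cwd = os.path.realpath(os.getcwd())
    hijacked = {}
    for name in names:
        found = first_provider(search_path, name)
        if found is None:
            continue
        entry, path = found
        if os.path.realpath(entry or os.curdir) == cwd:
            hijacked[name] = path
    return hijacked


def demo():
    """Run the report's scenario in a scratch directory: plant token.py, then
    compare the two layouts.  Returns (hijacked_with_bug, hijacked_when_fixed).
    "os" is a control name with no decoy and must never be flagged."""
    names = ["token", "os"]
    original_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        os.chdir(scratch)
        try:
            with open("token.py", "w") as decoy:
                # Stands in for the report's decoy; never imported here.
                decoy.write('raise RuntimeError("FOO")\n')
            with_bug = hijacked_modules(reportbug_style_path([STDLIB_DIR]), names)
            fixed = hijacked_modules(hardened_path([STDLIB_DIR]), names)
        finally:
            os.chdir(original_cwd)
    return with_bug, fixed


if __name__ == "__main__":
    with_bug, fixed = demo()
    print("cwd-first layout hijacks:", with_bug)   # {'token': './token.py'}
    print("hardened layout hijacks: ", fixed)      # {}
```

The check deliberately scans the file system instead of calling the import machinery, so it never executes the decoy and is not affected by `sys.path_importer_cache`. Note that removing the application's own `os.curdir` entry is a separate matter from the interpreter's habit of prepending the script directory (or the cwd for `-c`/`-m`) to `sys.path`; on Python 3.11 and later the `-P` option or `PYTHONSAFEPATH` disables that prepend, but it does nothing about a path entry the program adds itself.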