[Reportbug-maint] Bug#484311: reportbug adds os.curdir to sys.path

Sandro Tosi matrixhasu at gmail.com
Wed Jun 4 11:30:41 UTC 2008

Hi all,

>> > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
>> >
>> > To "exploit":
>> > $ echo 'raise "FOO"' > token.py
>> > $ reportbug
>> Can you explain how this is a practical user security hole? Your exploit
>> shows how to "exploit yourself", but it seems very unlikely to me that an
>> attacker can
>> 1) create a file token.py
>> 2) make sure the user is in that curdir
>> 3) AND invoke reportbug.
>> That seems rather contrived to me.
> I agree that it is of a low impact but I disagree that this
> is not a security issue, people are using reportbug in /tmp
> and I don't see a reason to assume people are not doing
> that.

Thanks a lot for the promptly support! I'm currently at work, with no
svn (+ssh keys) access: once at home I'll prepare an upload for
reportbug fixing this issue; just for reference, I'll remove all
os.curdir from list below:

$ grep sys.path *
querybts:sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
reportbug:sys.path = ['/usr/share/reportbug'] + sys.path
reportbug:    sys.path.append('/usr/share/reportbug')
reportbug.py:    for d in sys.path:
reportbug_submit.py:sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
reportbug_submit.py:    sys.path.append('/usr/share/reportbug')


PS: link to CVE: http://security-tracker.debian.net/tracker/CVE-2008-2230

Sandro Tosi (aka morph, Morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

More information about the Reportbug-maint mailing list