[Reportbug-maint] Bug#484311: reportbug adds os.curdir to sys.path

Chris Lawrence lordsutch at gmail.com
Wed Jun 4 14:53:51 UTC 2008


Per my vac message if you guys can put together a quick release in the
next day or so that would be great. It will otherwise be Tuesday at
the earliest. Chris.

On 6/4/08, Thijs Kinkhorst <thijs at debian.org> wrote:
> On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote:
>> I encountered this bug in the real world: I extracted a tarball
>> which contained a file named token.py, then I wanted to report a problem
>> and therefore started reportbug.
>>
>> This tarball did not contain harmful code, but as I did not verify
>> it before (because I did not intend to execute parts of it), it could have
>> been harmful.
>>
>> And of course there is /tmp as mentioned by Nico Golde.
>
> That it can happen by accident does not mean that it is easy to explicitly
> exploit. I still believe that those chances are small enough to not
> consider an update to stable (needs local malicious user, needs victim
> user to run reportbug in exactly the right dir, and only then provides
> access to "just" the user account).
>
> If the maintainer wants to provide an update through a stable point update
> that is of course fine.
>
>
> Thijs

-- 
Sent from Gmail for mobile | mobile.google.com

Christopher N. Lawrence, Ph.D. <clawren at tulane.edu>
Visiting Assistant Professor of Political Science
Tulane University
309 Norman Mayer Building
New Orleans, Louisiana 70118-5698

Website: http://www.cnlawrence.com/
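The bug discussed in this thread is module shadowing: with os.curdir (or the empty string) on sys.path, a `token.py` left in the working directory by an untrusted tarball is imported instead of the standard-library `token` module the program wanted, and its top-level code runs as the invoking user. The following is an added example, not reportbug's code and not part of the thread; it reproduces the effect in a throw-away directory and shows a sys.path sanitiser. The helper names (`import_token_with`, `strip_cwd_entries`) are hypothetical, the `sys.path.insert(0, os.curdir)` line is an assumption about how the path entry got there, and the shadow `token.py` is a constructed, harmless marker.

```python
"""Added example: how a token.py in the working directory shadows the stdlib
`token` module when os.curdir is on sys.path, and how to strip such entries.
Hypothetical helper names; not reportbug's code."""
import json
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for an untrusted token.py sitting in the working
# directory (e.g. extracted from a tarball). It only sets a marker; a real
# attacker would put arbitrary code here and it would run on import.
SHADOW_TOKEN_PY = textwrap.dedent("""
    PAYLOAD_RAN = True  # marker proving the shadow module was executed
""")

# Child interpreter program. mode "curdir" reproduces the bug by putting
# os.curdir on sys.path (assumed to mirror what reportbug did); "clean"
# leaves sys.path alone. It reports where `token` was loaded from.
CHILD = textwrap.dedent("""
    import json, os, sys
    if sys.argv[1] == "curdir":
        sys.path.insert(0, os.curdir)
    import token
    here = os.path.dirname(os.path.abspath(token.__file__))
    print(json.dumps({"in_cwd": here == os.getcwd(),
                      "payload": getattr(token, "PAYLOAD_RAN", False)}))
""")


def import_token_with(mode):
    """Run `import token` in a fresh interpreter whose cwd holds a shadow
    token.py. mode is "curdir" (reproduce the bug) or "clean".
    Returns (module_loaded_from_cwd, payload_ran)."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "token.py"), "w") as fh:
            fh.write(SHADOW_TOKEN_PY)
        # -I (isolated mode) stops the child from adding cwd to sys.path on
        # its own, so only the explicit insert in CHILD can put it there.
        proc = subprocess.run(
            [sys.executable, "-I", "-c", CHILD, mode],
            cwd=workdir, capture_output=True, text=True, check=True)
    result = json.loads(proc.stdout)
    return result["in_cwd"], result["payload"]


def strip_cwd_entries(path_entries, cwd=None):
    """Return a copy of a sys.path-like list without entries that resolve to
    the working directory: "", os.curdir, or an absolute path equal to cwd."""
    cwd = os.path.abspath(cwd or os.getcwd())
    return [p for p in path_entries
            if p not in ("", os.curdir) and os.path.abspath(p) != cwd]


if __name__ == "__main__":
    print("with os.curdir on sys.path:", import_token_with("curdir"))
    print("without:                   ", import_token_with("clean"))
    print(strip_cwd_entries(["", ".", os.getcwd(),
                             "/usr/lib/python3/dist-packages"]))
```

Run stand-alone, the first call reports `(True, True)`: the shadow `token.py` in the working directory was imported and its top-level code ran. The second reports `(False, False)`. `strip_cwd_entries` is the defensive counterpart: call it on `sys.path` at startup in a tool that may be launched from an untrusted directory such as /tmp. On Python 3.11 and later the interpreter's `-P` flag (or `PYTHONSAFEPATH=1`) keeps the working directory off sys.path without any code change.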
