[Secure-testing-team] Bug#837534: apt-listchanges: postinst runs a Python script out of /tmp/
Raphaël Hertzog
hertzog at debian.org
Mon Sep 12 09:35:00 UTC 2016
Package: apt-listchanges
Version: 3.3
Severity: critical
Tags: security
The postinst script runs a Python script that it creates in /tmp/.
Unfortunately, Python adds the directory where the script resides
to sys.path, and all the imports will thus be resolved in that
directory.
A simple user could create "/tmp/debconf.py" for example and have
his code executed by root the next time that apt-listchanges
is upgraded/configured.
(cf. the recent discussion on debian-devel, https://lists.debian.org/87twdq4cqx.fsf@hope.eyrie.org)
You should thus create that temporary file in a root-owned
directory which is specific to apt-listchanges.
You should also review whether that issue needs to be fixed in
stable/oldstable...
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt-listchanges depends on:
ii apt 1.3~rc4
ii debconf [debconf-2.0] 1.5.59
ii debianutils 4.8
ii python3-apt 1.1.0~beta5
pn python3:any <none>
ii ucf 3.0036
apt-listchanges recommends no packages.
Versions of packages apt-listchanges suggests:
ii chromium [www-browser] 53.0.2785.92-2
ii eterm [x-terminal-emulator] 0.9.6-4
ii firefox-esr [www-browser] 45.3.0esr-2
ii gnome-terminal [x-terminal-emulator] 3.21.90-3
ii lynx [www-browser] 2.8.9dev9-1
ii postfix [mail-transport-agent] 3.1.0-5+b1
ii python3-gi 3.21.91-2
ii terminator [x-terminal-emulator] 0.98-1
ii w3m [www-browser] 0.5.3-29
ii xterm [x-terminal-emulator] 325-1
-- debconf information excluded
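The following is an added demonstration of the sys.path behaviour the report describes and of the fix it proposes; it is not code from the bug report or from apt-listchanges. The helper script, the rogue `debconf.py` and the temporary directories are all constructed here: one throw-away directory plays the role of the shared `/tmp`, another plays the role of the root-owned, package-specific directory the reporter asks for. It also shows `python3 -I`, which keeps the script's directory off sys.path regardless of where the script lives.

```python
import os
import shutil
import stat
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for the helper script the postinst writes out (constructed example,
# not apt-listchanges' real script). It imports a module by a name an attacker
# can predict, exactly as the report describes.
HELPER_SCRIPT = textwrap.dedent("""\
    try:
        import debconf
    except ImportError:
        print("no-debconf")
    else:
        print("planted" if getattr(debconf, "PLANTED", False) else "genuine")
""")

# What the unprivileged user drops as /tmp/debconf.py (constructed). A real
# attacker would put arbitrary code here; root would run it on the next configure.
ROGUE_DEBCONF = "PLANTED = True\n"


def run_helper(script_path, isolated=False):
    """Run the helper as a subprocess and return its single line of output."""
    argv = [sys.executable]
    if isolated:
        # -I (Python >= 3.4): isolated mode. The script's directory is not
        # prepended to sys.path, so a sibling debconf.py is never considered.
        argv.append("-I")
    argv.append(script_path)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def run_from_shared_dir(plant_rogue, isolated=False):
    """Model the report's scenario: the script lands in a directory the
    attacker could write to (this temp dir plays the role of /tmp)."""
    shared = tempfile.mkdtemp(prefix="shared-")
    try:
        if plant_rogue:  # the unprivileged user's move
            with open(os.path.join(shared, "debconf.py"), "w") as f:
                f.write(ROGUE_DEBCONF)
        script = os.path.join(shared, "listchanges-helper.py")  # root's move
        with open(script, "w") as f:
            f.write(HELPER_SCRIPT)
        return run_helper(script, isolated=isolated)
    finally:
        shutil.rmtree(shared)


def dir_is_private(path):
    """The check a postinst should make before writing a script somewhere:
    the directory must belong to the current (root) user and must not be
    writable by group or others, so nobody else can plant a module in it."""
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_dir_checks():
    """Return (result for a fresh 0700 mkdtemp dir, result for a 0777 dir)."""
    private = tempfile.mkdtemp(prefix="private-")
    loose = tempfile.mkdtemp(prefix="loose-")
    try:
        os.chmod(loose, 0o777)  # mimic a world-writable location like /tmp
        return dir_is_private(private), dir_is_private(loose)
    finally:
        shutil.rmtree(private)
        shutil.rmtree(loose)


def run_from_private_dir():
    """The reporter's recommended fix: create a fresh directory owned by the
    invoking user with mode 0700 (mkdtemp does exactly that) and write the
    script there. Nobody else can drop debconf.py beside it, so the import
    resolves to the real module or to nothing."""
    private = tempfile.mkdtemp(prefix="apt-listchanges-")
    try:
        if not dir_is_private(private):
            raise RuntimeError("refusing to write a script into a shared directory")
        script = os.path.join(private, "listchanges-helper.py")
        with open(script, "w") as f:
            f.write(HELPER_SCRIPT)
        return run_helper(script)
    finally:
        shutil.rmtree(private)


if __name__ == "__main__":
    print("shared dir, rogue planted:           ", run_from_shared_dir(True))
    print("shared dir, rogue planted, python -I:", run_from_shared_dir(True, isolated=True))
    print("private 0700 dir:                    ", run_from_private_dir())
    print("dir_is_private (0700, 0777):         ", demo_dir_checks())
```

The first run prints `planted`: the interpreter found the attacker's `debconf.py` before any system module, which is the root-executes-user-code problem of the report. The other two runs never print `planted`; they print `genuine` when the real debconf module is installed and `no-debconf` otherwise. In a maintainer script the equivalent of `run_from_private_dir` is `mktemp -d` under a root-only location rather than a fixed name in `/tmp`, and `python3 -I` (or `-P` on Python 3.11 and later, which only drops the script directory) closes the import path even if the script still has to live somewhere shared.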