Your message dated Wed, 04 Jun 2008 20:47:17 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#484474: fixed in reportbug-ng 0.2008.06.04
has caused the Debian Bug report #484474,
regarding [reportbug-ng] code execution by preparing module files in os.curdir
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
484474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484474
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: reportbug-ng
Version: 0.2008.03.28
Severity: grave
Tags: security

Hiho,
reportbug-ng is vulnerable to arbitrary code execution because it adds
os.curdir to sys.path before checking for module files in the shared
directory:

24 sys.path = sys.path + [os.curdir, '/usr/share/reportbug-ng']

This gives potential attackers the possibility to write malicious
reportbug-ng modules and spread them through some directories.

For example:

[EMAIL PROTECTED]:/tmp$] cat > ui.py
print 'doing some malicious stuff here'
raise 'foobar'
[EMAIL PROTECTED]:/tmp$] reportbug-ng somepackage
doing some malicious stuff here
./ui.py:2: DeprecationWarning: raising a string exception is deprecated
  raise 'foobar'
Traceback (most recent call last):
  File "/usr/bin/reportbug-ng", line 26, in <module>
    from ui.MyMainWindow import MyMainWindow
  File "./ui.py", line 2, in <module>
    raise 'foobar'
foobar

I suggest removing os.curdir from sys.path or changing the order of
/usr/share/reportbug-ng and os.curdir as I doubt you are loading modules
that are not installed :)

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
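The shadowing Nico describes comes down to the order of sys.path. The following is an added example, not code from the bug report or from reportbug-ng: it audits a search path for working-directory entries that are consulted before the application's module directory, applies the suggested fix of dropping them, and resolves which file an import would actually pick up without executing it. The site-packages entry in VULNERABLE is a constructed stand-in for the interpreter's own directories.

```python
"""Added example (not from the bug report or reportbug-ng): audit a sys.path
ordering for entries that let a module file in the working directory shadow an
application's installed modules, and resolve imports without executing them."""
import importlib.machinery
import os

PKG_DIR = '/usr/share/reportbug-ng'   # installed module directory named in the report


def is_cwd_entry(entry):
    """'' and os.curdir both mean "the working directory"; any other relative
    entry is resolved against it as well, so all three are attacker-reachable."""
    return entry in ('', os.curdir) or not os.path.isabs(entry)


def shadowing_entries(path, pkg_dir):
    """Entries searched before pkg_dir that resolve relative to the cwd.

    sys.path is tried in order, so a same-named file in any such entry wins
    the lookup over the module installed under pkg_dir."""
    bad = []
    for entry in path:
        if os.path.abspath(entry) == os.path.abspath(pkg_dir):
            break               # from here on nothing can shadow pkg_dir's modules
        if is_cwd_entry(entry):
            bad.append(entry)
    return bad


def hardened_path(path):
    """The fix suggested in the report: keep the order, drop every cwd/relative entry."""
    return [p for p in path if not is_cwd_entry(p)]


def resolve_origin(name, path):
    """File that `import name` would load from this search path. find_spec only
    locates the candidate module, it never runs it, so this is safe to audit with."""
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return None if spec is None else spec.origin


# Ordering built by line 24 of reportbug-ng 0.2008.03.28; the first entry is a
# constructed stand-in for the interpreter's own directories.
VULNERABLE = ['/usr/lib/python2.5/site-packages', os.curdir, PKG_DIR]

if __name__ == '__main__':
    print('can shadow %s: %r' % (PKG_DIR, shadowing_entries(VULNERABLE, PKG_DIR)))
    print('hardened path: %r' % hardened_path(VULNERABLE))
    print('"import ui" would load: %r' % resolve_origin('ui', VULNERABLE))
```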
--- Begin Message ---
Source: reportbug-ng
Source-Version: 0.2008.06.04

We believe that the bug you reported is fixed in the latest version of
reportbug-ng, which is due to be installed in the Debian FTP archive:

reportbug-ng_0.2008.06.04.dsc
  to pool/main/r/reportbug-ng/reportbug-ng_0.2008.06.04.dsc
reportbug-ng_0.2008.06.04.tar.gz
  to pool/main/r/reportbug-ng/reportbug-ng_0.2008.06.04.tar.gz
reportbug-ng_0.2008.06.04_all.deb
  to pool/main/r/reportbug-ng/reportbug-ng_0.2008.06.04_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Venthur <[EMAIL PROTECTED]> (supplier of updated reportbug-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Wed, 4 Jun 2008 20:23:13 +0200
Source: reportbug-ng
Binary: reportbug-ng
Architecture: source all
Version: 0.2008.06.04
Distribution: unstable
Urgency: high
Maintainer: Bastian Venthur <[EMAIL PROTECTED]>
Changed-By: Bastian Venthur <[EMAIL PROTECTED]>
Description:
 reportbug-ng - An easy to use alternative to Debian's classic reportbug
Closes: 484474
Changes:
 reportbug-ng (0.2008.06.04) unstable; urgency=high
 .
   * Fixed possible code execution by preparing module files in os.curdir
     (Closes: #484474)
--- End Message ---

