Package: dput
Version: 0.9.2.35
Severity: normal

There's an (admittedly very small) chance that the Python script in
postinst can be intercepted by an unprivileged user on a multiuser
system, if the postinst script happens to be executed from a directory
where that user has write access. This is because when a script
specified with the -c argument of the Python interpreter is run, it
will first search for modules in the working directory.

For example, suppose I create the file compileall.py with the following
contents in the current working directory:

# compileall.py -- decoy planted in the working directory; it shadows
# the standard-library module of the same name that postinst imports
def main():
    print("Hello")

Then, invoking "sudo dpkg-reconfigure dput" from the same directory
will give the output "Hello". Though perhaps this could be considered
a user error, since dpkg is invoked from an "untrusted" directory.
Anyhow, the following patch simply suggests changing to a directory
that is known to be safe before invoking the script.

--- a/debian/postinst   2008-09-22 18:01:17.000000000 +0000
+++ b/debian/postinst   2008-10-21 22:05:00.000000000 +0000
@@ -4,6 +4,7 @@
 
 case "$1" in
        configure|abort-upgrade|abort-remove|abort-deconfigure)
+               cd $DIR
                python -c 'import sys, compileall ; exit_status = int(not 
compileall.main()); sys.exit(exit_status)' -q $DIR
        ;;
        *)
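Review bot: the added `cd $DIR` is unquoted and its result is unchecked; if `$DIR` contains whitespace the argument is mis-split, and if the cd fails (directory missing, variable empty) the interpreter is still launched from the caller's untrusted working directory, which is exactly the case this patch means to close. Suggest `cd "$DIR" || exit 1`, and note that the `-q $DIR` argument on the following line keeps working after the cd only if `$DIR` is an absolute path. Since the root cause is the empty entry that `python -c` places at the front of sys.path (meaning "current working directory") rather than the directory itself, an alternative that does not depend on where `$DIR` points is to remove that entry inside the one-liner before `import compileall`, e.g. `python -c 'import sys; sys.path[:] = [p for p in sys.path if p != ""]; import compileall; ...'`.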

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages dput depends on:
ii  gnupg                         1.4.9-3    GNU privacy guard - a free PGP rep
ii  python                        2.5.2-2    An interactive high-level object-o

dput recommends no packages.

Versions of packages dput suggests:
ii  lintian                       2.0.0      Debian package checker
ii  mini-dinstall                 0.6.25     daemon for updating Debian package
ii  openssh-client                1:5.1p1-3  secure shell client, an rlogin/rsh
ii  rsync                         3.0.4-3    fast remote file copy program (lik
pn  yaclc                         <none>     (no description available)

-- no debconf information
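An added example, not part of the bug report or of dput's postinst, that reproduces the module-search behaviour the report relies on and checks both ways of closing it: the original `import compileall` one-liner run from an attacker-writable directory, the same one-liner run from `/` (the patch's approach of changing to a safe directory first), and a variant that drops the current-directory entry from `sys.path` before importing. It assumes a Python 3 interpreter is available as `sys.executable`; the decoy module contents and the scratch directory are constructed for the example.

```python
import os
import subprocess
import sys
import tempfile

# Decoy module contents (constructed for this example). Planted as
# compileall.py in a directory the attacker can write to, it shadows the
# standard-library compileall module the postinst imports.
DECOY_SOURCE = 'def main():\n    print("Hello")\n    return True\n'

# The import the postinst one-liner performs, reduced to reporting where
# the compileall module was actually loaded from.
UNSAFE_ONE_LINER = "import sys, compileall; print(compileall.__file__)"

# Hardened variant: 'python -c' puts the empty string (meaning the current
# working directory) at sys.path[0]; drop it before the import. Filtering
# on '' rather than popping index 0 keeps the stdlib entry intact on
# interpreters started with -P / PYTHONSAFEPATH (3.11+), where the entry
# is simply absent.
HARDENED_ONE_LINER = (
    "import sys; sys.path[:] = [p for p in sys.path if p != '']; "
    "import compileall; print(compileall.__file__)"
)


def compileall_origin(one_liner, cwd):
    """Run `python -c one_liner` with the given working directory and return
    the absolute path compileall was imported from."""
    # Strip PYTHONSAFEPATH so the child behaves like a stock 'python -c'.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    result = subprocess.run(
        [sys.executable, "-c", one_liner],
        cwd=cwd, env=env, capture_output=True, text=True, check=True,
    )
    origin = result.stdout.strip()
    # Older interpreters report a cwd-relative path for modules found via
    # the '' entry; joining with cwd is a no-op when origin is absolute.
    return os.path.realpath(os.path.join(cwd, origin))


def demo():
    """Plant the decoy in a scratch directory and run the one-liner three
    ways. Returns, per run, whether the decoy was imported instead of the
    standard-library module."""
    with tempfile.TemporaryDirectory() as scratch:
        decoy = os.path.realpath(os.path.join(scratch, "compileall.py"))
        with open(decoy, "w") as fh:
            fh.write(DECOY_SOURCE)
        return {
            # what the unpatched postinst does when run from the attacker's dir
            "unsafe_from_writable_dir":
                compileall_origin(UNSAFE_ONE_LINER, scratch) == decoy,
            # the patch's approach: same one-liner, started from a safe dir
            "unsafe_from_root":
                compileall_origin(UNSAFE_ONE_LINER, "/") == decoy,
            # the sys.path approach: attacker's dir, but cwd entry removed
            "hardened_from_writable_dir":
                compileall_origin(HARDENED_ONE_LINER, scratch) == decoy,
        }


if __name__ == "__main__":
    for name, hijacked in demo().items():
        print("%-28s decoy imported: %s" % (name, hijacked))
```

Only the first run should report the decoy; the other two show that either changing directory (as the patch does) or scrubbing the `''` entry from `sys.path` is sufficient on its own, and the `sys.path` variant has the advantage of not depending on which directory the maintainer script happens to pick.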


