Bug#501959: chm2pdf: Major security (temporary dirs) problems

2008-10-11 Thread Karol Lewandowski
Package: chm2pdf
Version: 0.9-2
Severity: grave
Justification: causes non-serious data loss

There are several problems with this package:

1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories
   (where X is the file basename, foo for foo.chm).

   This makes the script unusable for other users, i.e. userA runs chm2pdf
   which creates /tmp/chm2pdf with userA as owner; userB has no chance to
   create files there.


2. A malicious user could prepare a directory structure which upon chm2pdf
   execution could cause serious data loss.

from /usr/bin/chm2pdf:

 CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
 CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
...
 CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
 CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
...
 os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
 os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
.

A malicious user could do e.g.:

malicious$ mkdir /tmp/chm2pdf/{orig,work}
malicious$ cd /tmp/chm2pdf/orig
malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
 ln -s /home/victim/ `basename ${f%%.chm}`
 done

And ask user victim to convert any of his own .chm files.


Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.27-rc7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages chm2pdf depends on:
ii  htmldoc 1.8.27-3 HTML processor that generates inde
ii  libchm-bin  2:0.39-9 library for dealing with Microsoft
ii  python  2.5.2-2  An interactive high-level object-o
ii  python-chm  0.8.4-0.1+b1 Python binding for CHMLIB
ii  python-support  0.8.4  automated rebuilding support for P

chm2pdf recommends no packages.

chm2pdf suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
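
The two problems in the report above (a fixed, shared /tmp/chm2pdf path and cleanup via a shell `rm -r DIR/*`) can both be avoided with a per-run private directory. The following is an added example in Python 3, not code from chm2pdf or from the original report; the names `private_work_dirs` and `cleanup_spares_symlink_targets` are hypothetical.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager


@contextmanager
def private_work_dirs(name):
    """Yield (orig_dir, work_dir) inside a fresh per-run directory.

    tempfile.mkdtemp() picks an unpredictable name and creates the directory
    with mode 0700, so another local user can neither pre-create it nor
    place entries inside it, and two users never compete for one path.
    """
    basename = os.path.basename(name)
    if basename in ("", ".", ".."):
        raise ValueError("unusable basename: %r" % name)
    root = tempfile.mkdtemp(prefix="chm2pdf-")
    try:
        orig_dir = os.path.join(root, "orig", basename)
        work_dir = os.path.join(root, "work", basename)
        os.makedirs(orig_dir)
        os.makedirs(work_dir)
        yield orig_dir, work_dir
    finally:
        # shutil.rmtree() unlinks symlinks instead of descending into them,
        # and no shell is involved, so no glob such as DIR/* gets expanded.
        shutil.rmtree(root, ignore_errors=True)


def cleanup_spares_symlink_targets():
    """Constructed check: a symlink left in the work area must not cause
    the directory it points at to be emptied during cleanup."""
    outside = tempfile.mkdtemp(prefix="outside-")  # stands in for unrelated data
    keep = os.path.join(outside, "keep.txt")
    with open(keep, "w") as fh:
        fh.write("data\n")
    try:
        with private_work_dirs("foo") as (orig_dir, _work_dir):
            os.symlink(outside, os.path.join(orig_dir, "link"))
        return os.path.exists(keep)  # True: only the link itself was removed
    finally:
        shutil.rmtree(outside, ignore_errors=True)
```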



Bug#399426: secpolicy: broken and/or useless

2006-11-19 Thread Karol Lewandowski
Package: secpolicy
Version: 4:3.5.5-1
Severity: grave
Justification: renders package unusable

Secpolicy as provided by kdeadmin is useless.  It displays a list of PAM
services on the left (correctly) and... something on the right.
Selecting services in the left panel doesn't have any effect on the
contents of the right panel.  The right panel constantly displays something
that looks like the concatenated contents of /etc/pam.d/*.

Please don't include this package with etch.

Thanks.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (10, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-rc6
Locale: LANG=C, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages secpolicy depends on:
ii  kdelibs4c2a  4:3.5.5a.dfsg.1-1  core libraries and binaries for al
ii  libc6  2.3.6.ds1-4   GNU C Library: Shared libraries
ii  libgcc1  1:4.1.1-19  GCC support library
ii  libqt3-mt  3:3.3.7-1 Qt GUI Library (Threaded runtime v
ii  libstdc++6 4.1.1-19  The GNU Standard C++ Library v3

secpolicy recommends no packages.

-- no debconf information

