
Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution

From: Philipp Kern <pkern(at)debian.org>
Date: Thu Jan 17 2008 - 10:35:47 EST


On Thu, Jan 17, 2008 at 02:38:45PM +0000, Steve Kemp wrote:
> Felipe Sateler discovered that apt-listchanges, a package change history
> notification tool, used unsafe paths when importing its python libraries.
> This could allow the execution of arbitrary shell commands if the root user
> executed the command in a directory which other local users may write
> to.

Still that breaks because os is not imported. Please fix. Quickly.

Kind regards,
Philipp Kern

-- 
 .''`.  Philipp Kern                             Debian Developer
: :' :  http://philkern.de                       Debian Release Assistant
`. `'   xmpp:phil@0x539.de                       Ubuntu MOTU
  `-    finger pkern/key@db.debian.org


Received on Thu Jan 17 10:36:36 2008
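
The class of problem named in the quoted advisory (Python libraries imported from paths another local user can write to), as an added example that is not part of the original thread and is not the apt-listchanges fix: a POSIX-only audit of import path entries. The function names, the `trusted_uids` parameter and the sample directories are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def unsafe_path_entries(paths, cwd=None, trusted_uids=None):
    """Return (entry, reason) for import path entries a local user could influence."""
    cwd = cwd if cwd is not None else os.getcwd()
    trusted = {0, os.getuid()} if trusted_uids is None else set(trusted_uids)
    findings = []
    for entry in paths:
        if not os.path.isabs(entry):
            # '' and relative entries resolve against whatever directory
            # the command happens to be started in.
            findings.append((entry, "relative to current directory"))
            resolved = os.path.join(cwd, entry)
        else:
            resolved = entry
        try:
            st = os.stat(resolved)
        except OSError:
            continue  # entry does not exist, so nothing can be loaded from it
        if not stat.S_ISDIR(st.st_mode):
            continue  # zip archives and other files are out of scope here
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory writable by group/others"))
        elif st.st_uid not in trusted:
            findings.append((entry, "directory owned by untrusted uid"))
    return findings


def demo():
    # Constructed sample: one private and one world-writable directory.
    with tempfile.TemporaryDirectory() as base:
        private = os.path.join(base, "private")
        shared = os.path.join(base, "shared")
        os.mkdir(private)
        os.mkdir(shared)
        os.chmod(private, 0o755)
        os.chmod(shared, 0o777)
        return unsafe_path_entries(["", private, shared], cwd=private)


if __name__ == "__main__":
    # Audit the interpreter's own import path.
    for entry, reason in unsafe_path_entries(sys.path):
        print(f"{entry!r}: {reason}")
```

Run as the account that will execute the tool, from the directory it is normally started in, since both change what a relative entry resolves to.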

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:16 EDT

