Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution
From: Philipp Kern <pkern@debian.org>
Date: Thu, 17 Jan 2008 16:35:47 +0100
Message-id: <[🔎] 20080117153547.GA12756@durotan.0x539.de>
In-reply-to: <20080117143845.GA4688@steve.org.uk>
References: <20080117143845.GA4688@steve.org.uk>

On Thu, Jan 17, 2008 at 02:38:45PM +0000, Steve Kemp wrote:
> Felipe Sateler discovered that apt-listchanges, a package change history
> notification tool, used unsafe paths when importing its python libraries.
> This could allow the execution of arbitary shell commands if the root user
> executed the command in a directory which other local users may write
> to.

Still that breaks because os is not imported.  Please fix.  Quickly.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                             Debian Developer
: :' :  http://philkern.de                       Debian Release Assistant
`. `'   xmpp:phil@0x539.de                       Ubuntu MOTU
  `-    finger pkern/key@db.debian.org

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: How about carrying this list on gmane?
Next by Date: Re: How about carrying this list on gmane?
Previous by thread: Re: How about carrying this list on gmane?
Next by thread: Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution
Index(es):
- Date
- Thread