
where to submit low security vulnerability in .profile?



Hi,

I'm not sure where or how or even if I should submit a bug about a small security 
vulnerability in the default .profile that is created in each user's home 
directory. 

.profile searches for a ~/bin directory and if it finds it prepends it to
PATH like so: PATH='$HOME/bin':$PATH

This could be a potential security vulnerability because if the user account
of a user with 'su' power is compromised, an attacker could place a malicious 'su', 'ls', 
and 'which' in their ~/bin directory, which could give the attacker the root
password when the user runs the 'su' command.  

A safer configuration would be PATH=$PATH:'$HOME/bin'.
This way, if malicious copies of system programs were placed in the user's
~/bin directory, the uncompromised system copies would still be run.

Kind regards,
-David Bunch
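One way to audit the ordering the post describes, as an added example (not the poster's code or the distribution's .profile): a POSIX sh script that lists the PATH entries searched before the system directories and flags those the current user can write to. The system directory list and the /home/alice path are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Audit the search order of a PATH value. An entry that comes before the
# system directories and is writable by the unprivileged user can shadow
# commands such as su or ls, the risk described for PATH="$HOME/bin:$PATH";
# PATH="$PATH:$HOME/bin" puts the system copies first.

# Print, one per line, the PATH entries ($1 is the PATH string) that are
# searched before the first system directory (/bin, /usr/bin, /sbin, /usr/sbin).
entries_before_system() {
  rest="$1"
  while [ -n "$rest" ]; do
    case "$rest" in
      *:*) entry="${rest%%:*}"; rest="${rest#*:}" ;;
      *)   entry="$rest"; rest="" ;;
    esac
    case "$entry" in
      /bin|/usr/bin|/sbin|/usr/sbin) return 0 ;;
      *) printf '%s\n' "$entry" ;;
    esac
  done
  return 0
}

# Number of entries searched ahead of the system directories; 0 means no
# directory can shadow a system command.
count_shadowing_entries() {
  entries_before_system "$1" | grep -c . || true
}

# Of those entries, print the ones that exist and are writable by the
# current user: a binary dropped there would be found first.
writable_shadowing_entries() {
  entries_before_system "$1" | while IFS= read -r dir; do
    [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
  done
}

# Demonstration on the two orderings from the post. /home/alice is a
# constructed placeholder for $HOME.
risky="/home/alice/bin:/usr/local/bin:/usr/bin:/bin"
safe="/usr/local/bin:/usr/bin:/bin:/home/alice/bin"
echo "risky order: $(count_shadowing_entries "$risky") entries ahead of system dirs"
echo "safe order:  $(count_shadowing_entries "$safe") entries ahead of system dirs"
echo "writable shadowing dirs in your own PATH:"
writable_shadowing_entries "$PATH"
```

Run it as `sh pathcheck.sh`; an empty list under the last line means nothing writable by you is searched before the system copies.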

