[Gutsy] postinst script allows to take over arbitray files

Bug #302490 reported by Ansgar Burchardt
This bug affects 1 person
Affects Status Importance Assigned to Milestone
hplip (Ubuntu)

Bug Description

Binary package hint: hplip

This part of the postinst script included in at least Ubuntu Gutsy (hplip/2.7.7.dfsg.1-0ubuntu5.2) allows users to take over ownership of arbitrary files located on the the filesystem as $HOME:

        # Correct ownership of personal HPLIP config files of the users
        # (in older HPLIP versions hp-setup created these files with root
        # permissions and made hp-toolbox crashing)
        for line in `cat /etc/passwd | sed -e 's/ //g'`; do
                user=`echo $line | cut -d : -f 1`;
                homedir=`echo $line | cut -d : -f 6`;
                [ -d $homedir ] && \
                    find $homedir -maxdepth 1 -not -user $user -name .hplip* \
                    -exec chown $user '{}' \; 2>/dev/null || :

How to reproduce:
 * create a hard link to /bin/bash named ~/.hplip-foo
 * wait for sysadmin to install/update hplip
 * /bin/bash is owned by $user

Also, this part of the script fails for users with $HOME on a network file system that root cannot access (which is why I noticed the problem).

The postinst script has been fixed in a later release (see #191299), but this security issue still affects (at least) Ubuntu Gutsy.


To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.