[Gutsy] postinst script allows taking over arbitrary files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
hplip (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: hplip
This part of the postinst script included in at least Ubuntu Gutsy (hplip/
```sh
# Correct ownership of personal HPLIP config files of the users
# (in older HPLIP versions hp-setup created these files with root
# permissions and made hp-toolbox crashing)
for line in `cat /etc/passwd | sed -e 's/ //g'`; do
[ -d $homedir ] && \
done
```
How to reproduce:
* create a hard link to /bin/bash named ~/.hplip-foo
* wait for sysadmin to install/update hplip
* /bin/bash is owned by $user
Also, this part of the script fails for users with $HOME on a network file system that root cannot access (which is why I noticed the problem).
The postinst script has been fixed in a later release (see #191299), but this security issue still affects (at least) Ubuntu Gutsy.
Regards,
Ansgar
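The takeover described in the report, and a check that blocks it, as an added example that is not part of the original bug report or of hplip's own postinst. It runs entirely in a temporary directory as an unprivileged user and, instead of calling chown, prints which files each version of the loop would have handed to the user. The fixture (a fake passwd file, a stand-in for /bin/bash, a home directory for user alice) is constructed, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not hplip's own postinst: reproduce the hard-link
# takeover from the report in a throwaway directory, without root.
# Instead of chown, each loop prints the paths it would have chowned.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# Constructed fixture: a fake passwd, a stand-in for /bin/bash, and a
# home directory for user alice.
mkdir -p "$SANDBOX/bin" "$SANDBOX/home/alice"
printf '#!/bin/sh\necho shell\n' > "$SANDBOX/bin/bash"
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000:Alice:%s:/bin/sh\n' \
    "$SANDBOX/home/alice" > "$SANDBOX/passwd"

# A file hp-setup could legitimately have left behind as root.
: > "$SANDBOX/home/alice/.hplip-legit"
# The attacker's step from the report: a hard link to the target inside
# $HOME. It is the same inode, so chown on it changes the target too.
ln "$SANDBOX/bin/bash" "$SANDBOX/home/alice/.hplip-foo"

# Vulnerable loop, modelled on the Gutsy postinst: every ~/.hplip* file
# of every passwd user goes to that user, no questions asked.
vulnerable_loop() {
    while IFS=: read -r _user _ _ _ _ homedir _; do
        [ -d "$homedir" ] || continue
        for f in "$homedir"/.hplip*; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    done < "$1"
}

# Hardened loop: skip homes root cannot enter (the root-squashed NFS
# case) and only consider regular files with exactly one link. A link
# count above one means another name shares the inode, e.g. /bin/bash.
# chown -h would not help here: there is no symlink to refuse to follow.
hardened_loop() {
    while IFS=: read -r _user _ _ _ _ homedir _; do
        [ -d "$homedir" ] || continue
        find "$homedir" -maxdepth 1 -name '.hplip*' -type f -links 1 -print \
            2>/dev/null || true
    done < "$1"
}

# would_touch LOOP PASSWD TARGET: succeeds if any file LOOP would chown
# is the same inode as TARGET (test -ef compares device and inode).
would_touch() {
    "$1" "$2" | {
        while IFS= read -r f; do
            [ "$f" -ef "$3" ] && exit 0
        done
        exit 1
    }
}

if would_touch vulnerable_loop "$SANDBOX/passwd" "$SANDBOX/bin/bash"; then
    echo "vulnerable loop would hand $SANDBOX/bin/bash to alice"
fi
if ! would_touch hardened_loop "$SANDBOX/passwd" "$SANDBOX/bin/bash"; then
    echo "hardened loop leaves the hard-linked target alone"
fi
```

The link-count check closes the hole the report shows, but it is still a check-then-act sequence: a user who creates the hard link between find and chown wins the race. The robust fix is for root never to change ownership of files under a directory the user controls; repairing root-owned config files is better done as the user (for example when hp-toolbox starts) than from a package postinst.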