[Gutsy] postinst script allows to take over arbitray files

Binary package hint: hplip

This part of the postinst script included in at least Ubuntu Gutsy (hplip/2.7.7.dfsg.1-0ubuntu5.2) allows users to take over ownership of arbitrary files located on the the filesystem as $HOME:

        # Correct ownership of personal HPLIP config files of the users
        # (in older HPLIP versions hp-setup created these files with root
        # permissions and made hp-toolbox crashing)
        for line in `cat /etc/passwd | sed -e 's/ //g'`; do
                user=`echo $line | cut -d : -f 1`;
                homedir=`echo $line | cut -d : -f 6`;
                [ -d $homedir ] && \
                    find $homedir -maxdepth 1 -not -user $user -name .hplip* \
                    -exec chown $user '{}' \; 2>/dev/null || :
        done

How to reproduce:
 * create a hard link to /bin/bash named ~/.hplip-foo
 * wait for sysadmin to install/update hplip
 * /bin/bash is owned by $user

Also, this part of the script fails for users with $HOME on a network file system that root cannot access (which is why I noticed the problem).

The postinst script has been fixed in a later release (see #191299), but this security issue still affects (at least) Ubuntu Gutsy.

Regards,
Ansgar