| 2008-02-24 13:00:31 |
Mihai Varzaru |
description |
Binary package hint: update-manager
gksu is called without giving the full path. An application that has normal user rights could use this for an elevation of privilege by modifying the PATH variable. After it modifies the PATH variable to point to a location where it holds a custom gksu script it has just to wait for the the next Ubuntu update in order to run with root privileges.
The code for this is in UpdateManager.py, run_synaptic function, line 697 on version 0.81.2:
cmd = ["gksu", "--desktop", "/usr/share/applications/update-manager.desktop",
Found in:
Ubuntu 7.10
Package: update-manager v. 0.81.2 |
Binary package hint: update-manager
gksu is called without giving the full path. An application that has normal user rights could use this for an elevation of privilege by modifying the PATH variable. After it modifies the PATH variable to point to a location where it holds a custom gksu script it has just to wait for the the next Ubuntu update in order to run with root privileges.
The code for this is in UpdateManager.py, run_synaptic function, line 697 on version 0.81.2:
cmd = ["gksu", "--desktop", "/usr/share/applications/update-manager.desktop",
Found in:
Ubuntu 7.10
Package: update-manager v. 0.81.2
It is also present in Ubuntu Hardy, update-manager v. 0.87.9. It seems that the problem was introduces in Ubuntu Edgy, update manager v. 0.45.
|
|
