Comment 0 for bug 194166

Mihai Varzaru (mihaiv) wrote :

Binary package hint: update-manager

gksu is called without giving the full path. An application that has normal user rights could use this for an elevation of privilege by modifying the PATH variable. After it modifies the PATH variable to point to a location where it holds a custom gksu script, it just has to wait for the next Ubuntu update in order to run with root privileges.

The code for this is in UpdateManager.py, run_synaptic function, line 697 on version 0.81.2:
cmd = ["gksu", "--desktop", "/usr/share/applications/update-manager.desktop",

Found in:
  Ubuntu 7.10
  Package: update-manager v. 0.81.2
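
One way to close this class of bug, as an added example that is not code from update-manager or from the report above: resolve the helper from a fixed directory list and check ownership and permissions before building the argument list, so that PATH is never consulted. The names `TRUSTED_DIRS`, `resolve_trusted` and `build_privileged_cmd` are hypothetical, and the directory list is an assumption.

```python
import os
import stat

# Assumed set of system directories; adjust for the distribution in use.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_trusted(name, trusted_dirs=TRUSTED_DIRS, allowed_owners=(0,)):
    """Find `name` in a fixed directory list, never consulting $PATH.

    A candidate is accepted only if it is a regular executable file, is
    owned by an allowed uid (root by default), and neither the file nor
    its directory is writable by group or others.
    """
    if os.sep in name:
        raise ValueError("expected a bare program name, got %r" % name)
    writable = stat.S_IWGRP | stat.S_IWOTH
    for directory in trusted_dirs:
        candidate = os.path.join(directory, name)
        try:
            st_dir = os.stat(directory)
            st = os.stat(candidate)  # follows symlinks to the real target
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
            continue
        if st.st_uid not in allowed_owners or st_dir.st_uid not in allowed_owners:
            continue
        if (st.st_mode | st_dir.st_mode) & writable:
            continue
        return candidate
    raise FileNotFoundError("no trusted copy of %r found" % name)


def build_privileged_cmd(helper, args, **resolver_opts):
    """Build an argv list whose first element is an absolute, vetted path."""
    return [resolve_trusted(helper, **resolver_opts)] + list(args)


if __name__ == "__main__":
    # /bin/sh stands in for the helper so the demo runs on any Linux host.
    print(build_privileged_cmd("sh", ["-c", "true"]))
```

The returned list can be passed directly to `subprocess` without a shell; the caller's PATH has no influence on which binary runs.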