Package: bashtop
Version: 0.9.20-1
Tags: security

(This is similar to #964366, but less severe.)

bashtop runs

    python3 -c "import psutil"

to check if the psutil module is available.

But when you use -c, Python adds the current working directory to the
module search path¹. As a consequence, you can't run bashtop securely when
your cwd is untrusted (e.g. /tmp).

I suggest changing the command in question to:

    (cd / && python3 -c "import psutil")

¹ https://docs.python.org/3/using/cmdline.html#cmdoption-c

-- System Information:
Architecture: i386
Versions of packages bashtop depends on:
ii bash 5.0-6
ii gawk 1:5.0.1+dfsg-1
ii procps 2:3.3.16-5
Versions of packages bashtop recommends:
ii lm-sensors 1:3.6.0-2
un sysstat <none>
ii python3-psutil 5.7.0-1
ii curl 7.68.0-1
--
Jakub Wilk
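
An added check, not part of the original report and not bashtop code, that shows the behaviour described above: it asks a child interpreter where a module name would be resolved from, without importing it, under plain -c, under -I (isolated mode), and after changing to / as the report suggests. The module name constructed_probe_mod and the helper names are assumptions made for the illustration.

```python
import os
import subprocess
import sys
import tempfile

# Child program: report where a module name would be loaded from.
# find_spec() on a top-level name locates the file but does not execute it.
PROBE = (
    "import importlib.util, sys; "
    "spec = importlib.util.find_spec(sys.argv[1]); "
    "print(spec.origin if spec else '')"
)

def resolve_origin(module, cwd, isolated=False):
    """Return the file a fresh `python -c` started in cwd would load module from, or None."""
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")  # isolated mode: the working directory is not put on sys.path
    cmd += ["-c", PROBE, module]
    # Drop variables that would change the search path and hide the default behaviour.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH")}
    out = subprocess.run(cmd, cwd=cwd, env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip() or None

def demo():
    """Compare the three invocations using a constructed, empty module file."""
    name = "constructed_probe_mod"  # hypothetical name, exists nowhere else
    with tempfile.TemporaryDirectory() as untrusted:
        # Stand-in for a world-writable cwd such as /tmp; the file is empty.
        open(os.path.join(untrusted, name + ".py"), "w").close()
        return {
            "plain -c in untrusted cwd": resolve_origin(name, untrusted),
            "-I -c in untrusted cwd": resolve_origin(name, untrusted, isolated=True),
            "plain -c after cd /": resolve_origin(name, os.path.abspath(os.sep)),
        }

if __name__ == "__main__":
    for label, origin in demo().items():
        print(f"{label}: {origin}")
```

Isolated mode also leaves out the user site-packages directory, so a psutil installed only for the current user would not be found with -I.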