Package: popularity-contest
Version: 1.40
Severity: important
Tags: security, patch

Hi,

The popularity-contest's weekly cron job sets HOME to /tmp before
generating the popularity report. By doing that it tries to avoid dpkg
failures on unreadable /root/.dpkg.cfg file. However /tmp is
world-writeable, so any user can create /tmp/.dpkg.cfg and make it
unreadable for others thus causing dpkg to generate "failed to open
config file" warning.

Patch:
 - set HOME to e.g. /nonexistent
or
 - don't pass the `-p' option to su

Best Regards,
robert

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages popularity-contest depends on:
ii  debconf [debconf-2.0]         1.5.13     Debian configuration management sy
ii  dpkg                          1.13.25    package maintenance system for Deb

Versions of packages popularity-contest recommends:
ii  cron                          3.0pl1-100 management of regular background p
pn  mime-construct                <none>     (no description available)
ii  postfix [mail-transport-agent 2.3.8-1    A high-performance mail transport

-- debconf information:
  popularity-contest/submiturls:
* popularity-contest/participate: true
  popularity-contest/hostid-failed:
* popularity-contest/use-http: false
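
Added example, not part of the original report or of the popularity-contest package: a POSIX shell check that flags literal HOME= assignments in a script when they point at a directory other users can write to, which is the condition the report describes for HOME=/tmp. The function names and the "UNSAFE" output line are assumptions of this example, and only literal absolute paths are handled.

```sh
#!/bin/sh
# Added example. Function names and the "UNSAFE" output format are assumptions.

# Succeeds if DIR exists and is group- or world-writable. The sticky bit on
# /tmp does not help here: other users can still create new dotfiles in it.
dir_writable_by_others() {
    [ -d "$1" ] || return 1   # a nonexistent HOME leaves nothing to plant
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Scans FILE for literal HOME=/abs/path assignments and prints one line per
# unsafe one. Returns 1 if any were found. Variable or computed values are
# not resolved, and names that merely end in HOME (e.g. MYHOME=) also match.
audit_home_assignments() {
    rc=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case $line in
            \#*) continue ;;                       # comment line
            *HOME=*) ;;
            *) continue ;;
        esac
        dir=${line#*HOME=}                         # text after HOME=
        dir=${dir%%[[:space:];]*}                  # cut at whitespace or ';'
        dir=$(printf '%s' "$dir" | tr -d "\"'")    # drop surrounding quotes
        case $dir in
            /*) ;;
            *) continue ;;
        esac
        if dir_writable_by_others "$dir"; then
            echo "UNSAFE HOME=$dir"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage: sh audit_home.sh /path/to/script
if [ "$#" -gt 0 ]; then
    audit_home_assignments "$1"
fi
```
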

