Package: apt-listchanges
Version: 2.59-0.2
Severity: wishlist
Tags: security

Hi,

It's conceivable that a user may be granted sufficient privileges (with sudo for example) to be able to install software, without being granted full root access. To this end, it is preferable that users can't easily gain root access by shelling out of privileged applications.

apt-listchanges displays the changelog as root, so if one is using less as their pager, they can get a root shell by using the ! command in less. If the changelog is displayed using an xterm, and gnome-terminal is the user's x-terminal-emulator, they can open another tab and get a root shell.

If possible, switching to a non-privileged user prior to displaying the changelog would prevent giving away full root access.

regards
Andrew

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-mppe
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages apt-listchanges depends on:
ii  apt          0.5.28.6   Advanced front-end for dpkg
ii  debconf      1.4.51     Debian configuration management sy
ii  debianutils  2.14.1     Miscellaneous utilities specific t
ii  python       2.3.5-2    An interactive high-level object-o
ii  python-apt   0.5.10     Python interface to libapt-pkg
ii  ucf          1.18       Update Configuration File: preserv

apt-listchanges recommends no packages.

-- debconf information:
* apt-listchanges/confirm: false
* apt-listchanges/email-address: root
* apt-listchanges/which: both
* apt-listchanges/frontend: xterm-pager
* apt-listchanges/save-seen: true
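
The mitigation requested in the report, sketched as an added example (not apt-listchanges code and not part of the original message): the pager is started as an unprivileged account with a minimal environment, and `LESSSECURE=1` makes less refuse shell escapes. The `nobody` account and all function names are assumptions.

```python
import os
import pwd
import subprocess

UNPRIVILEGED_USER = "nobody"  # assumption: account the changelog is shown as
KEEP = ("TERM", "LANG", "LC_ALL", "LC_CTYPE")  # locale/terminal settings only


def pager_environment(base_env, account):
    """Minimal environment for the pager; nothing inherited from root's shell."""
    env = {k: base_env[k] for k in KEEP if k in base_env}
    env.update(
        PATH="/usr/bin:/bin",
        HOME=account.pw_dir,
        USER=account.pw_name,
        LOGNAME=account.pw_name,
        LESSSECURE="1",  # less(1): disables !, |, v, :e and log files
    )
    return env


def make_privilege_drop(account):
    """Build the function run in the child between fork() and exec()."""
    def drop():
        if os.geteuid() != 0:
            return                 # not root: nothing to give away
        os.setgroups([])           # supplementary groups first
        os.setgid(account.pw_gid)  # group next, while still root
        os.setuid(account.pw_uid)  # as root: sets real, effective and saved uid
        try:
            os.setuid(0)           # must fail if the drop is permanent
        except PermissionError:
            return
        raise RuntimeError("privilege drop was not permanent")
    return drop


def show_changelog(text, pager=("less",), user=UNPRIVILEGED_USER):
    """Display text in the pager as `user`; return the pager's exit status."""
    account = pwd.getpwnam(user)
    proc = subprocess.Popen(
        list(pager),
        stdin=subprocess.PIPE,
        cwd="/",
        env=pager_environment(os.environ, account),
        preexec_fn=make_privilege_drop(account),
    )
    proc.communicate(text.encode("utf-8"))
    return proc.returncode
```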