Merge branch 'master' of ssh://git.fedorahosted.org/git/abrt

3 files changed, 8 insertions, 3 deletions

diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am
index 3c4b37cf..4548c67c 100644
--- a/src/plugins/Makefile.am
+++ b/src/plugins/Makefile.am
@@ -41,7 +41,7 @@ dist_pluginsconf_DATA = \
 eventsdir = $(EVENTS_DIR)
 
 dist_events_DATA = \
-    Bugzilla.xml
+    report_Bugzilla.xml
 
 eventsconfdir = $(EVENTS_CONF_DIR)
 
diff --git a/src/plugins/abrt-action-install-debuginfo.c b/src/plugins/abrt-action-install-debuginfo.c
index 39915e59..77cd370b 100644
--- a/src/plugins/abrt-action-install-debuginfo.c
+++ b/src/plugins/abrt-action-install-debuginfo.c
@@ -1,7 +1,8 @@
 #include <unistd.h>
 #include <string.h>
 
-#define EXECUTABLE "abrt-action-install-debuginfo.py"
+// TODO: honor configure --prefix here:
+#define EXECUTABLE "/usr/bin/abrt-action-install-debuginfo.py"
 
 static void error_msg_and_die(const char *msg, const char *arg)
 {
@@ -38,6 +39,10 @@ int main(int argc, char **argv)
             error_msg_and_die("bad option", arg);
     }
 
-    execvp(EXECUTABLE, argv);
+    /* We use full path, and execv instead of execvp in order to
+     * disallow user to execute his own abrt-action-install-debuginfo.py
+     * in his dir by setting up corresponding malicious $PATH.
+     */
+    execv(EXECUTABLE, argv);
     error_msg_and_die("Can't execute", EXECUTABLE);
 }
diff --git a/src/plugins/Bugzilla.xml b/src/plugins/report_Bugzilla.xml
index bc8e8ecb..bc8e8ecb 100644
--- a/src/plugins/Bugzilla.xml
+++ b/src/plugins/report_Bugzilla.xml