From d67c6ee3d6b3067d8697ee5e4a131af906789583 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <dvlasenk@redhat.com>
Date: Thu, 10 Mar 2011 10:03:19 +0100
Subject: abrt-action-install-debuginfo: prevent $PATH attack

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
 src/plugins/abrt-action-install-debuginfo.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/plugins')

diff --git a/src/plugins/abrt-action-install-debuginfo.c b/src/plugins/abrt-action-install-debuginfo.c
index 39915e59..77cd370b 100644
--- a/src/plugins/abrt-action-install-debuginfo.c
+++ b/src/plugins/abrt-action-install-debuginfo.c
@@ -1,7 +1,8 @@
 #include <unistd.h>
 #include <string.h>
 
-#define EXECUTABLE "abrt-action-install-debuginfo.py"
+// TODO: honor configure --prefix here:
+#define EXECUTABLE "/usr/bin/abrt-action-install-debuginfo.py"
 
 static void error_msg_and_die(const char *msg, const char *arg)
 {
@@ -38,6 +39,10 @@ int main(int argc, char **argv)
             error_msg_and_die("bad option", arg);
     }
 
-    execvp(EXECUTABLE, argv);
+    /* We use full path, and execv instead of execvp in order to
+     * disallow user to execute his own abrt-action-install-debuginfo.py
+     * in his dir by setting up corresponding malicious $PATH.
+     */
+    execv(EXECUTABLE, argv);
     error_msg_and_die("Can't execute", EXECUTABLE);
 }
-- 
cgit