On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote:
> I encountered this bug in the real world: I extracted a tarball
> which contained a file named token.py, then I wanted to report a problem
> and therefore started reportbug.
>
> This tarball did not contain harmful code, but as I did not verify
> it before (because I did not intend to execute parts of it), it could have
> been harmful.
>
> And of course there is /tmp as mentioned by Nico Golde.
That it can happen by accident does not mean that it is easy to explicitly exploit. I still believe that those chances are small enough to not consider an update to stable (needs local malicious user, needs victim user to run reportbug in exactly the right dir, and only then provides access to "just" the user account).

If the maintainer wants to provide an update through a stable point update that is of course fine.

Thijs
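As an added illustration of the shadowing scenario Thomas describes (this is not code from the thread or from reportbug itself): a defender-side check that lists the files in a directory which would shadow standard-library modules when a Python program is started from that directory, because the script's directory (or the current directory for `-c`/interactive use) is searched before the standard library. The `token.py` layout in `demo()` is constructed.

```python
"""List files in a directory that would shadow Python standard-library modules."""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile


def is_stdlib_name(name):
    """True if `name` is a standard-library module (builtin or on the stdlib path)."""
    names = getattr(sys, "stdlib_module_names", None)  # Python 3.10+
    if names is not None:
        return name in names
    if name in sys.builtin_module_names:
        return True
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    return importlib.machinery.PathFinder.find_spec(name, [stdlib_dir]) is not None


def find_shadowing_modules(directory):
    """Return sorted stdlib module names that `directory` would shadow.

    A plain `foo.py` or a package directory `foo/__init__.py` placed at the
    front of sys.path wins over the standard library's `foo`, which is how an
    extracted `token.py` ends up being imported by an unrelated program.
    """
    found = set()
    for entry in os.listdir(directory):
        path = os.path.join(directory, entry)
        name = None
        if os.path.isfile(path) and entry.endswith(".py"):
            name = entry[:-3]
        elif os.path.isdir(path) and os.path.isfile(os.path.join(path, "__init__.py")):
            name = entry
        if name and is_stdlib_name(name):
            found.add(name)
    return sorted(found)


def demo():
    """Constructed example: an unpacked tarball containing token.py and a README."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "token.py"), "w") as f:
            f.write("# harmless placeholder standing in for the extracted file\n")
        with open(os.path.join(tmp, "README"), "w") as f:
            f.write("not a module\n")
        return find_shadowing_modules(tmp)


if __name__ == "__main__":
    print("shadowed stdlib modules:", demo())
```

Running the check over a directory before starting a tool from inside it (or over /tmp, as Nico Golde's point suggests) shows which standard-library names an untrusted archive would hijack.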