chrysn
2012-Mar-09 13:57 UTC
[Secure-testing-team] Bug#663217: zenmap's sys.path includes /tmp locations
Package: zenmap
Version: 5.21-1.1
Severity: grave
Tags: security

The zenmap script modifies its sys.path to include '/tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/', which is inserted at build time from setup.py. As /tmp/nmap-5.21 is not present and therefore not protected on systems where zenmap is deployed, any user can create python scripts there. When another, more privileged user (e.g. root, which zenmap recommends) runs zenmap, it runs import statements not guaranteed to be present in earlier places in the python path (e.g. hildon in zenmapCore/UmitConf.py), thus executing foreign code.

Example:

$ mkdir -p /tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/
$ echo "open('/usr/fnord', 'w'); raise ImportError" > /tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/hildon.py
$ sudo zenmap
(just exit again)
$ ls /usr/fnord
/usr/fnord

Remedy: remove the set_modules_path invocation from setup.py (zenmap built and worked without that call on my machine).

The issue should be forwarded to upstream too, because while it will not be critical with typical installations (which are built without the destdir/installdir discrepancy present in debian), other distributions might face similar problems, and the whole sys.path hackery is bad practice anyway imho.

Creating a bug in the BTS (as opposed to reporting only to the security team) as suggested in the reply I received to my original message to them.
-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages zenmap depends on:
ii  nmap              5.21-1.1
ii  python            2.7.2-10
ii  python-central    0.6.17
ii  python-gobject    3.1.0-2
ii  python-gtk2       2.24.0-3
ii  python-pysqlite2  2.6.3-2

Versions of packages zenmap recommends:
ii  gksu              2.0.2-6

zenmap suggests no packages.

-- no debconf information
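A defender's check for the class of problem the report describes, added here as an example (it is not part of the bug report and not zenmap's or Debian's code): it walks every sys.path entry up to its nearest existing ancestor and flags entries that are missing underneath a world-writable directory such as /tmp (the Bug#663217 situation), that exist but are world-writable, or that are not owned by root. The names `classify_entry`, `audit_sys_path` and the injectable `stat_fn` are my own; the injection exists so the audit can be exercised against a constructed fake filesystem.

```python
import os
import stat
import sys
from typing import Callable, List, Optional, Tuple

# stat_fn is injectable so the audit can run against a fake filesystem in tests.
StatFn = Callable[[str], os.stat_result]

def _deepest_existing(path: str, stat_fn: StatFn) -> Tuple[str, Optional[os.stat_result]]:
    """Return the deepest existing ancestor of path (path itself if present) and its stat."""
    p = path
    while True:
        try:
            return p, stat_fn(p)
        except OSError:                 # missing (or unreadable) component: go one level up
            parent = os.path.dirname(p)
            if parent == p:             # reached the root without finding anything
                return p, None
            p = parent

def _others_can_create(st: os.stat_result) -> bool:
    """True if any local user can create names inside this directory (sticky bit does not help)."""
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def classify_entry(entry: str, stat_fn: StatFn = os.stat) -> Optional[str]:
    """Return a one-line finding for a sys.path entry, or None if it looks safe."""
    path = os.path.abspath(entry)       # '' means the current directory
    existing, st = _deepest_existing(path, stat_fn)
    if st is None:
        return None
    if existing != path:
        # The entry does not exist (the Bug#663217 case): whoever can write the
        # nearest existing ancestor can create the missing tail and plant modules.
        return f"missing, creatable by any user via {existing}" if _others_can_create(st) else None
    if _others_can_create(st):
        return "exists and is world-writable"
    if st.st_uid != 0:
        return f"exists and is owned by uid {st.st_uid}, not root"
    return None

def audit_sys_path(entries: Optional[List[str]] = None,
                   stat_fn: StatFn = os.stat) -> List[Tuple[str, str]]:
    """Return (entry, finding) pairs for every risky entry in entries (default: sys.path)."""
    entries = sys.path if entries is None else entries
    pairs = ((e, classify_entry(e, stat_fn)) for e in entries)
    return [(e, why) for e, why in pairs if why]
```

Run it from the interpreter that will execute the privileged program (for zenmap, the one gksu/sudo launches) so that it sees the same sys.path the program would import from.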