[Popcon-developers] Bug#414644: popularity-contest: HOME=/tmp is not a good idea
Robert Luberda
robert at debian.org
Tue Mar 13 00:39:08 CET 2007
Package: popularity-contest
Version: 1.40
Severity: important
Tags: security, patch
Hi,
The popularity-contest's weekly cron job sets HOME to /tmp before
generating the popularity report. By doing that it tries to avoid dpkg
failures on an unreadable /root/.dpkg.cfg file.
However, /tmp is world-writeable, so any user can create /tmp/.dpkg.cfg
and make it unreadable for others, thus causing dpkg to generate a
"failed to open config file" warning.
Patch:
- set HOME to e.g. /nonexistent
or
- don't pass the `-p' option to su
Best Regards,
robert
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
Versions of packages popularity-contest depends on:
ii debconf [debconf-2.0] 1.5.13 Debian configuration management sy
ii dpkg 1.13.25 package maintenance system for Deb
Versions of packages popularity-contest recommends:
ii cron 3.0pl1-100 management of regular background p
pn mime-construct <none> (no description available)
ii postfix [mail-transport-agent 2.3.8-1 A high-performance mail transport
-- debconf information:
popularity-contest/submiturls:
* popularity-contest/participate: true
popularity-contest/hostid-failed:
* popularity-contest/use-http: false
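
The report's point is that a root job's HOME must not be a directory other users can write to. As an added example (not part of the original message and not popularity-contest code), the shell check below walks a candidate HOME and its ancestors. perm_ok and home_is_safe are hypothetical names, and GNU stat from coreutils is assumed.

```shell
#!/bin/sh
# Added example: is DIR a safe HOME for a root cron job that runs tools
# reading $HOME dotfiles (dpkg reads $HOME/.dpkg.cfg)?
# Assumption: GNU stat (coreutils) is available.

# perm_ok MODE OWNER_UID
# Succeeds when the owner is root or the caller and neither group nor
# others may write. MODE is octal, as printed by stat %a.
perm_ok() {
    mode=$1
    owner=$2
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$(id -u)" ] || return 1
    # 022 = group-write | other-write. The sticky bit (1000) on /tmp does
    # not help: it restricts deletion, not creation of new files.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# home_is_safe DIR
# Walks from DIR up to /. A missing DIR (such as /nonexistent) is judged
# by its existing ancestors, since a writable parent lets others create it.
home_is_safe() {
    p=$1
    case $p in
        /*) ;;
        *) return 1 ;;          # require an absolute path
    esac
    while :; do
        if [ -e "$p" ]; then
            st=$(stat -L -c '%a %u' "$p") || return 1
            perm_ok "${st% *}" "${st#* }" || return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# The two values discussed in the report.
for d in /tmp /nonexistent; do
    if home_is_safe "$d"; then
        echo "$d: acceptable HOME"
    else
        echo "$d: unsafe HOME (writable by other users)"
    fi
done
```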