Bug ID 1127138
Summary YaST runs programs with wrong absolute path
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware All
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component YaST2
Assignee yast2-maintainers@suse.de
Reporter mvidner@suse.com
QA Contact jsrain@suse.com
Found By ---
Blocker ---

In a recent security hardening (bsc#1118291) we changed an invocation of
  system "mkdir #{dir}"
to
  system "/usr/sbin/mkdir #{dir.shellescape}"
which is wrong because the correct path is /usr/bin/mkdir.

Finding this particular problem has prompted us to look for similar bugs, be
they introduced by wrongly absolutizing program paths or by programs changing
their location.

I have found:

yast/yast-nfs-client/src/modules/Nfs.rb:563 "/usr/sbin/rpcinfo"
yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198
is /sbin/rpcinfo

yast/yast-users/src/modules/UsersRoutines.pm:49 "/usr/sbin/cryptconfig"
removed in 15.0,
https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/

yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39
"/usr/sbin/mkdir"
is /usr/bin/mkdir

yast/yast-packager/src/include/checkmedia/ui.rb:542 "/bin/eject"
is /usr/bin/eject

yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49
"/sbin/ifconfig"
is /usr/bin/ifconfig in net-tools-deprecated
used by yast/yast-instserver/src/modules/Instserver.rb:673
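
As an added example (not part of the original report and not YaST's own code), a Ruby check for the kind of bug listed above: it scans source text for quoted absolute program paths and reports those that are not executables under a given root, separating programs found in another standard directory from programs absent altogether. The function names, the sample source lines and the sample file tree are constructed for illustration; the tree keeps /bin, /sbin, /usr/bin and /usr/sbin as distinct directories, as the report's findings imply.

```ruby
require "fileutils"
require "tmpdir"

BIN_DIRS = %w[/usr/bin /usr/sbin /bin /sbin].freeze
# A quoted string that starts with a path directly under one of BIN_DIRS.
PROGRAM_PATH = %r{["'](/(?:usr/)?s?bin/[\w.+-]+)}

def executable_under?(root, path)
  full = File.join(root, path)
  File.file?(full) && File.executable?(full)
end

# Report each hard-coded program path in +source+ that is not an executable under
# +root+: :moved if another standard directory has the program, else :missing.
def audit_program_paths(source, root: "/")
  source.each_line.with_index(1).flat_map do |text, lineno|
    text.scan(PROGRAM_PATH).flatten.reject { |p| executable_under?(root, p) }.map do |path|
      found = BIN_DIRS.map { |d| File.join(d, File.basename(path)) }
                      .select { |p| executable_under?(root, p) }
      { line: lineno, path: path, status: found.empty? ? :missing : :moved, found: found }
    end
  end
end

# Constructed sample source and file tree, using program paths named in the report.
SAMPLE_SOURCE = <<~'SRC'
  system "/usr/sbin/mkdir #{dir.shellescape}"
  system "/usr/bin/eject"
  CRYPTCONFIG = "/usr/sbin/cryptconfig"
  RPCINFO = '/usr/sbin/rpcinfo'
SRC
SAMPLE_PROGRAMS = %w[/usr/bin/mkdir /usr/bin/eject /sbin/rpcinfo].freeze

# Create empty executable files for SAMPLE_PROGRAMS under +root+.
def build_sample_root(root)
  SAMPLE_PROGRAMS.each do |prog|
    full = File.join(root, prog)
    FileUtils.mkdir_p(File.dirname(full))
    FileUtils.touch(full)
    File.chmod(0o755, full)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_root(root)
    audit_program_paths(SAMPLE_SOURCE, root: root).each { |f| puts f.inspect }
  end
end
```

With the default `root: "/"` the same function checks paths against the running system; on a system where /bin and /sbin are symlinks into /usr, paths such as /bin/eject resolve and are not reported.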

