An insufficient environment sanitization flaw was found in the way the 'abrt-action-install-debuginfo-to-abrt-cache' tool of ABRT (an automatic bug detection and reporting tool), which installs the required debuginfo packages into ABRT's cache, used the PYTHONPATH environment variable. A local attacker could place a commonly used Python module with specially crafted content in a non-standard system location / path, leading to arbitrary Python code execution with the privileges of the 'abrt' user when the 'abrt-action-install-debuginfo-to-abrt-cache' tool was run from the parent directory of the folder containing the malicious module. Issue found by: Miloslav Trmač of Red Hat
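The flaw class here is a privileged helper inheriting interpreter-controlling variables from an untrusted caller. The following C program is an added example of the defensive pattern, not ABRT's code and not the upstream patch: it builds a fresh environment from an allow-list (the variable names, the pinned PATH value and the interpreter path are assumptions for illustration), drops everything else including PYTHONPATH and PYTHONHOME, and execs the interpreter with `-E` so that even a surviving PYTHON* variable would be ignored.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a privileged helper may pass through unchanged (assumed allow-list). */
static const char *const PASS_THROUGH[] = { "LANG", "LC_ALL", "TERM", NULL };

/* PATH is pinned rather than inherited so the caller cannot redirect lookups. */
static const char FIXED_PATH[] = "PATH=/usr/bin:/bin";

/* Returns 1 if entry ("NAME=value") names one of the allow-listed variables. */
static int is_pass_through(const char *entry)
{
    for (size_t i = 0; PASS_THROUGH[i] != NULL; i++) {
        size_t n = strlen(PASS_THROUGH[i]);
        if (strncmp(entry, PASS_THROUGH[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy allow-listed entries of in[] into out[] (NULL-terminated), preceded by
 * the fixed PATH. Everything else, including PYTHONPATH, PYTHONHOME and LD_*,
 * is dropped. cap is the capacity of out[]; returns the number of entries
 * written, not counting the terminating NULL. */
size_t sanitize_env(const char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 2) {
        if (cap > 0)
            out[0] = NULL;
        return 0;
    }
    out[n++] = FIXED_PATH;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++)
        if (is_pass_through(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    const char *clean[64];
    size_t n = sanitize_env((const char *const *)environ, clean, 64);

    /* Show what survives, so a reader can confirm PYTHONPATH is gone. */
    for (size_t i = 0; i < n; i++)
        printf("keep: %s\n", clean[i]);

    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/script.py\n", argv[0]);
        return 0;
    }
    /* -E makes CPython ignore all PYTHON* variables (defence in depth even if
     * the allow-list is later loosened); -s skips the per-user site directory.
     * The interpreter path is a placeholder for this example. */
    char *const cmd[] = { "python3", "-E", "-s", argv[1], NULL };
    execve("/usr/bin/python3", cmd, (char *const *)clean);
    perror("execve");
    return 1;
}
```

Passing an explicit envp to `execve` is preferable to calling `unsetenv` on known-bad names, because a deny-list has to anticipate every variable the interpreter or dynamic loader honours; the allow-list only has to know what the helper actually needs. Ignoring PYTHONPATH entirely also removes the working-directory dependence described above, since a relative entry in that variable is never resolved.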
This issue affects the version of the abrt package as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the abrt package as shipped with Fedora releases 16 and 17.
Upstream patch: https://fedorahosted.org/abrt/changeset/b173d81b577953b96a282167c7eecd66bf111a4f
The preliminary embargo date for this issue has been set to next Wednesday, 30 January 2013.
Acknowledgements: This issue was discovered by Miloslav Trmač of Red Hat.
Created abrt tracking bugs for this issue. Affects: fedora-all [bug 906280]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2013:0215 https://rhn.redhat.com/errata/RHSA-2013-0215.html