[tor-bugs] #6715 [Tor Sysadmin Team]: Please install python-tk on getulum

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Aug 28 16:39:02 UTC 2012


#6715: Please install python-tk on getulum
-------------------------------+--------------------------------------------
 Reporter:  kaner              |          Owner:     
     Type:  task               |         Status:  new
 Priority:  normal             |      Milestone:     
Component:  Tor Sysadmin Team  |        Version:     
 Keywords:                     |         Parent:     
   Points:                     |   Actualpoints:     
-------------------------------+--------------------------------------------

Comment(by rransom):

 Replying to [comment:3 kaner]:
 > The reason for installing this package on a torproject.org machine is
 > the PlotStat.py script that is needed to plot GetTor statistics. Question
 > to you: Why do you ask what the reason to install the package is? Is the
 > package dangerous?

 Tk contains a code-exec backdoor (the `send` command) available to anyone
 who can connect to the X display that it is using.  Python-Tk does not
 attempt to close this backdoor.

 On a desktop system, this is not significantly worse than the ability to
 inject mouse and keyboard events to e.g. GNOME Panel and the Run
 Application dialog box.  On a server, either (a) Tk would be a security
 risk (by allowing anyone who can connect to an X display on the server to
 run arbitrary code with the privileges of the PlotStat.py process) or (b)
 Tk would not work (because there is no X display).

 Also, your script does not actually require python-tk.  See
 [ticket:4342#comment:31] for how to configure MatPlotLib properly.

 > If so, we should inform the Debian Project.

 I would assume that they already know.  For example, they ship the TkCon
 program which uses the `send` command to implement a debugging tool.
 Other packages in Debian (e.g. PLplot) rely on `send`.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6715#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
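
Added example, not part of the original message or of the GetTor code: one way a Tkinter program can delete Tk's `send` command at startup, so that other clients of the same X display can no longer use it to evaluate Tcl in the process. The function names are hypothetical; renaming a command to the empty string is Tcl's standard way of deleting it, and the "no display" branch corresponds to case (b) in the comment above.

```python
"""Delete Tk's `send` command from a Tkinter application at startup."""
try:
    import tkinter
except ImportError:  # python-tk / _tkinter is not installed
    tkinter = None


def send_available(interp):
    """Return True if the Tcl interpreter exposes a command named `send`."""
    return interp.eval("info commands send") == "send"


def remove_send(interp):
    """Delete `send` from the interpreter. Returns True if it was present."""
    if not send_available(interp):
        return False
    # Tcl idiom: renaming a command to the empty string deletes it.
    interp.call("rename", "send", "")
    return True


def hardened_root():
    """Create the Tk root window with `send` removed.

    Returns (root, status). root is None when Tk cannot start at all,
    which is the expected result on a server without an X display.
    """
    if tkinter is None:
        return None, "tk-missing"
    try:
        root = tkinter.Tk()
    except tkinter.TclError:
        return None, "no-display"
    # Remove `send` before any event loop runs or other code is loaded.
    removed = remove_send(root.tk)
    return root, ("send-removed" if removed else "send-absent")


if __name__ == "__main__":
    root, status = hardened_root()
    print(status)
    if root is not None:
        root.destroy()
```

This only closes the `send` channel; any client that can connect to the display can still inject input events, as the comment notes for desktop systems.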