Your message dated Sun, 28 Jun 2015 19:04:37 +0000
with message-id <[email protected]>
and subject line Bug#790365: fixed in pycode-browser 1:1.0-1
has caused the Debian Bug report #790365,
regarding pycode-browser: CVE-2015-0849: predictable temporary file vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
790365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790365
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pycode-browser
Version: 20120614+git+b041dd2-8
Severity: normal
Tags: security

pycode-browser has a predictable temporary file vulnerability.

When following the below steps, it uses the predictable
temporary file /tmp/pycode-0007-0007.py and will overwrite its contents.
You can reproduce this with the attached script by running
"./test-pycode-browser pycode-browser" and following the steps.

* Launch pycode-browser (with or without the script).
* Open one of the test programs.
* Modify it in some way.
* Do not save the file.
* Click the Execute button.

The program will write the contents to the temporary file.  Upon
exiting, the script will report that the program is vulnerable.  The
vulnerability is ameliorated by fs.protected_symlinks, but systems
running without that enabled are vulnerable to a symlink attack.

The Debian Security Team has allocated CVE-2015-0849 to this
vulnerability.  I sent an email to upstream but have received no
response, so I'm filing this bug.  No DSA will be issued for this
vulnerability.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
#!/bin/sh
# test-pycode-browser: set up temporary file vuln testing
#
# Usage: test-pycode-browser pycode-browser

# Private working directory for the canary file and its checksum.
TEMPDIR=$(mktemp -d)

[ -n "$TEMPDIR" ] || exit 1

# Canary file whose contents must stay untouched; record its SHA-384.
printf '%d exploit test\n' $$ > "$TEMPDIR/exploit"
sha384sum "$TEMPDIR/exploit" > "$TEMPDIR/hash"

# Plant a symlink at the predictable name, pointing at the canary.
ln -s "$TEMPDIR/exploit" "/tmp/pycode-0007-0007.py"

# Run the program under test (e.g. "pycode-browser") and follow the steps.
"$@"

# If the canary's checksum no longer matches, the program followed the symlink.
if sha384sum -c "$TEMPDIR/hash" >/dev/null 2>&1
then
        printf "Program is not vulnerable.\n"
else
        printf "Program is VULNERABLE!\n"
fi
rm -r -- "$TEMPDIR"



--- End Message ---
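The temporary-file pattern the report describes and its hardened form, as an added example that is not from the bug report or from pycode-browser itself: a fixed name opened with plain open() follows a planted symlink, while tempfile.mkstemp() creates a fresh name with O_CREAT|O_EXCL. The check mirrors the attached script's canary-hash logic but runs in a private directory instead of /tmp; the function names are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical stand-in for the editor's "Execute" step in the report.
def write_predictable(tmp_dir, code):
    """Pattern the bug describes: a fixed, predictable name opened with
    open(), which follows a pre-existing symlink and overwrites its target."""
    path = os.path.join(tmp_dir, "pycode-0007-0007.py")
    with open(path, "w") as f:
        f.write(code)
    return path

def write_safe(tmp_dir, code):
    """Hardened form: mkstemp() picks an unpredictable name and opens it with
    O_CREAT|O_EXCL (mode 0600), so a planted symlink is never followed."""
    fd, path = tempfile.mkstemp(prefix="pycode-", suffix=".py", dir=tmp_dir)
    with os.fdopen(fd, "w") as f:
        f.write(code)
    return path

def is_vulnerable(writer):
    """Plant a symlink at the predictable name pointing at a canary file,
    run the writer, and report whether the canary's SHA-384 changed.
    The private directory is not sticky, so fs.protected_symlinks does
    not mask the result the way it can for /tmp."""
    tmp_dir = tempfile.mkdtemp()  # constructed sandbox, not /tmp
    try:
        canary = Path(tmp_dir, "exploit")
        canary.write_text("exploit test\n")
        before = hashlib.sha384(canary.read_bytes()).hexdigest()
        os.symlink(canary, os.path.join(tmp_dir, "pycode-0007-0007.py"))
        writer(tmp_dir, "print('hello')\n")
        after = hashlib.sha384(canary.read_bytes()).hexdigest()
        return before != after
    finally:
        shutil.rmtree(tmp_dir)

if __name__ == "__main__":
    print("open() on fixed name vulnerable:", is_vulnerable(write_predictable))
    print("mkstemp() vulnerable:", is_vulnerable(write_safe))
```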
--- Begin Message ---
Source: pycode-browser
Source-Version: 1:1.0-1

We believe that the bug you reported is fixed in the latest version of
pycode-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Georges Khaznadar <[email protected]> (supplier of updated pycode-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 28 Jun 2015 19:50:38 +0200
Source: pycode-browser
Binary: pycode-browser
Architecture: source all
Version: 1:1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Georges Khaznadar <[email protected]>
Changed-By: Georges Khaznadar <[email protected]>
Description:
 pycode-browser - environment to teach with Python code snippets
Closes: 790189 790365
Changes:
 pycode-browser (1:1.0-1) unstable; urgency=medium
 .
   * created a file d/watch to take git tags in account
   * upgraded to the newest upstream version. Changed dependencies.
     Closes: #790189. Closes: #790365
   * fixed d/copyright for a few lintian warnings


--- End Message ---