Your message dated Sat, 3 Nov 2018 13:26:27 +0100
with message-id <20181103122626.GA7258@crossbow>
and subject line Re: Bug#856818: [vim-youcompleteme] JediHTTP grants to
unauthorized users modification of settings and code execution on behalf of the
vim user
has caused the Debian Bug report #856818,
regarding [vim-youcompleteme] JediHTTP grants to unauthorized users
modification of settings and code execution on behalf of the vim user
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
856818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vim-youcompleteme
Version: 0+20140207+git18be5c2-2
Severity: normal
Tags: security
X-Debbugs-CC: [email protected]
This version (0+20140207+git18be5c2-2) of JediHTTP
(/usr/lib/vim-youcompleteme/ycm/server/) does not include the HMAC
mechanism. Each vim instance starts a HTTP proxy to Jedi to which
anybody on localhost can connect via TCP. Tested with Python files with
youcompleteme enabled.
For example one can run the following command as another user (httpie
for ease):
$ http -v POST 127.0.0.1:${port}/user_options @/tmp/default_settings.json
/tmp/default_settings.json based on
/usr/lib/vim-youcompleteme/ycm/server/default_settings.json.
You can change min_num_of_chars_for_completion to quickly prove that
settings have been updated.
One can also run arbitrary commands on behalf of the user. Just set
global_ycm_extra_conf to a path to a Python file and wait for the user
to exit vim.
--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64
Debian Release: 8.7
500 stable security.debian.org
500 stable ftp.pl.debian.org
500 oldstable ftp.pl.debian.org
50 testing security.debian.org
50 testing ftp.pl.debian.org
100 jessie-backports ftp.pl.debian.org
--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
--
Marcin Szewczyk
http://wodny.org
--- End Message ---
--- Begin Message ---
Version: 0+20150616+gitbc5f581-1
Hi Marcin Szewczyk,
On Sun, Mar 05, 2017 at 03:32:26AM +0100, Marcin Szewczyk wrote:
> This version (0+20140207+git18be5c2-2) of JediHTTP
> (/usr/lib/vim-youcompleteme/ycm/server/) does not include the HMAC
> mechanism. Each vim instance starts a HTTP proxy to Jedi to which
> anybody on localhost can connect via TCP. Tested with Python files with
> youcompleteme enabled.
Thanks for this report even if there wasn't all to much action upon it!
I am not the maintainer either (see #912690), but I am trying to do some
"autumn-cleanup" and agree with Salvatore:
> AFAICT, the HMAC mechanism has been introduced in
> upstream/0+20150327+git9bfdb98, and then later on ycmd was splited
> afterwards to a separate project.
As such there is only oldstable affected – and the fix would be "just"
backporting the new upstream release… which isn't all to easy or even
acceptable from the (LTS) security team point of view so all we could
really do is remove the package from the archive…
In the most recent upstream releases the JediHTTP is abolished
completely btw.
I am a bit reluctant to close "open" security bugs, but I don't think
that at this point in time there is much to do (and for oldstable the
reports remains open due to version tracking) about this – I am
therefore closing as "done" as it arguably is for newer versions.
I hope you can agree with this, but feel free to speak up if not!
Best regards
David Kalnischkies
signature.asc
Description: PGP signature
--- End Message ---