Your message dated Fri, 15 Feb 2019 19:35:33 +0000
with message-id <[email protected]>
and subject line Bug#921751: fixed in rdflib 4.2.2-2
has caused the Debian Bug report #921751,
regarding python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
921751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921751
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security

The CLI tools in python-rdflib-tools can load python modules found in the
current directory. This happens because "python -m" appends the current
directory in the python path.

$ echo 'print("Something")' > cgi.py
$ rdf2dot
INFO:rdflib:RDFLib Version: 4.2.2
Something
Reading from stdin as None...

The local cgi.py file is loaded instead of the system one.

There are probably other instances of this in the Debian archive.
Constructs such as:

python -m "$some_module"
python -c "$some_code"
$some_command | python

can lead to code injection from current working directory

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-rdflib-tools depends on:
ii  python         2.7.15-4
ii  python-rdflib  4.2.2-1

python-rdflib-tools recommends no packages.

python-rdflib-tools suggests no packages.

-- no debconf information
--- End Message ---
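An added example (my own code, not from the report or from rdflib) that reproduces the mechanism the report describes and shows the check plus the sys.path hardening a CLI wrapper can apply before importing anything. The module name `json` and a scratch directory stand in for the report's cgi.py and the working directory.

```python
"""Detect and neutralise cwd-based module shadowing (added example, not rdflib code).

`python -m somemodule` puts the current working directory at the front of
sys.path, so a file named after a standard-library module (the report's cgi.py)
is imported in its place; a console-script entry point, as in the Debian fix,
puts the script's own directory there instead.  Python 3.11+ also offers
`python -P` / PYTHONSAFEPATH, which keeps the cwd off sys.path entirely.
"""
import importlib.machinery
import os
import sys
import tempfile


def module_origin(name, search_path):
    """File `name` would be loaded from along `search_path` (sys.meta_path is
    bypassed, so builtin and frozen modules are not consulted)."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.has_location or not spec.origin:
        return None
    return os.path.realpath(spec.origin)


def is_shadowed_from(name, search_path, untrusted_dir):
    """True if `name` resolves to a file inside `untrusted_dir` (e.g. the cwd)."""
    origin = module_origin(name, search_path)
    untrusted = os.path.realpath(untrusted_dir)
    return origin is not None and origin.startswith(untrusted + os.sep)


def hardened_path(search_path, untrusted_dir):
    """Copy of `search_path` with '' and every entry equal to `untrusted_dir` removed."""
    untrusted = os.path.realpath(untrusted_dir)
    return [p for p in search_path if os.path.realpath(p or os.curdir) != untrusted]


def demo(module_name="json"):
    """Reproduce the report in a scratch directory standing in for the cwd.
    Returns (shadowed on emulated path, shadowed on hardened path, entries stripped)."""
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed stand-in for the report's cgi.py; `json` is used because it
        # exists in every Python 3 release (the cgi module was removed in 3.13).
        with open(os.path.join(scratch, module_name + ".py"), "w") as fh:
            fh.write('print("Something")\n')
        emulated = [scratch] + sys.path      # what `python -m` does with the cwd
        safe = hardened_path(emulated, scratch)
        return (is_shadowed_from(module_name, emulated, scratch),
                is_shadowed_from(module_name, safe, scratch),
                len(emulated) - len(safe))
```

Running `demo()` returns `(True, False, 1)`: the scratch `json.py` wins on the emulated path, and the stripped path falls through to the standard library.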
--- Begin Message ---
Source: rdflib
Source-Version: 4.2.2-2

We believe that the bug you reported is fixed in the latest version of
rdflib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian M. Amsüss <[email protected]> (supplier of updated rdflib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Fri, 15 Feb 2019 15:50:18 +0100
Source: rdflib
Architecture: source
Version: 4.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Christian M. Amsüss <[email protected]>
Closes: 917913 921751
Changes:
 rdflib (4.2.2-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Remove ancient X-Python(3)-Version fields
   * d/changelog: Remove trailing whitespaces
 .
   [ Christian Amsüss ]
   * tools:
     - Use easy_install provided scripts (CVE-2019-7653, closes: #921751)
     - Use Python 3
   * d/control:
     - Update Standards-Version to 4.3.0 (no further changes)
     - Remove retired Olivier Berger from uploaders (closes: #917913)
     - Update salsa location
   * d/patches: Acknowledge that pyparsinglatest.patch is not required any more
   * Add bsddb3 and rdflib-jsonld to test dependencies
     - Disable broken tests for rdflib-jsonld at build time
--- End Message ---

