Source: python-vtk6
Version: 6.1.0+dfsg-2
Severity: grave
Tags: security

/usr/bin/pvtk, /usr/bin/vtk6python and /usr/bin/pvtkpython all have RPATH set to:

/usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:

(Note that neither /usr/lib/jvm/default-java/jre/lib/amd64/xawt nor /usr/lib/jvm/default-java/jre/lib/amd64/server exists in a minimal environment with only python-vtk6 installed.)

A malicious local user can exploit this RPATH to execute arbitrary code by placing a crafted library in /tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib.


-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-vtk6 depends on:
ii  libc6          2.18-4
ii  libgcc1        1:4.9.0-4
ii  libopenmpi1.6  1.6.5-8
ii  libpython2.7   2.7.6-8
ii  libstdc++6     4.9.0-4
ii  libtcl8.6      8.6.1-6
ii  libtk8.6       8.6.1-5
ii  libvtk6        6.1.0+dfsg-2
ii  python         2.7.5-5
pn  python:any     <none>

python-vtk6 recommends no packages.

Versions of packages python-vtk6 suggests:
pn  mayavi2        <none>
pn  vtk6-doc       <none>
pn  vtk6-examples  <none>

--
Jakub Wilk
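The following POSIX sh audit is an added example for the class of problem the report describes; it is not part of the bug report or of the vtk6 package. It assumes glibc's loader semantics (an empty search-path element, such as the one left by the trailing colon above, is searched as the current working directory), `find` for the permission test, and `readelf` from binutils only for the optional `audit_binary` wrapper. REPORTED_RPATH is the string quoted in the report; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original bug report: audit RPATH/RUNPATH
# entries for directories an unprivileged local user could populate.
# Assumed tools: find (world-writable test) and, for audit_binary only,
# readelf from binutils.

# Deepest existing ancestor of a path (the path itself if it exists).
existing_ancestor() {
    anc=$1
    while [ ! -e "$anc" ] && [ "$anc" != / ]; do
        anc=$(dirname "$anc")
    done
    printf '%s\n' "$anc"
}

# Print 1 if DIR has the other-write bit set, else 0 (-prune stops find descending).
world_writable() {
    if [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo 1
    else
        echo 0
    fi
}

# classify_entry DIR: print "danger|warn|ok <reason>" for one search-path entry.
# "danger" means an unprivileged local user can get a library loaded from it.
classify_entry() {
    dir=$1
    case "$dir" in
        "")  echo "danger empty entry: glibc searches the current working directory"; return 0 ;;
        /*)  ;;
        *)   echo "danger relative entry '$dir': resolved against the working directory"; return 0 ;;
    esac
    base=$(existing_ancestor "$dir")
    if [ "$base" = "$dir" ]; then
        if [ "$(world_writable "$dir")" = 1 ]; then
            echo "danger $dir exists and is world-writable"
        else
            echo "ok $dir"
        fi
    elif [ "$(world_writable "$base")" = 1 ]; then
        echo "danger $dir does not exist, but $base is world-writable, so any local user can create it"
    else
        echo "warn $dir does not exist (creating it needs write access to $base)"
    fi
}

# audit_rpath RPATH: classify every colon-separated entry, including the
# empty one produced by a leading, trailing or doubled colon.
# Returns 1 if any entry is "danger", 0 otherwise.
audit_rpath() {
    rest=$1 rc=0 last=
    while :; do
        case "$rest" in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   entry=$rest; last=1 ;;
        esac
        line=$(classify_entry "$entry")
        printf '  %s\n' "$line"
        case "$line" in danger*) rc=1 ;; esac
        [ -n "$last" ] && break
    done
    return $rc
}

# audit_binary FILE: extract DT_RPATH / DT_RUNPATH with readelf and audit them.
audit_binary() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    paths=$(readelf -d "$1" 2>/dev/null \
        | sed -n -e 's/.*(RPATH).*\[\(.*\)\].*/\1/p' -e 's/.*(RUNPATH).*\[\(.*\)\].*/\1/p')
    echo "$1:"
    [ -n "$paths" ] || { echo "  no RPATH/RUNPATH"; return 0; }
    brc=0
    while IFS= read -r rp; do
        audit_rpath "$rp" || brc=1
    done <<EOF
$paths
EOF
    return $brc
}

# The rpath quoted in the report (note the trailing colon).
REPORTED_RPATH='/usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:'

if [ $# -gt 0 ]; then
    for f in "$@"; do audit_binary "$f"; done
else
    echo "reported rpath:"
    if audit_rpath "$REPORTED_RPATH"; then
        echo "no dangerous entries"
    else
        echo "dangerous entries found"
    fi
fi
```

Run it without arguments to see the report's rpath classified (the /tmp entry is flagged because /tmp is world-writable, and the trailing colon is flagged as an empty entry); pass installed binaries such as /usr/bin/pvtk as arguments to audit their actual dynamic sections. A packaging check like this is a reasonable guard against build-directory paths leaking into shipped binaries via RPATH.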

