Hi again,

On 07.03.21 at 23:08, Rene Engelhard wrote:
> On 07.03.21 at 22:45, Milko Krachounov wrote:
>> After some additional testing, checking my environment and inspecting
>> pyuno/source/loader/pyuno_loader.cxx, I want to amend the report,
>> particularly about 7.0.4 which is not affected (kind of).
>
> Interestingly, in discussion on #debian-devel it is said that it does :/
>
> See below.

[...]

OK, some more discussion sheds some more light on it and would explain it.

From #debian-devel again:

23:10 < _jwilk> OK, I kinda reproduced in buster without setting PYTHONPATH myself. It doesn't crash for me, but it can't open the CSV file.
23:11 < _jwilk> I had to install libreoffice-lightproof-pt-br to trigger the bug.
23:13 < _jwilk> So, yay, mystery solved?
23:14 < _rene_> on sid?
23:14 < _rene_> ah, on buster. yes, probably.
23:15 < _rene_> but according to the submitter and the upstream bug it does not happen on 7.0.x
23:15 < _rene_> guess I need to fire up a buster vm
23:15 < _rene_> (and probably backport the upstream fix to buster. *sigh*)
23:16 < _rene_> yeah, libreoffice-lightproof-* is python. but I have libreoffice-lightproof-en installed, too
23:16 < bunk> libreoffice-lightproof-en makes it reproducible for me on buster
23:17 < _rene_> gah. even on my testing, indeed
23:17 < _rene_> no idea what I tested before, probably I didn't do PYTHONPATH=.
23:17 < _rene_> ok, so it boils down to
23:18 < _rene_> a) buster is affected without interaction (-> bad)
23:18 < _rene_> b) testing/sid is when setting PYTHONPATH=. (-> not ideal, but one shouldn't do so(tm))
23:21 < _rene_> thus this is something one needs to fix for buster, for testing/sid it's "user error"
23:21 * _jwilk nods.
23:22 < bunk> I see some similarities between a) and https://security-tracker.debian.org/tracker/CVE-2016-1238
23:22 < _rene_> indeed

@Salvatore: Want it done via DSA?

Regards,

Rene