Your message dated Wed, 28 Nov 2018 17:51:01 +0000
with message-id <[email protected]>
and subject line Bug#909673: fixed in python2.7 2.7.15-5
has caused the Debian Bug report #909673,
regarding python2.7: CVE-2018-1000802
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
909673: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909673
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python2.7
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Control: fixed -1 2.7.9-2+deb8u2
Hi,
The following vulnerability was published for python2.7.
CVE-2018-1000802[0]:
| Python Software Foundation Python (CPython) version 2.7 contains a
| CWE-77: Improper Neutralization of Special Elements used in a Command
| ('Command Injection') vulnerability in shutil module (make_archive
| function) that can result in Denial of service, Information gain via
| injection of arbitrary files on the system or entire drive. This
| attack appears to be exploitable via Passage of unfiltered user input
| to the function. This vulnerability appears to have been fixed
| after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Please adjust the affected versions in the BTS as needed.
==
The patches upstream are straightforward to apply and have been shipped
in Debian LTS (jessie):
https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
They are not part of a 2.7.x release just yet, however, but considering
the impact, I think it might be worth fixing before the upstream point
release.
A.
--- End Message ---
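The hazard the report describes is a caller-supplied value reaching the command line of an external 'zip' started by shutil.make_archive(). The following is an added example, not code from the bug report or from CPython: it builds the archive in-process with the zipfile module and rejects archive names that could be read as options or shell syntax, so nothing user-supplied is ever handed to a command-line parser. The function names (is_safe_archive_name, make_zip_in_process, demo) and the sample file tree are constructed for this illustration.

```python
import os
import re
import tempfile
import zipfile

# Constructed example (not CPython code): allow only a plain file stem, so
# the archive name cannot carry a path, a leading '-' that an archiver
# would parse as an option, or characters a shell gives meaning to.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_archive_name(name):
    """True if name is an acceptable archive stem (without '.zip')."""
    return bool(_SAFE_STEM.match(name))


def make_zip_in_process(dest_dir, name, base_dir):
    """Create <dest_dir>/<name>.zip from every file under base_dir using
    the zipfile module only; no external 'zip' process is started, so the
    name and directory never reach a command line."""
    if not is_safe_archive_name(name):
        raise ValueError("rejected archive name: %r" % (name,))
    zip_path = os.path.join(dest_dir, name + ".zip")
    base_dir = os.path.abspath(base_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(base_dir):
            for fname in sorted(files):
                full = os.path.join(root, fname)
                # store paths relative to base_dir so the archive carries
                # no absolute paths from the build host
                zf.write(full, os.path.relpath(full, base_dir))
    return zip_path


def demo():
    """Constructed input: a temp tree of two files; returns the members
    of the archive that make_zip_in_process() wrote from it."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    os.makedirs(os.path.join(src, "sub"))
    for rel in ("a.txt", os.path.join("sub", "b.txt")):
        with open(os.path.join(src, rel), "w") as fh:
            fh.write("sample data\n")
    path = make_zip_in_process(work, "release-1.0", src)
    with zipfile.ZipFile(path) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    print(demo())
```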
--- Begin Message ---
Source: python2.7
Source-Version: 2.7.15-5
We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 28 Nov 2018 17:27:22 +0100
Source: python2.7
Binary: python2.7 libpython2.7-stdlib python2.7-minimal libpython2.7-minimal libpython2.7 python2.7-examples python2.7-dev libpython2.7-dev libpython2.7-testsuite idle-python2.7 python2.7-doc python2.7-dbg libpython2.7-dbg
Architecture: source
Version: 2.7.15-5
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Description:
idle-python2.7 - IDE for Python (v2.7) using Tkinter
libpython2.7 - Shared Python runtime library (version 2.7)
libpython2.7-dbg - Debug Build of the Python Interpreter (version 2.7)
libpython2.7-dev - Header files and a static library for Python (v2.7)
libpython2.7-minimal - Minimal subset of the Python language (version 2.7)
libpython2.7-stdlib - Interactive high-level object-oriented language (standard library)
libpython2.7-testsuite - Testsuite for the Python standard library (v2.7)
python2.7 - Interactive high-level object-oriented language (version 2.7)
python2.7-dbg - Debug Build of the Python Interpreter (version 2.7)
python2.7-dev - Header files and a static library for Python (v2.7)
python2.7-doc - Documentation for the high-level object-oriented language Python
python2.7-examples - Examples for the Python language (v2.7)
python2.7-minimal - Minimal subset of the Python language (version 2.7)
Closes: 909673 912422
Changes:
python2.7 (2.7.15-5) unstable; urgency=medium
.
* Update to 20181127 from the 2.7 branch.
- Fix issue #20744, running an external 'zip' in shutil.make_archive().
CVE-2018-1000802. Closes: #909673.
* Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
* Don't hard code location of netinet/in.h. Closes: #912422.
* Update VCS attributes.
--- End Message ---