Your message dated Mon, 04 Sep 2023 15:05:55 +0000
with message-id <e1qdb9h-0078o9...@fasolo.debian.org>
and subject line Bug#1041429: fixed in restrictedpython 6.2-1
has caused the Debian Bug report #1041429,
regarding restrictedpython: CVE-2023-37271
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: restrictedpython
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for restrictedpython.

CVE-2023-37271[0]:
| RestrictedPython is a tool that helps to define a subset of the
| Python language which allows users to provide a program input into a
| trusted environment. RestrictedPython does not check access to stack
| frames and their attributes. Stack frames are accessible within at
| least generators and generator expressions, which are allowed inside
| RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with
| access to a RestrictedPython environment can write code that gets
| the current stack frame in a generator and then walk the stack all
| the way beyond the RestrictedPython invocation boundary, thus
| breaking out of the restricted sandbox and potentially allowing
| arbitrary code execution in the Python interpreter. All
| RestrictedPython deployments that allow untrusted users to write
| Python code in the RestrictedPython environment are at risk. In
| terms of Zope and Plone, this would mean deployments where the
| administrator allows untrusted users to create and/or edit objects
| of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope
| Page Template`. This is a non-default configuration and likely to be
| extremely rare. The problem has been fixed in versions 6.1 and 5.3.

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh
https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 (master)
https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002 (5.3)
   

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37271
    https://www.cve.org/CVERecord?id=CVE-2023-37271

Please adjust the affected versions in the BTS as needed.

--- End Message ---
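The advisory quoted above gives two fix boundaries, 5.3 on the 5.x branch and 6.1 on the 6.x branch, so an inventory check has to compare within the matching branch rather than against a single threshold (a naive "version >= 5.3" test would wrongly clear 6.0). The helper below is an added example written for this page, not code from the bug report, from RestrictedPython or from the Debian package; the hostnames and version strings in the sample inventory are constructed, and the handling of Debian epochs, revisions, "+" suffixes and pre-release tags is this example's own simplification.

```python
"""Branch-aware affected-version check for CVE-2023-37271 (added example).

Fix boundaries come from the advisory text: RestrictedPython 6.1 and 5.3.
Everything older than the 5.x branch predates both fixes.
"""
import re
from typing import Dict, List, Tuple

# Per-branch fix boundary, keyed by major version (from the advisory).
FIXED_IN: Dict[int, Tuple[int, ...]] = {5: (5, 3), 6: (6, 1)}


def parse_upstream_version(version: str) -> Tuple[int, ...]:
    """Reduce a PEP 440 or Debian version string to numeric components.

    Debian versions look like "[epoch:]upstream-revision" and may carry a
    "+dfsg"-style repack suffix; only the upstream part matters here, so
    epoch, revision and "+" suffix are stripped (assumption of this example).
    A component with a trailing pre-release tag such as "1b1" is dropped, so
    "6.1b1" compares as (6,) and is conservatively counted as unfixed.
    """
    upstream = version.split(":", 1)[-1]        # drop Debian epoch
    upstream = upstream.rsplit("-", 1)[0]        # drop Debian revision
    upstream = upstream.split("+", 1)[0]         # drop "+dfsg" / local tag
    parts: List[int] = []
    for piece in upstream.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        if m.end() != len(piece):                # pre-release tag follows
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this RestrictedPython version predates the advisory's fix."""
    parts = parse_upstream_version(version)
    major = parts[0]
    fixed = FIXED_IN.get(major)
    if fixed is None:
        # Below the 5.x branch: older than both fixes. Above 6.x: newer.
        return major < 5
    # Tuple comparison within the branch: (6, 0) < (6, 1), (5, 3) >= (5, 3).
    return parts < fixed


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose installed version still needs updating."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "zope-a": "6.0-2",        # Debian-style, before the 6.1 fix
    "zope-b": "6.2-1",        # the package version that closed the bug
    "plone-legacy": "5.2.1",  # 5.x branch, before 5.3
    "plone-lts": "5.3",       # fixed 5.x release
    "dev-box": "6.1b1",       # pre-release, treated conservatively
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: RestrictedPython {SAMPLE_INVENTORY[host]} "
              f"is affected by CVE-2023-37271")
```

Feeding the function a Debian package version such as the "6.2-1" from the close notice reduces it to the upstream "6.2" before comparing, so the same check works for `dpkg -l` output and for `pip` output.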
--- Begin Message ---
Source: restrictedpython
Source-Version: 6.2-1
Done: Christoph Berg <m...@debian.org>

We believe that the bug you reported is fixed in the latest version of
restrictedpython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <m...@debian.org> (supplier of updated restrictedpython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Sep 2023 16:42:31 +0200
Source: restrictedpython
Architecture: source
Version: 6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Closes: 1041429
Changes:
 restrictedpython (6.2-1) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Bump debhelper from old 12 to 13.
 .
   [ Christoph Berg ]
   * New upstream version 6.2. (Closes: #1041429, CVE-2023-37271)
   * Enable build-time tests.
Checksums-Sha1:
 4334b8225f7d1dd0d1af2d993952da68b127b1bd 2125 restrictedpython_6.2-1.dsc
 722445adbd42c1ba193d30828e154f5cfbf28642 448893 restrictedpython_6.2.orig.tar.gz
 9c4c165d7fc40b26a56c650243d53a7361270675 3924 restrictedpython_6.2-1.debian.tar.xz
Checksums-Sha256:
 fb1519b2556e490e4b5c1a8e4cf25ca5353de9b958a33d9c16b20580c23b1a07 2125 restrictedpython_6.2-1.dsc
 db73eb7e3b39650f0d21d10cc8dda9c0e2986e621c94b0c5de32fb0dee3a08af 448893 restrictedpython_6.2.orig.tar.gz
 95633cdf3d278126aa13da97fd93cbea7aa6adce670a2ce1587a14e968af5d6b 3924 restrictedpython_6.2-1.debian.tar.xz
Files:
 0ed6476b6f9cbdae4f8e8b3c9f584ebc 2125 python optional restrictedpython_6.2-1.dsc
 f4f2bd36d0c24145e262efd468405018 448893 python optional restrictedpython_6.2.orig.tar.gz
 613ea9d698f175b664a68cd629681f7c 3924 python optional restrictedpython_6.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
