Package: python3-dbusmock
Version: 0.11.4-1
Tags: patch

Forwarding mail to security team as a bug, as Salvatore Bonaccorso prefers handling this via a stable update.

Simon McVittie found a potentially exploitable bug with loading custom dbusmock templates: When a user is tricked into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory.

Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories. Hence we decided to immediately make this bug public and don't aim for a coordinated release date.

Original bug report with the details: https://launchpad.net/bugs/1453815

CVE-2015-1326

Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093 (included in 0.15.1 upstream release)

unstable: fixed in 0.15.1-1 which I just uploaded
oldstable: not affected, python-dbusmock has only existed since jessie

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
_______________________________________________
Python-modules-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
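The mechanism described in the message above, shown from the defensive side as an added example (it is not part of the original mail and is not the upstream fix's code): a template file is executed from its source text only, so a bytecode cache file planted next to it is never consulted, and the containing directory is checked for world-writability first. The function names, the `mytemplate.py` file and the `BUS_NAME` value are hypothetical, constructed for the demonstration.

```python
import os
import stat
import tempfile
import types


def dir_is_world_writable(path):
    """True if the directory holding `path` is writable by any user (e.g. /tmp).

    Only the immediate parent is checked; this is a warning signal, not a
    complete trust decision.
    """
    parent = os.path.dirname(os.path.abspath(path))
    return bool(os.stat(parent).st_mode & stat.S_IWOTH)


def load_template_from_source(path, name="custom_template"):
    """Execute the .py source at `path` as a module, ignoring bytecode caches.

    The source is read and compiled in memory, so neither a sibling
    `<name>.pyc` nor `__pycache__/` is read or written.
    """
    with open(path, "rb") as f:
        code = compile(f.read(), path, "exec", dont_inherit=True)
    module = types.ModuleType(name)
    module.__file__ = path
    exec(code, module.__dict__)
    return module


def demo():
    """Constructed sample: a template with junk cache files placed beside it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mytemplate.py")
        with open(src, "w") as f:
            f.write("BUS_NAME = 'org.example.Constructed'\n")
        # Stand-ins for untrusted cache files (constructed junk bytes).
        os.mkdir(os.path.join(d, "__pycache__"))
        for cache in (src + "c", os.path.join(d, "__pycache__", "mytemplate.pyc")):
            with open(cache, "wb") as f:
                f.write(b"not real bytecode")
        os.chmod(d, 0o1777)  # same mode as /tmp: flagged as risky
        risky = dir_is_world_writable(src)
        os.chmod(d, 0o700)   # private directory: not flagged
        safe = not dir_is_world_writable(src)
        mod = load_template_from_source(src)
        return mod.BUS_NAME, risky, safe, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```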

