Your message dated Tue, 26 May 2015 09:28:09 +0200 with message-id <[email protected]> and subject line Re: Bug#786858: Acknowledgement ([CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp) has caused the Debian Bug report #786858, regarding [CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
786858: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786858
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-dbusmock
Version: 0.11.4-1
Tags: patch

Forwarding mail to security team as a bug, as Salvatore Bonaccorso prefers handling this via a stable update.

Simon McVittie found a potentially exploitable bug with loading custom dbusmock templates: When a user is tricked into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory.

Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories. Hence we decided to immediately make this bug public and don't aim for a coordinated release date.

Original bug report with the details: https://launchpad.net/bugs/1453815

CVE-2015-1326

Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093 (included in 0.15.1 upstream release)

unstable: fixed in 0.15.1-1 which I just uploaded
oldstable: not affected, python-dbusmock has only existed since jessie

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
--- Begin Message ---
Version: 0.15.1-1

This was fixed in unstable/testing in

python-dbusmock (0.15.1-1) unstable; urgency=medium
  .
  * New upstream release.
    - SECURITY FIX: When loading a template from an arbitrary file through
      the AddTemplate() D-Bus method call or
      DBusTestCase.spawn_server_template() Python method, don't create or
      use Python's *.pyc cached files. By tricking a user into loading a
      template from a world-writable directory like /tmp, an attacker could
      run arbitrary code with the user's privileges by putting a crafted
      .pyc file into that directory.
  .
      Note that this is highly unlikely to actually appear in practice as
      custom dbusmock templates are usually shipped in project directories,
      not directly in world-writable directories. (LP: #1453815,
      CVE-2015-1326)

The stable upload will also add this Debian bug reference.

Martin

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
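As an added illustration of the fix described in the changelog above (this is example code, not the upstream commit or dbusmock's own loader), the function below loads a template file by compiling its source text directly, so Python's import machinery never consults or writes a `__pycache__/*.pyc` beside it; the helper names, the `demo()` driver and the embedded template text are constructed for this example, and the world-writable check is an extra defensive step not taken from the page.

```python
import os
import stat
import tempfile
import types
from importlib.util import cache_from_source
from pathlib import Path

# Constructed minimal template in the shape dbusmock templates use
# (a module-level load() hook); not a real dbusmock template.
TEMPLATE_SRC = """\
BUS_NAME = 'com.example.Mock'
def load(mock, parameters):
    return {'bus': BUS_NAME, 'params': dict(parameters)}
"""


def load_template_from_source(path, module_name="dbusmock_template"):
    """Load a template .py file by compiling its *source* only.

    A normal import would look for, trust and write __pycache__/*.pyc
    next to the file; compiling the source text directly neither reads
    nor writes bytecode, so a .pyc planted in a world-writable
    directory is never executed.
    """
    source = Path(path).read_bytes()
    code = compile(source, str(path), "exec", dont_inherit=True)
    module = types.ModuleType(module_name)
    module.__file__ = str(path)
    exec(code, module.__dict__)
    return module


def directory_is_world_writable(path):
    """True if other users may create files in the template's directory."""
    mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    return bool(mode & stat.S_IWOTH)


def demo():
    """Write the constructed template to a private temp dir and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        template = os.path.join(tmp, "mock_template.py")
        Path(template).write_text(TEMPLATE_SRC)
        mod = load_template_from_source(template)
        result = mod.load(None, {"foo": "bar"})
        cache = cache_from_source(template)  # where import would cache it
        return {
            "bus": result["bus"],
            "params": result["params"],
            "cache_written": os.path.exists(cache),
            "world_writable": directory_is_world_writable(template),
        }
```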

