Your message dated Tue, 26 May 2015 12:47:06 +0000
with message-id <[email protected]>
and subject line Bug#786858: fixed in python-dbusmock 0.11.4-1+deb8u1
has caused the Debian Bug report #786858,
regarding [CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
786858: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786858
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-dbusmock
Version: 0.11.4-1
Tags: patch
Forwarding mail to security team as a bug, as Salvatore Bonaccorso
prefers handling this via a stable update.
Simon McVittie found a potentially exploitable bug with loading custom
dbusmock templates: When a user is tricked into loading a template
from a world-writable directory like /tmp, an attacker could run
arbitrary code with the user's privileges by putting a crafted .pyc
file into that directory.
Note that this is highly unlikely to actually appear in practice
as custom dbusmock templates are usually shipped in project
directories, not directly in world-writable directories. Hence we
decided to immediately make this bug public and don't aim for a
coordinated release date.
Original bug report with the details: https://launchpad.net/bugs/1453815
CVE-2015-1326
Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093
(included in 0.15.1 upstream release)
unstable: fixed in 0.15.1-1 which I just uploaded
oldstable: not affected, python-dbusmock has only existed since jessie
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
--- Begin Message ---
Source: python-dbusmock
Source-Version: 0.11.4-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
python-dbusmock, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated python-dbusmock package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 26 May 2015 09:26:11 +0200
Source: python-dbusmock
Binary: python-dbusmock python3-dbusmock
Architecture: source all
Version: 0.11.4-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Description:
python-dbusmock - mock D-Bus objects for tests (Python 2)
python3-dbusmock - mock D-Bus objects for tests (Python 3)
Closes: 786858
Changes:
python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium
.
* SECURITY FIX: When loading a template from an arbitrary file through the
AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
Python method, don't create or use Python's *.pyc cached files. By
tricking a user into loading a template from a world-writable directory
like /tmp, an attacker could run arbitrary code with the user's
privileges by putting a crafted .pyc file into that directory.
.
Note that this is highly unlikely to actually appear in practice as custom
dbusmock templates are usually shipped in project directories, not
directly in world-writable directories.
(Closes: #786858, LP: #1453815, CVE-2015-1326)
* Add debian/gbp.conf for "jessie" packaging branch.
Checksums-Sha1:
7de862771bec9c5e23d53869f2ee5a216dffc9bb 2337 python-dbusmock_0.11.4-1+deb8u1.dsc
f615f92079732115e93e036e92ccfaf8fd85c255 4848 python-dbusmock_0.11.4-1+deb8u1.debian.tar.xz
2000b9b4b729406c58bf61589312975c12c5d9bd 50640 python-dbusmock_0.11.4-1+deb8u1_all.deb
4d269541a8a63a1c2c8c873d1f33a552554bd851 50724 python3-dbusmock_0.11.4-1+deb8u1_all.deb
Checksums-Sha256:
69dbdcbbe777136a208416ce0e80525e7d85a3393d1db4c2ab1ad2a6354c9825 2337 python-dbusmock_0.11.4-1+deb8u1.dsc
15501a7e6431ec845c7e6228d15fd02f1d099cb099b4d9f1f5ad9259e82395d3 4848 python-dbusmock_0.11.4-1+deb8u1.debian.tar.xz
f749e66164fb8e3b35807ff0e2f310c3cb7652c0e102c9690e20f4f114088cd4 50640 python-dbusmock_0.11.4-1+deb8u1_all.deb
5f9324cde0215cf7ffb1378f2fa0e7b0191aee84b0bd718e0416adf7e369168d 50724 python3-dbusmock_0.11.4-1+deb8u1_all.deb
Files:
c8575beed820af756f41ffdc489c8e1c 2337 python optional python-dbusmock_0.11.4-1+deb8u1.dsc
b06c616b80a7706f7edb0c669e8bdf0c 4848 python optional python-dbusmock_0.11.4-1+deb8u1.debian.tar.xz
0f485ffd45d2b8ca993036c62cd861a2 50640 python optional python-dbusmock_0.11.4-1+deb8u1_all.deb
1afd23add0adeee0b389667fa0ee221e 50724 python optional python3-dbusmock_0.11.4-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
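The security fix described in the changelog above (when a template is loaded from an arbitrary file, do not create or consult Python's *.pyc cache) can be implemented by reading the template's source text and executing it directly, so the import system never looks in `__pycache__` next to the file. The following is an added example written for this page; it is not python-dbusmock's own code and not the upstream commit. The template layout (module-level BUS_NAME, MAIN_OBJ, MAIN_IFACE, SYSTEM_BUS and a `load(mock, parameters)` hook) follows dbusmock's template convention; the function names, the constructed sample template, and the world-writable-directory check are assumptions for illustration.

```python
import importlib.util
import os
import tempfile
import types

# Constructed sample template (not from the package) following the dbusmock
# template convention: module-level metadata plus a load() hook.
SAMPLE_TEMPLATE = '''
BUS_NAME = 'org.example.ConstructedMock'
MAIN_OBJ = '/org/example/ConstructedMock'
MAIN_IFACE = 'org.example.ConstructedMock'
SYSTEM_BUS = False

def load(mock, parameters):
    # A real template would add methods and properties to `mock` here.
    return 'loaded:' + str(parameters.get('answer', 0))
'''


def is_acceptable_template_path(path):
    """Only an existing regular *.py source file is acceptable; a bare .pyc is refused."""
    return path.endswith('.py') and os.path.isfile(path)


def load_template_source(path):
    """Hypothetical hardened loader: compile and execute the template's *source*.

    Because the import system is never asked to load this path, it neither
    reads a cached .pyc from __pycache__ nor writes one, so a stale or
    planted cache file beside the template has no influence on what runs.
    """
    if not is_acceptable_template_path(path):
        raise ValueError('template must be an existing .py source file: %r' % path)
    name = os.path.splitext(os.path.basename(path))[0]
    mod = types.ModuleType(name)
    mod.__file__ = path
    with open(path, 'r', encoding='utf-8') as f:
        source = f.read()
    # Passing the real path to compile() keeps tracebacks pointing at the source file.
    exec(compile(source, path, 'exec'), mod.__dict__)
    return mod


def load_template_via_import_machinery(path):
    """Contrast only: the standard source loader, which may read and write __pycache__."""
    name = os.path.splitext(os.path.basename(path))[0]
    spec = importlib.util.spec_from_file_location(name, path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod


def bytecode_cache_present(path):
    """True if the interpreter's cache file for this source file exists."""
    return os.path.exists(importlib.util.cache_from_source(path))


def directory_writable_by_others(path):
    """Extra check (an assumption beyond the page's fix): is the template's
    directory writable by other users, as /tmp is?"""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return bool(st.st_mode & 0o002)


def demo():
    """Write the constructed template into a private temp dir and load it safely."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        tpl = os.path.join(d, 'mytemplate.py')
        with open(tpl, 'w', encoding='utf-8') as f:
            f.write(SAMPLE_TEMPLATE)
        mod = load_template_source(tpl)
        return {
            'bus_name': mod.BUS_NAME,
            'load_result': mod.load(None, {'answer': 42}),
            'cache_created': bytecode_cache_present(tpl),
            'others_writable': directory_writable_by_others(tpl),
        }


if __name__ == '__main__':
    print(demo())
```

`load_template_via_import_machinery` is included only to show the path the fix moves away from: `SourceFileLoader.exec_module` goes through `get_code`, which consults and may write the `__pycache__` entry for the file. The hardened loader's `exec` of compiled source has no such side channel, which is what `cache_created` checks after loading.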
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team