Bug#748667: python-vtk6: bogus RPATH
Source: python-vtk6
Version: 6.1.0+dfsg-2
Severity: grave
Tags: security

/usr/bin/pvtk, /usr/bin/vtk6python and /usr/bin/pvtkpython all have RPATH set to:

/usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:

(Note that neither /usr/lib/jvm/default-java/jre/lib/amd64/xawt nor /usr/lib/jvm/default-java/jre/lib/amd64/server exists in a minimal environment with only python-vtk6 installed.)

A malicious local user can exploit this RPATH to execute arbitrary code by placing a crafted library in /tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-vtk6 depends on:
ii  libc6          2.18-4
ii  libgcc1        1:4.9.0-4
ii  libopenmpi1.6  1.6.5-8
ii  libpython2.7   2.7.6-8
ii  libstdc++6     4.9.0-4
ii  libtcl8.6      8.6.1-6
ii  libtk8.6       8.6.1-5
ii  libvtk6        6.1.0+dfsg-2
ii  python         2.7.5-5
pn  python:any     none

python-vtk6 recommends no packages.

Versions of packages python-vtk6 suggests:
pn  mayavi2        none
pn  vtk6-doc       none
pn  vtk6-examples  none

-- 
Jakub Wilk
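Added example (the editor's, not part of the bug report or of the vtk6 package): an audit that reads `readelf -d` output and flags the RPATH elements that matter here. Every element is classified; a missing directory is only rated "high" when its nearest existing ancestor is world-writable (as /tmp is), because that is exactly what lets any local user create the build-tree path and drop a library into it. An empty element (the trailing colon in the reported RPATH) is also flagged, since glibc searches the current working directory for it. The `readelf -d` text below is constructed from the RPATH quoted in the report; the NEEDED line and the `isdir`/`writable` hooks (which exist so the classification can be exercised without the paths being present) are assumptions of the example.

```python
import os
import re
import stat
import subprocess
import sys

# Matches the DT_RPATH / DT_RUNPATH line of `readelf -d` output.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]")

# Constructed sample of `readelf -d` output for a binary carrying the RPATH quoted
# in the report. The NEEDED entry is illustrative and not taken from the report.
SAMPLE_READELF = """\
Dynamic section at offset 0x1e8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libvtkCommonCore-6.1.so.6.1]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:]
"""


def parse_rpath(readelf_output):
    """Return (tag, entries) from `readelf -d` text; empty elements are preserved."""
    for line in readelf_output.splitlines():
        m = DYN_RE.search(line)
        if m:
            return m.group(1), m.group(2).split(":")
    return None, []


def others_can_write(path):
    """True if the directory's mode grants write to 'other' (e.g. /tmp, mode 1777)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def first_existing_ancestor(path, isdir):
    """Walk up from `path` to the nearest directory that actually exists."""
    p = path
    while not isdir(p):
        parent = os.path.dirname(p)
        if parent == p:
            return p
        p = parent
    return p


def classify_entry(entry, isdir=os.path.isdir, writable=others_can_write):
    """Return (severity, reason) for a dangerous RPATH element, or None if benign."""
    if entry == "":
        # glibc treats an empty search-path element as the current working directory.
        return ("high", "empty element: the dynamic linker searches the current working directory")
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # relative to the binary's own location; acceptable for non-setuid programs
    if not entry.startswith("/"):
        return ("high", "relative path: resolved against the current working directory")
    if isdir(entry):
        if writable(entry):
            return ("high", "existing world-writable directory: any local user can plant a library")
        return None
    anc = first_existing_ancestor(entry, isdir)
    if writable(anc):
        return ("high", "missing directory below world-writable %s: any local user can create it" % anc)
    return ("low", "missing directory (nearest existing parent %s is not world-writable)" % anc)


def audit_rpath(readelf_output, isdir=os.path.isdir, writable=others_can_write):
    """Return [(entry, severity, reason)] for every flagged RPATH/RUNPATH element, in order."""
    _tag, entries = parse_rpath(readelf_output)
    findings = []
    for e in entries:
        verdict = classify_entry(e, isdir, writable)
        if verdict is not None:
            findings.append((e, verdict[0], verdict[1]))
    return findings


def audit_binary(path):
    """Run readelf on a real ELF file and audit its RPATH (requires binutils)."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True).stdout
    return audit_rpath(out)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for entry, sev, why in audit_rpath(SAMPLE_READELF):
            print("%-4s %r: %s" % (sev, entry, why))
    for t in targets:
        for entry, sev, why in audit_binary(t):
            print("%s %-4s %r: %s" % (t, sev, entry, why))
```

Run it with no arguments to see the sample classified, or pass installed binaries (`python3 rpath_audit.py /usr/bin/pvtk /usr/bin/vtk6python /usr/bin/pvtkpython`). On a binary that is already installed, `chrpath -d` or `patchelf --remove-rpath` removes the tag entirely; for a CMake-built package such as VTK the cleaner fix is to stop the build-tree rpath being baked into the installed binaries in the first place (CMake's CMAKE_SKIP_RPATH / CMAKE_SKIP_INSTALL_RPATH variables control this), then re-run the audit on the resulting package.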
Bug#748667: python-vtk6: bogus RPATH
Control: found -1 6.0.0-7

On 2014-05-19 14:31:12, Jakub Wilk wrote:
> Source: python-vtk6
> Version: 6.1.0+dfsg-2
> Severity: grave
> Tags: security
>
> /usr/bin/pvtk, /usr/bin/vtk6python and /usr/bin/pvtkpython all have RPATH set to:
>
> /usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:

This issue is also present in the current version found in jessie. The last path differs and is /tmp/buildd/vtk6-6.0.0/debian/build/lib instead. Adjusting the version information accordingly.

Cheers
-- 
Sebastian Ramacher
Bug#748667: python-vtk6: bogus RPATH
Thanks for pointing that out. Are there any recommendations on how to fix it properly?

Anton

2014-05-19 14:57 GMT+02:00 Sebastian Ramacher sramac...@debian.org:
> Control: found -1 6.0.0-7
>
> On 2014-05-19 14:31:12, Jakub Wilk wrote:
>> Source: python-vtk6
>> Version: 6.1.0+dfsg-2
>> Severity: grave
>> Tags: security
>>
>> /usr/bin/pvtk, /usr/bin/vtk6python and /usr/bin/pvtkpython all have RPATH set to:
>>
>> /usr/lib/jvm/default-java/jre/lib/amd64/xawt:/usr/lib/jvm/default-java/jre/lib/amd64/server:/tmp/buildd/vtk6-6.1.0+dfsg/debian/build/lib:
>
> This issue is also present in the current version found in jessie. The last path differs and is /tmp/buildd/vtk6-6.0.0/debian/build/lib instead. Adjusting the version information accordingly.
>
> Cheers
> --
> Sebastian Ramacher