Bug#504359: marked as done (csound: Python scripts load modules from current directory)

2008-11-19 Thread Debian Bug Tracking System

Your message dated Wed, 19 Nov 2008 19:47:05 +
with message-id [EMAIL PROTECTED]
and subject line Bug#504359: fixed in csound 1:5.08.2~dfsg-1.1
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
---BeginMessage---
Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename.  This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module csound tries
to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega [EMAIL PROTECTED]
--- a/frontends/CsoundAC/Shell.cpp
+++ b/frontends/CsoundAC/Shell.cpp
@@ -211,6 +211,8 @@ namespace csound
   void Shell::main(int argc, char **argv)
   {
 PySys_SetArgv_(argc, argv);
+/* Sanitize sys.path */
+PyRun_SimpleString_(import sys; sys.path = filter(None, sys.path));
   }
 
   void Shell::initialize()
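Review bot: In Shell::main the added filter(None, sys.path) drops only empty entries, so a "." or any other relative entry would still resolve imports against the working directory. Keeping only entries for which os.path.isabs() is true would cover that case too. filter() also returns a list only on Python 2; a list comprehension would keep sys.path a real list if this is ever built against Python 3.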
--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp
+++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp
@@ -427,6 +427,8 @@
   Shell::open();
   char *argv[] = {,};
   PySys_SetArgv(1, argv);
+  /* Sanitize sys.path */
+  PyRun_SimpleString(import sys; sys.path = filter(None, sys.path));
   PyObject *mainModule = PyImport_ImportModule(__main__);
   result = runScript(import sys\n);
   if(result)
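Review bot: The new PyRun_SimpleString call after PySys_SetArgv(1, argv) discards its return value, while the runScript call two lines below stores result and tests it. If the sanitizing statement fails, the empty sys.path entry stays in place silently. Check the return value here, or pass the statement through runScript so it shares that error handling. The same statement is also pasted into Shell.cpp, so one shared helper called right after every PySys_SetArgv would keep the two sites from drifting apart.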


---End Message---
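
The search-path behaviour the report describes, as an added example (not code from the report, the patch or csound). It resolves a constructed module name, csnd_demo_helper, against a path carrying the empty entry, against the patch's filter(None, ...) result, and against a stricter absolute-only path, which goes one step beyond the patch. The temporary directories and all function names are assumptions, and nothing is imported or executed.

```python
import importlib
import importlib.machinery
import os
import tempfile

MODULE = "csnd_demo_helper"  # constructed name, not a module csound really imports


def cwd_relative_entries(path):
    """Entries resolved against the working directory: '' and any relative path."""
    return [p for p in path if not os.path.isabs(p)]


def sanitize(path):
    """Stricter than the patch's filter(None, ...): keep absolute entries only."""
    return [p for p in path if os.path.isabs(p)]


def resolve(name, path):
    """File that `import name` would load for this search path (nothing is executed)."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return spec.origin if spec else None


def demo():
    """Resolve MODULE with the path the report describes, then with cleaned paths."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as workdir:
        for d in (trusted, workdir):  # same module name present in both places
            with open(os.path.join(d, MODULE + ".py"), "w") as fh:
                fh.write("ORIGIN = %r\n" % d)
        os.chdir(workdir)  # stands in for the user's working directory
        try:
            def source(path):
                hit = os.path.dirname(resolve(MODULE, path))
                return "cwd" if os.path.samefile(hit, workdir) else "trusted"
            embedded = ["", trusted]  # '' prepended, as in the report
            return {
                "unpatched": source(embedded),
                "patched": source(list(filter(None, embedded))),
                "absolute_only": source(sanitize(embedded)),
            }
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    print(demo())
```

cwd_relative_entries() can be run over sys.path in any embedding host as an audit check; a non-empty result means imports may be served from the working directory.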
---BeginMessage---
Source: csound
Source-Version: 1:5.08.2~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csladspa_5.08.2~dfsg-1.1_amd64.deb
csound-gui_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-gui_5.08.2~dfsg-1.1_amd64.deb
csound-utils_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-utils_5.08.2~dfsg-1.1_amd64.deb
csound_5.08.2~dfsg-1.1.diff.gz
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.diff.gz
csound_5.08.2~dfsg-1.1.dsc
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.dsc
csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1_amd64.deb
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-dev_5.08.2~dfsg-1.1_all.deb
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-doc_5.08.2~dfsg-1.1_all.deb
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
pd-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/pd-csound_5.08.2~dfsg-1.1_amd64.deb
python-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csound_5.08.2~dfsg-1.1_amd64.deb
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csoundac_5.08.2~dfsg-1.1_amd64.deb
tclcsound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/tclcsound_5.08.2~dfsg-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde [EMAIL PROTECTED] (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Nov 2008 20:20:13 +0100
Source: csound
Binary: csound csound-gui csound-utils libcsound64-5.1 libcsnd-java 
libcsound64-dev pd-csound python-csound libcsnd5.1 

Bug#504359: marked as done (csound: Python scripts load modules from current directory)

2008-11-09 Thread Debian Bug Tracking System

Your message dated Sun, 09 Nov 2008 10:47:05 +
with message-id [EMAIL PROTECTED]
and subject line Bug#504359: fixed in csound 1:5.08.0.dfsg2-8+lenny2
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

---BeginMessage---
Source: csound
Source-Version: 1:5.08.0.dfsg2-8+lenny2

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb
csound_5.08.0.dfsg2-8+lenny2.diff.gz
  to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.diff.gz
csound_5.08.0.dfsg2-8+lenny2.dsc
  to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.dsc
csound_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb
  to pool/main/c/csound/libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb
libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb
  to pool/main/c/csound/libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb
libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb
tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb
  to pool/main/c/csound/tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard [EMAIL PROTECTED] (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-BEGIN PGP SIGNED