Bug#504359: marked as done (csound: Python scripts load modules from current directory)
Your message dated Wed, 19 Nov 2008 19:47:05 +
with message-id [EMAIL PROTECTED]
and subject line Bug#504359: fixed in csound 1:5.08.2~dfsg-1.1
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
504359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's python interface calls PySys_SetArgv with an argv[0] that doesn't
resolve to a filename. This causes Python to prepend sys.path with an empty
string which, due to the use of relative imports, allows the possibility to
run arbitrary code on the user's system if a file in their working directory
matches the name of a python module csound tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by default,
but I have not been able to test it and this still needs a fix for packages
built against/used with the currently supported versions of Python.

--
James
GPG Key: 1024D/61326D40 2003-09-02
James Vega [EMAIL PROTECTED]

--- a/frontends/CsoundAC/Shell.cpp +++ b/frontends/CsoundAC/Shell.cpp @@ -211,6 +211,8 @@ namespace csound void Shell::main(int argc, char **argv) { PySys_SetArgv_(argc, argv); +/* Sanitize sys.path */ +PyRun_SimpleString_(import sys; sys.path = filter(None, sys.path)); } void Shell::initialize() --- a/frontends/CsoundVST/ScoreGeneratorVst.cpp
+++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp
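Review bot: the line added after PySys_SetArgv_ in the Shell::main hunk, `sys.path = filter(None, sys.path)`, removes only the empty-string entry; a relative entry such as `.` or one inherited from PYTHONPATH still resolves against the working directory, and on Python 3 `filter` returns a lazy iterator rather than a list, so assigning it to sys.path would leave the import system with an unusable path. `import os, sys; sys.path = [p for p in sys.path if p and os.path.isabs(p)]` behaves the same on both interpreters, and where the build can rely on Python 2.6.6 or later, `PySys_SetArgvEx(argc, argv, 0)` avoids inserting the entry in the first place instead of removing it afterwards.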
@@ -427,6 +427,8 @@ Shell::open(); char *argv[] = {,}; PySys_SetArgv(1, argv); + /* Sanitize sys.path */ + PyRun_SimpleString(import sys; sys.path = filter(None, sys.path)); PyObject *mainModule = PyImport_ImportModule(__main__); result = runScript(import sys\n); if(result)

signature.asc
Description: Digital signature
---End Message---

---BeginMessage---
Source: csound
Source-Version: 1:5.08.2~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/csladspa_5.08.2~dfsg-1.1_amd64.deb
csound-gui_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/csound-gui_5.08.2~dfsg-1.1_amd64.deb
csound-utils_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/csound-utils_5.08.2~dfsg-1.1_amd64.deb
csound_5.08.2~dfsg-1.1.diff.gz to pool/main/c/csound/csound_5.08.2~dfsg-1.1.diff.gz
csound_5.08.2~dfsg-1.1.dsc to pool/main/c/csound/csound_5.08.2~dfsg-1.1.dsc
csound_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/csound_5.08.2~dfsg-1.1_amd64.deb
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-dev_5.08.2~dfsg-1.1_all.deb to pool/main/c/csound/libcsound64-dev_5.08.2~dfsg-1.1_all.deb
libcsound64-doc_5.08.2~dfsg-1.1_all.deb to pool/main/c/csound/libcsound64-doc_5.08.2~dfsg-1.1_all.deb
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
pd-csound_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/pd-csound_5.08.2~dfsg-1.1_amd64.deb
python-csound_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/python-csound_5.08.2~dfsg-1.1_amd64.deb
python-csoundac_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/python-csoundac_5.08.2~dfsg-1.1_amd64.deb
tclcsound_5.08.2~dfsg-1.1_amd64.deb to pool/main/c/csound/tclcsound_5.08.2~dfsg-1.1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde [EMAIL PROTECTED] (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Wed, 19 Nov 2008 20:20:13 +0100
Source: csound
Binary: csound csound-gui csound-utils libcsound64-5.1 libcsnd-java libcsound64-dev pd-csound python-csound libcsnd5.1
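Review bot: in the ScoreGeneratorVst.cpp hunk the new PyRun_SimpleString sits before PyImport_ImportModule(__main__) and runScript, so nothing is imported while the empty entry is still on sys.path, which is the right order; but argv there is a single fixed entry whose only purpose is to satisfy PySys_SetArgv(1, argv), so a script directory is never wanted and the cleaner fix is to stop it being added rather than to remove it afterwards: PySys_SetArgvEx(1, argv, 0) on Python 2.6.6 / 3.1.3 and later, keeping this filter only as the fallback for older interpreters. The same caveat as in the Shell.cpp hunk applies: filter() yields an iterator on Python 3, so a list comprehension is the portable form.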
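The sys.path behaviour described in the bug report above, inspected and corrected from the Python side. This is an added example, not the csound patch or Debian's code: it generalises the patch's `filter(None, sys.path)` to Python 3 and to other working-directory-relative entries, and adds a check an embedding application can run before importing. `SAMPLE_PATH` is a constructed path list and `shadowme` a placeholder module name.

```python
# Added example, not from the csound patch: detect and remove the sys.path
# entries that make "import foo" look in the current working directory.
# PySys_SetArgv with an argv[0] lacking a directory part puts "" first in sys.path.
import os
import sys
import tempfile

# Constructed sample resembling sys.path after such a PySys_SetArgv call,
# plus a relative entry as PYTHONPATH=lib would add.
SAMPLE_PATH = ["", "/usr/lib/python3/dist-packages", "lib",
               "/usr/local/lib/python3/site-packages"]

def cwd_relative_entries(path):
    """Entries that depend on the working directory: "" or any non-absolute path."""
    return [p for p in path if p == "" or not os.path.isabs(p)]

def patch_style_fix(path):
    """The csound patch's expression: drops only "", and on Python 3 yields a
    lazy filter object, which is unusable as sys.path."""
    return filter(None, path)

def sanitize_path(path):
    """Portable replacement: a new list with every CWD-relative entry removed."""
    return [p for p in path if p != "" and os.path.isabs(p)]

def shadowed_modules(module_names, path, cwd):
    """Detection check: which of the modules an application is about to import
    would be satisfied by a file in a CWD-relative entry (searched first)."""
    hits = {}
    for name in module_names:
        for entry in cwd_relative_entries(path):
            candidate = os.path.join(cwd, entry, name + ".py")
            if os.path.isfile(candidate):
                hits[name] = candidate
                break
    return hits

def demo_shadow_check():
    """Plant a constructed, empty 'shadowme.py' in a fresh temp dir and run the
    check there; returns the sorted names found to be shadowed (['shadowme'])."""
    workdir = tempfile.mkdtemp()
    open(os.path.join(workdir, "shadowme.py"), "w").close()
    return sorted(shadowed_modules(["shadowme", "os"], SAMPLE_PATH, workdir))

def harden_running_interpreter():
    """Sanitise the live sys.path in place and return what was removed, for logging."""
    removed = cwd_relative_entries(sys.path)
    sys.path[:] = sanitize_path(sys.path)
    return removed
```

An embedding program can run the same sanitisation through PyRun_SimpleString as the patch does, using the list-comprehension form so it also works on Python 3.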
Bug#504359: marked as done (csound: Python scripts load modules from current directory)
Your message dated Sun, 09 Nov 2008 10:47:05 +
with message-id [EMAIL PROTECTED]
and subject line Bug#504359: fixed in csound 1:5.08.0.dfsg2-8+lenny2
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

---BeginMessage---
Source: csound
Source-Version: 1:5.08.0.dfsg2-8+lenny2

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb
csound_5.08.0.dfsg2-8+lenny2.diff.gz to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.diff.gz
csound_5.08.0.dfsg2-8+lenny2.dsc to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.dsc
csound_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb to pool/main/c/csound/libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb
libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb to pool/main/c/csound/libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb
libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb
tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb to pool/main/c/csound/tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Debian distribution maintenance software
pp.
Jonas Smedegaard [EMAIL PROTECTED] (supplier of updated csound package)

-BEGIN PGP SIGNED