Bug#513419: nautilus-python: CVE-2009-0317 untrusted search path vulnerability
Nico Golde n...@debian.org (28/01/2009):
Package: nautilus-python
Severity: grave
Tags: security patch

I've just sponsored the package Evgeni has prepared without having it through the usual “Intent to NMU” way for the following reasons:
- security RC bugs patch available;
- no NACK for the proposed patch during the past days;
- previous NMU was ACKed in advance, so I guess it won't be a big deal;
- tight release schedule.

Please find attached the final source debdiff.

Mraw,
KiBi.

diff -u nautilus-python-0.4.3/debian/changelog nautilus-python-0.4.3/debian/changelog --- nautilus-python-0.4.3/debian/changelog +++ nautilus-python-0.4.3/debian/changelog @@ -1,3 +1,13 @@ +nautilus-python (0.4.3-3.2) unstable; urgency=high + + * Non-maintainer upload. + * Fix CVE-2009-0317: untrusted search path vulnerability. ++ Added patch: 50_CVE-2009-0317.patch ++ Closes: #513419 + * Urgency high for fixing a security RC bug. + + -- Evgeni Golov sarge...@die-welt.net Sun, 01 Feb 2009 23:34:17 +0100 + nautilus-python (0.4.3-3.1) unstable; urgency=low * Non-maintainer upload, ACKed by maintainer. only in patch2: unchanged: --- nautilus-python-0.4.3.orig/debian/patches/50_CVE-2009-0317.patch +++ nautilus-python-0.4.3/debian/patches/50_CVE-2009-0317.patch @@ -0,0 +1,10 @@ +--- a/src/nautilus-python.c 2006-02-15 22:25:20.0 +0100 b/src/nautilus-python.c 2009-01-29 09:46:13.0 +0100 +@@ -134,6 +134,7 @@ + + Py_Initialize(); + PySys_SetArgv(1, argv); ++ PyRun_SimpleString(import sys; sys.path = filter(None, sys.path)); + + /* pygtk.require(2.0) */ + pygtk = PyImport_ImportModule(pygtk);
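Review bot: The return value of the added PyRun_SimpleString call (the ++ line directly after PySys_SetArgv(1, argv) in the @@ -134,6 +134,7 @@ hunk) is ignored. PyRun_SimpleString returns -1 if the statement raises, and in that case the empty sys.path entry stays in place while initialization carries on to PyImport_ImportModule for pygtk; check the result and abort initialization on failure. Also note that filter(None, sys.path) drops only empty entries, so a relative entry such as "." would pass through, and a short C comment naming CVE-2008-5983 would tell later readers why the call has to stay directly after PySys_SetArgv.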
Bug#513419: nautilus-python: CVE-2009-0317 untrusted search path vulnerability
Hey *,

On Wed, 28 Jan 2009 23:12:16 +0100 Nico Golde wrote:
> CVE-2009-0317[0]:
> | Untrusted search path vulnerability in the Python language bindings
> | for Nautilus (nautilus-python) allows local users to execute arbitrary
> | code via a Trojan horse Python file in the current working directory,
> | related to a vulnerability in the PySys_SetArgv function
> | (CVE-2008-5983).
>
> To fix this you need to patch src/nautilus-python.c in the same way as
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=CVE-2009-0318.patch;att=1;bug=513418
> should be sufficient.

Attached is a patch against current version of nautilus-python in testing/unstable that fixes the issue. I also attach a patch against 0.5.0 in experimental, but this one is untested.

Regards
Evgeni

--
Bruce Schneier Fact Number 37:
Bruce Schneier's public and private keys are known as Law and Order.

--- nautilus-python-0.5.0/src/nautilus-python.c 2008-01-11 12:26:55.0 +0100 +++ nautilus-python-0.5.0/src/nautilus-python.c.new 2009-01-29 10:16:13.0 +0100 @@ -223,6 +223,8 @@ return FALSE; } + PyRun_SimpleString(import sys; sys.path = filter(None, sys.path)); + /* pygtk.require(2.0) */ debug(pygtk.require(\2.0\)); pygtk = PyImport_ImportModule(pygtk); diff -u nautilus-python-0.4.3/debian/changelog nautilus-python-0.4.3/debian/changelog --- nautilus-python-0.4.3/debian/changelog +++ nautilus-python-0.4.3/debian/changelog @@ -1,3 +1,11 @@ +nautilus-python (0.4.3-3.2) unstable; urgency=high + + * Non-maintainer upload. + * Fix CVE-2009-0317: untrusted search path vulnerability. +Closes: #513419 + + -- Evgeni Golov sarge...@die-welt.net Thu, 29 Jan 2009 09:47:39 +0100 + nautilus-python (0.4.3-3.1) unstable; urgency=low * Non-maintainer upload, ACKed by maintainer. only in patch2: unchanged: --- nautilus-python-0.4.3.orig/debian/patches/50_CVE-2009-0317_untrusted_search_path_vulnerability.patch +++ nautilus-python-0.4.3/debian/patches/50_CVE-2009-0317_untrusted_search_path_vulnerability.patch 
@@ -0,0 +1,10 @@ +--- a/src/nautilus-python.c 2006-02-15 22:25:20.0 +0100 b/src/nautilus-python.c 2009-01-29 09:46:13.0 +0100 +@@ -134,6 +134,7 @@ + + Py_Initialize(); + PySys_SetArgv(1, argv); ++ PyRun_SimpleString(import sys; sys.path = filter(None, sys.path)); + + /* pygtk.require(2.0) */ + pygtk = PyImport_ImportModule(pygtk);
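Review bot: In the 0.5.0 hunk (@@ -223,6 +223,8 @@) the PyRun_SimpleString line is added after a "return FALSE; }" block, and the context shown does not include the PySys_SetArgv call that the 0.4.3 patch places it directly after. Since this patch is described as untested, confirm that the line runs after PySys_SetArgv and before the first import; if PySys_SetArgv is called later than this point, the empty entry would be put back after the filter has already run.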
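Review bot: The changelog entry in the @@ -1,3 +1,11 @@ hunk sets urgency=high and closes #513419 but does not name the file added under debian/patches or say why the urgency is high. Add a sub-item naming 50_CVE-2009-0317_untrusted_search_path_vulnerability.patch and a line justifying the urgency, so the entry records what the upload actually changed.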
Bug#513419: nautilus-python: CVE-2009-0317 untrusted search path vulnerability
Package: nautilus-python
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities Exposures) id was published for nautilus-python.

CVE-2009-0317[0]:
| Untrusted search path vulnerability in the Python language bindings
| for Nautilus (nautilus-python) allows local users to execute arbitrary
| code via a Trojan horse Python file in the current working directory,
| related to a vulnerability in the PySys_SetArgv function
| (CVE-2008-5983).

To fix this you need to patch src/nautilus-python.c in the same way as
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=CVE-2009-0318.patch;att=1;bug=513418
should be sufficient.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0317
    http://security-tracker.debian.net/tracker/CVE-2009-0317

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
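What the CVE text describes and what the patch's sys.path filter changes, as an added Python 3 example (not code from nautilus-python or the Debian patch): PySys_SetArgv can leave an empty string at the front of sys.path (CVE-2008-5983), and Python treats that entry as the current working directory. The module name helper_mod_demo, the temporary directories and strict_filter are assumptions made for the demonstration.

```python
import os
import tempfile
from importlib.machinery import PathFinder

MODULE = "helper_mod_demo"  # constructed name standing in for a module the extension imports

def patch_filter(search_path):
    """Python 3 spelling of the patch's `filter(None, sys.path)`: drop empty entries."""
    return [p for p in search_path if p]

def strict_filter(search_path):
    """Stricter variant (an assumption, not in the patch): keep absolute entries only."""
    return [p for p in search_path if p and os.path.isabs(p)]

def origin_dir(search_path):
    """Directory the import machinery would load MODULE from, without importing it."""
    spec = PathFinder.find_spec(MODULE, search_path)
    return os.path.realpath(os.path.dirname(spec.origin)) if spec else None

def demo():
    """Resolve MODULE from a cwd holding a planted copy, before and after filtering."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as cwd:
        for d in (trusted, cwd):  # same file name in both directories
            with open(os.path.join(d, MODULE + ".py"), "w") as f:
                f.write("# constructed sample module\n")
        labels = {os.path.realpath(cwd): "cwd", os.path.realpath(trusted): "trusted"}
        raw = ["", trusted]  # '' first, as left behind by PySys_SetArgv
        os.chdir(cwd)
        try:
            return {
                "unfiltered": labels.get(origin_dir(raw)),
                "patched": labels.get(origin_dir(patch_filter(raw))),
            }
        finally:
            os.chdir(old_cwd)  # leave the temp dir before it is removed

if __name__ == "__main__":
    print(demo())
    sample = ["", ".", "/usr/lib/python3"]  # constructed path list
    print(patch_filter(sample))   # '.' survives the patch's filter
    print(strict_filter(sample))  # only the absolute entry remains
```

The second and third prints show the limit of the one-line fix: it removes the empty entry that PySys_SetArgv adds, while any relative entry that reached sys.path by another route is left alone.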