[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
Support for this version has ended

** Changed in: python2.4 (Ubuntu)
   Status: Confirmed => Invalid

** Changed in: python2.5 (Ubuntu)
   Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/322196

Title:
  Untrusted search path vulnerability in Python and multiple other programs

To manage notifications about this bug go to:
https://bugs.launchpad.net/gedit/+bug/322196/+subscriptions

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
csound was fixed in 1:5.08.2~dfsg-1.1ubuntu2.

** Changed in: csound (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
This was fixed in 0.96.1-7.1.

** Changed in: dia (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
eog was fixed in 2.24.1-0ubuntu1.

** Changed in: eog (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
epiphany-browser was fixed in 2.24.1-0ubuntu1.

** Changed in: epiphany-browser (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
nautilus-python was fixed in 0.6.1-1

** Changed in: nautilus-python (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
vim was fixed in 2:7.2.079-1ubuntu5

** Changed in: vim (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
python2.6 was fixed in 2.6.6-5ubuntu1.

** Changed in: python2.6 (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: gedit
   Importance: Unknown => Medium
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: gedit
   Status: New => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
ACK on the hardy update. Updated package was uploaded to hardy-security. Thanks for the debdiff.

** Changed in: xchat (Ubuntu)
   Status: Confirmed => Fix Committed
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
This bug was fixed in the package xchat - 2.8.4-0ubuntu7.1

---
xchat (2.8.4-0ubuntu7.1) hardy-security; urgency=low

  * SECURITY UPDATE (LP: #322196)
  * debian/patches/64_CVE-2009-0315.dpatch:
    - Fix untrusted search path vulnerability in the Python module in xchat
      allows local users to execute arbitrary code via a Trojan horse Python
      file in the current working directory
    - CVE-2009-0315

 -- Artur Rona ari-tc...@tlen.pl  Tue, 01 Jun 2010 21:27:28 +0200

** Changed in: xchat (Ubuntu)
   Status: Fix Committed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Branch linked: lp:ubuntu/hardy-security/xchat
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Also affects: python via
   http://bugs.python.org/issue5753
   Importance: Unknown
   Status: Unknown
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: python
   Status: Unknown => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Branch linked: lp:~ari-tczew/ubuntu/hardy/xchat/CVE-2009-0315
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Description changed:

  There's an interesting bug (or feature?) in Python 2.6 and earlier that
  affects multiple applications using Python. The bug allows local or
  user-assisted remote arbitrary code execution.

  Here is the description of the Python CVE:

  Untrusted search path vulnerability in the PySys_SetArgv API function in
  Python before 2.6 prepends an empty string to sys.path when the argv[0]
  argument does not contain a path separator, which might allow local
  users to execute arbitrary code via a Trojan horse Python file in the
  current working directory.

  (Python 2.6 is vulnerable, too. See the comments.)

  Affected packages are, at least:

- CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
+ CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
  CVE-2008-5983 - Python
  CVE-2008-5984 - Dia
  CVE-2008-5985 - Epiphany
  CVE-2008-5986 - Csound
  CVE-2008-5987 - eog
  CVE-2009-0314 - gedit
  CVE-2009-0315 - xchat
  CVE-2009-0316 - vim
  CVE-2009-0317 - Nautilus
  CVE-2009-0318 - Gnumeric

  I'm not sure which versions of these packages and which Ubuntu releases
  are actually affected, though.

  Source and more information: oss-security thread at
  http://www.openwall.com/lists/oss-security/2009/01/28/2
+ http://www.openwall.com/lists/oss-security/2009/01/26/2
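Added example, not part of the original bug thread or of any patched package: the description above says an empty string at the front of sys.path makes the current working directory part of the module search path. The sketch below flags such entries and shows, with the standard importlib path finder, that a module sitting in the working directory stops resolving once they are dropped. The module name lp322196_demo_mod and the helper names are hypothetical; the module file is constructed inside a temporary directory.

```python
import importlib
import importlib.machinery
import os
import tempfile


def untrusted_entries(search_path):
    """Entries the import system resolves against the current working directory.

    An empty string means "the cwd"; any other relative entry is also
    interpreted relative to wherever the process happens to be started.
    """
    return [p for p in search_path if p == "" or not os.path.isabs(p)]


def hardened(search_path):
    """Copy of search_path with every cwd-relative entry removed."""
    bad = set(untrusted_entries(search_path))
    return [p for p in search_path if p not in bad]


def resolve(name, search_path):
    """File the path finder would load for `name`, or None if not found."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def demo():
    """Return (found_in_cwd_before, origin_after_hardening)."""
    name = "lp322196_demo_mod"  # hypothetical module name, constructed for the demo
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir, \
            tempfile.TemporaryDirectory() as libdir:
        # Constructed file standing in for a module dropped into the
        # directory the user happens to start the application from.
        with open(os.path.join(workdir, name + ".py"), "w") as fh:
            fh.write("ORIGIN = 'current working directory'\n")
        os.chdir(workdir)
        try:
            path = ["", libdir]  # shape of sys.path described in the CVE text
            before = resolve(name, path)
            after = resolve(name, hardened(path))
        finally:
            os.chdir(old_cwd)
        found_in_cwd = (
            before is not None
            and os.path.realpath(os.path.dirname(before))
            == os.path.realpath(workdir)
        )
        return found_in_cwd, after


if __name__ == "__main__":
    print("cwd-relative entries in this interpreter:", untrusted_entries(list(__import__("sys").path)))
    print("demo (found in cwd before, origin after):", demo())
```

Running untrusted_entries over sys.path inside an embedding application's interpreter is a quick check for whether that build still exposes the working directory.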
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
Note that a workaround to this python bug was committed to Gnumeric upstream a long time ago (2009-01-29) and so this vulnerability is not in gnumeric anymore since release 1.9.4.

** Changed in: gnumeric (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Branch linked: lp:ubuntu/gedit
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: epiphany-browser (Ubuntu)
   Importance: Undecided => Low
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
This bug was fixed in the package gedit - 2.26.0-0ubuntu3

---
gedit (2.26.0-0ubuntu3) jaunty; urgency=low

  * debian/patches/91_correct_path_use.patch:
    - CVE-2009-0314, don't use an untrusted python path when loading
      (lp: #322196)

 -- Sebastien Bacher seb...@ubuntu.com  Wed, 08 Apr 2009 13:19:13 +0200

** Changed in: gedit (Ubuntu)
   Status: Triaged => Fix Released
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Also affects: python2.6 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: python2.6 (Ubuntu)
   Importance: Undecided => Low

** Changed in: python2.6 (Ubuntu)
   Status: New => Confirmed

** Changed in: python2.3 (Ubuntu)
   Status: Confirmed => Won't Fix
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: gedit
   Status: Unknown => New
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: gedit (Ubuntu)
   Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
   Status: Confirmed => Triaged

** Bug watch added: GNOME Bug Tracker #569214
   http://bugzilla.gnome.org/show_bug.cgi?id=569214

** Also affects: gedit via
   http://bugzilla.gnome.org/show_bug.cgi?id=569214
   Importance: Unknown
   Status: Unknown
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
According to these links (provided by Jan Lieskovsky in the thread referenced above), Python 2.6 is affected as well.

http://www.openwall.com/lists/oss-security/2009/01/28/5
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

** Description changed:

- Binary package hint: python2.5
-
- There's an interesting bug (or feature?) in Python 2.5 and earlier that
+ There's an interesting bug (or feature?) in Python 2.6 and earlier that
  affects multiple applications using Python. The bug allows local or
  user-assisted remote arbitrary code execution.

  Here is the description of the Python CVE:

  Untrusted search path vulnerability in the PySys_SetArgv API function in
  Python before 2.6 prepends an empty string to sys.path when the argv[0]
  argument does not contain a path separator, which might allow local
  users to execute arbitrary code via a Trojan horse Python file in the
  current working directory.
+
+ (Python 2.6 is vulnerable, too. See the comments.)

  Affected packages are, at least:

  CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
  CVE-2008-5983 - Python
  CVE-2008-5984 - Dia
  CVE-2008-5985 - Epiphany
  CVE-2008-5986 - Csound
  CVE-2008-5987 - eog
  CVE-2009-0314 - gedit
  CVE-2009-0315 - xchat
  CVE-2009-0316 - vim
  CVE-2009-0317 - Nautilus
  CVE-2009-0318 - Gnumeric

  I'm not sure which versions of these packages and which Ubuntu releases
  are actually affected, though.

  Source and more information: oss-security thread at
  http://www.openwall.com/lists/oss-security/2009/01/28/2
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: csound (Ubuntu)
   Status: New => Confirmed

** Changed in: csound (Ubuntu)
   Importance: Undecided => Low

** Changed in: dia (Ubuntu)
   Status: New => Confirmed

** Changed in: dia (Ubuntu)
   Importance: Undecided => Low

** Changed in: eog (Ubuntu)
   Status: New => Confirmed

** Changed in: eog (Ubuntu)
   Importance: Undecided => Low

** Changed in: gedit (Ubuntu)
   Status: New => Confirmed

** Changed in: gedit (Ubuntu)
   Importance: Undecided => Low

** Changed in: gnumeric (Ubuntu)
   Status: New => Confirmed

** Changed in: gnumeric (Ubuntu)
   Importance: Undecided => Low

** Changed in: nautilus (Ubuntu)
   Status: New => Confirmed

** Changed in: nautilus (Ubuntu)
   Importance: Undecided => Low

** Changed in: python2.4 (Ubuntu)
   Status: New => Confirmed

** Changed in: python2.4 (Ubuntu)
   Importance: Undecided => Low

** Changed in: python2.5 (Ubuntu)
   Status: New => Confirmed

** Changed in: python2.5 (Ubuntu)
   Importance: Undecided => Low

** Changed in: xchat (Ubuntu)
   Status: New => Confirmed

** Changed in: xchat (Ubuntu)
   Importance: Undecided => Low

** Changed in: vim (Ubuntu)
   Status: New => Confirmed

** Changed in: vim (Ubuntu)
   Importance: Undecided => Low
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
** Changed in: epiphany (Ubuntu)
   Status: New => Invalid

** Also affects: epiphany-browser (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: python2.3 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: epiphany-browser (Ubuntu)
   Status: New => Confirmed

** Changed in: python2.3 (Ubuntu)
   Status: New => Confirmed

** Changed in: nautilus-python (Ubuntu)
   Sourcepackagename: nautilus => nautilus-python
[Bug 322196] Re: Untrusted search path vulnerability in Python and multiple other programs
Adding CVE references: CVE-2008-5983, CVE-2008-5984, CVE-2008-5985, CVE-2008-5986, CVE-2008-5987, CVE-2009-0314, CVE-2009-0315, CVE-2009-0316, CVE-2009-0317, CVE-2009-0318

** Also affects: python2.4 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: dia (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: epiphany (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: csound (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: eog (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: gedit (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: xchat (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: vim (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: nautilus (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: gnumeric (Ubuntu)
   Importance: Undecided
   Status: New