[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
This bug was fixed in the package python2.7 - 2.7.12-1ubuntu0~16.04.3

---
python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts. LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose  Mon, 04 Dec 2017 15:50:18 +0100

** Changed in: python2.7 (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1512068

Title:
  Python ctypes.util , Shell Injection in find_library()

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1512068/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
exploits don't work anymore in the proposed python2.7 update to xenial.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
Hello Bernd, or anyone else affected,

Accepted python2.7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: python2.7 (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-xenial
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python2.7 (Ubuntu Xenial) Assignee: (unassigned) => Brian Morton (rokclimb15) ** Changed in: python2.7 (Ubuntu) Assignee: Brian Morton (rokclimb15) => (unassigned)
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
fixed in zesty and newer releases

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: python2.7 (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
Attached is a debdiff for trusty. If someone could please review and provide feedback, I'll produce additional ones for precise, xenial, yakkety, and zesty

** Patch added: "Debdiff of modified upstream patch for trusty"
   https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+attachment/4791357/+files/python2.7_2.7.6-8ubuntu0.4.debdiff
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python2.7 (Ubuntu) Assignee: (unassigned) => Brian Morton (rokclimb15)
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python2.7 (Ubuntu) Status: New => Confirmed
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python Status: New => Fix Released
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python Status: Unknown => New
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Also affects: python via http://bugs.python.org/issue22636 Importance: Unknown Status: Unknown
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
** Changed in: python2.7 (Ubuntu) Importance: Undecided => High
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
upstream only fixed this in 3.5 which we do carry, but not other release series. It's not that "ubuntu didn't pick up the fix", it's the upstream that didn't apply in all applicable release series. commented on your bug report.
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
Seems the bug is already known and fixed since 2014 but has not found its way to ubuntu repos.

http://bugs.python.org/issue22636

** Information type changed from Private Security to Public Security

** Bug watch added: Python Roundup #22636
   http://bugs.python.org/issue22636
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
The attachment "Patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch
[Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
marking as security. ** Information type changed from Public to Private Security