Debian Bug report logs - #309648
Cheetah loads arbitrary code from /tmp


Package: cheetah; Maintainer for cheetah is JCF Ploemen (jcfp) <linux@jcf.pm>

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 18 May 2005 14:48:11 UTC

Severity: grave

Tags: patch, security

Fixed in version cheetah/0.9.16-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#309648; Package cheetah.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Chad Walstrom <chewie@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Cheetah loads arbitrary code from /tmp
Date: Wed, 18 May 2005 16:27:02 +0200
Package: cheetah
Severity: grave
Tags: security

Cheetah loads arbitrary module code from /tmp, see
http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542
for a detailed discussion. It's fixed in CVS and 0.9.17rc1,
but since Sarge is in freeze an upload with only the security
fix would surely be appreciated by the release managers.

Cheers,
         Moritz

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#309648; Package cheetah.


Acknowledgement sent to Kenshi Muto <kmuto@debian.org>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.


Message #10 received at 309648@bugs.debian.org:

From: Kenshi Muto <kmuto@debian.org>
To: 309648@bugs.debian.org
Subject: Re: Cheetah loads arbitrary code from /tmp
Date: Fri, 20 May 2005 20:24:36 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I checked out CVS from the upstream site and tried to get a diff for this
security problem.

CHANGES said:
0.9.17-rc1 (May 12, 2005)
  - removed the use of temp files for handling imports with dynamic
    compilation. This removes a whole slew of issues, including a temp file
    security issue reported on the email list by Brian Bird. [TR]
  - fixed bug with handling of the searchList with dynamic inheritance, as
    reported by  Brian Bird. [TR]

The latter is outside the scope of Sarge; the former is the target.

From my quick look, only src/Template.py is modified between -r1.115
and -r1.116 (attached).
I'm sorry, but I couldn't understand the Python code well and I didn't
check the other code modifications carefully.

It's better to ask upstream author what they changed.

Thanks,
- -- 
Kenshi Muto
kmuto@debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iEYEARECAAYFAkKNyMYACgkQQKW+7XLQPLFKxQCfQ3Nb1fgzR25H8RgHKzePR7LO
pvwAn3J17wA/Ch7q8MlHm04rqZTlzLC1
=DlBx
-----END PGP SIGNATURE-----
[r1.115-r1.116.patch (application/octet-stream, attachment)]
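The CHANGES entry above describes the fix in one line: the dynamically compiled module source is no longer written to a temp file and then imported from disk. The example below is an added illustration and is not Cheetah's code, the attached patch, or anything from the Debian package. It shows the two defensive points behind the bug in ordinary Python: compiling generated source in memory so no on-disk file exists for another local user to pre-create, and auditing import search paths for directories an unprivileged user can write to. The function names `load_generated_module`, `is_untrusted_dir` and `audit_sys_path` are assumptions for this example. Note that the sticky bit on /tmp only stops other users from deleting or renaming your files; it does not stop them from creating a file under a predictable name before you do, which is why shared temp directories are flagged explicitly rather than relying on the mode check alone.

```python
import os
import stat
import sys
import types

# Constructed example, not Cheetah's own code and not the attached patch.
# It illustrates the two defensive points behind Debian bug #309648.

# Directories shared by all local users; anything imported from here is suspect.
SHARED_TMP_DIRS = ("/tmp", "/var/tmp")

# A known-good, non-world-writable directory used in the tests below.
STDLIB_DIR = os.path.dirname(os.__file__)


def load_generated_module(name, source):
    """Compile generated module source in memory and return a module object.

    Nothing is written to the filesystem, so there is no temp file whose
    name another local user could guess and pre-create or replace before
    the import happens.
    """
    code = compile(source, "<generated:%s>" % name, "exec")
    module = types.ModuleType(name)
    module.__file__ = None  # explicit: this module has no on-disk backing
    exec(code, module.__dict__)
    return module


def is_untrusted_dir(path, shared_tmp_dirs=SHARED_TMP_DIRS):
    """Return True if `path` should never be on a module search path.

    A directory is flagged if it is (or lies under) a shared temp
    directory, or if it is world-writable without the sticky bit.
    Nonexistent paths outside the temp directories are not flagged,
    since nothing can be loaded from them.
    """
    real = os.path.realpath(path)
    for tmp in shared_tmp_dirs:
        tmp_real = os.path.realpath(tmp)
        if real == tmp_real or real.startswith(tmp_real + os.sep):
            return True
    try:
        st = os.stat(real)
    except OSError:
        return False
    mode = st.st_mode
    if not stat.S_ISDIR(mode):
        return False
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    return world_writable and not sticky


def audit_sys_path(paths=None):
    """Return the entries of `paths` (default: sys.path) that are untrusted.

    The empty string (meaning the current directory) is skipped; whether
    the current directory is trustworthy depends on who launched the process.
    """
    if paths is None:
        paths = sys.path
    return [p for p in paths if p and is_untrusted_dir(p)]


if __name__ == "__main__":
    # Constructed sample of generated template code.
    mod = load_generated_module("sample_template", "def render(name):\n    return 'Hello, ' + name\n")
    print(mod.render("world"))
    print("untrusted sys.path entries:", audit_sys_path())
```

Running the block with no arguments compiles a constructed template module in memory and reports any sys.path entries that point into /tmp, /var/tmp or a world-writable directory without the sticky bit.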

Tags added: pending, patch, sarge. Request was from Chad Walstrom <chewie@wookimus.net> to control@bugs.debian.org.


Reply sent to Chad Walstrom <chewie@debian.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #17 received at 309648-close@bugs.debian.org:

From: Chad Walstrom <chewie@debian.org>
To: 309648-close@bugs.debian.org
Subject: Bug#309648: fixed in cheetah 0.9.16-1
Date: Sat, 21 May 2005 15:47:15 -0400
Source: cheetah
Source-Version: 0.9.16-1

We believe that the bug you reported is fixed in the latest version of
cheetah, which is due to be installed in the Debian FTP archive:

cheetah-common_0.9.16-1_all.deb
  to pool/main/c/cheetah/cheetah-common_0.9.16-1_all.deb
cheetah_0.9.16-1.diff.gz
  to pool/main/c/cheetah/cheetah_0.9.16-1.diff.gz
cheetah_0.9.16-1.dsc
  to pool/main/c/cheetah/cheetah_0.9.16-1.dsc
python-cheetah_0.9.16-1_all.deb
  to pool/main/c/cheetah/python-cheetah_0.9.16-1_all.deb
python2.2-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.2-cheetah_0.9.16-1_i386.deb
python2.3-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.3-cheetah_0.9.16-1_i386.deb
python2.4-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.4-cheetah_0.9.16-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 309648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chad Walstrom <chewie@debian.org> (supplier of updated cheetah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 21 May 2005 12:40:10 -0500
Source: cheetah
Binary: python2.3-cheetah cheetah-common python2.2-cheetah python-cheetah python2.4-cheetah
Architecture: source i386 all
Version: 0.9.16-1
Distribution: unstable
Urgency: high
Maintainer: Chad Walstrom <chewie@debian.org>
Changed-By: Chad Walstrom <chewie@debian.org>
Description: 
 cheetah-common - text-based template engine and Python code generator
 python-cheetah - text-based template engine and Python code generator
 python2.2-cheetah - text-based template engine and Python code generator
 python2.3-cheetah - text-based template engine and Python code generator
 python2.4-cheetah - text-based template engine and Python code generator
Closes: 309648
Changes: 
 cheetah (0.9.16-1) unstable; urgency=high
 .
   * debian/rules, debian/patches: Added simple-patchsys so we can
     apply security patches.
   * debian/patches/309648-tmpfix.patch: Kenshi Muto grabbed this one
     from the cheetahtemplate CVS.  Upstream rewrote how imports were
     handled, removing the need to use temp files and eliminating this
     security breach.  Closes: #309648
   * debian/control: Added version dependency for cdbs, required to support
     Python 2.4.
Files: 
 89b3f3a298f00614529fccfc7c5fe96d 722 text optional cheetah_0.9.16-1.dsc
 26427c4087e052c627ce226591d6e030 143466 text optional cheetah_0.9.16.orig.tar.gz
 4d482a1c228724564e06ae7747544232 9715 text optional cheetah_0.9.16-1.diff.gz
 b86d48c8b05d70a262c28d3f2983d64d 28690 text optional cheetah-common_0.9.16-1_all.deb
 fa1cc35d62c30b462ff1c41b70a32132 25356 text optional python-cheetah_0.9.16-1_all.deb
 5bbcd5f68d5c242433c5adb83e5aeca4 148280 text optional python2.2-cheetah_0.9.16-1_i386.deb
 6f01951dae27911411a58c731548b65a 148282 text optional python2.3-cheetah_0.9.16-1_i386.deb
 ac40b445899c88105478a39bd50b4ba8 148290 text optional python2.4-cheetah_0.9.16-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCj4MYDMcLGCBsWv0RAvgYAJ9Ab162yfmglsAklJ6CVs3oA5+gJACgy3Kc
rOzDuZHwVIC3FPdliumOh70=
=OIB9
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#309648; Package cheetah.


Acknowledgement sent to Stephane Bortzmeyer <bortzmeyer@nic.fr>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.


Message #22 received at 309648@bugs.debian.org:

From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: 309648@bugs.debian.org
Cc: 309648-submitter@bugs.debian.org
Subject: Should we reopen the bug?
Date: Mon, 23 May 2005 09:17:33 +0200
#309648 appears as fixed while the bug is still in sarge. sarge being
frozen, the bug does *not* appear as RC
(http://bugs.debian.org/release-critical/debian/all.html).

I believe we should reopen the bug (with its current tags, including
"sarge").



Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#309648.


Bug reopened, originator not changed. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Tags removed: pending. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#309648; Package cheetah.


Acknowledgement sent to Chad Walstrom <chewie@wookimus.net>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.


Message #34 received at 309648@bugs.debian.org:

From: Chad Walstrom <chewie@wookimus.net>
To: bortzmeyer@nic.fr, control@bugs.debian.org
Cc: 309648@bugs.debian.org, 309648-submitter@bugs.debian.org
Subject: Re: Bug#309648: Should we reopen the bug?
Date: Mon, 23 May 2005 09:38:27 -0500
reopen 309648 =
thanks

Absolutely.  It should be reopened for sarge.  I should not have put
the "Closed:" line in the changelog.

-- 
Chad Walstrom <chewie@wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */



Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#309648.


Tags removed: sarge. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug closed, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 14 22:46:16 2018; Machine Name: beach
