Debian Bug report logs - #326976
py2play security vulnerability


Package: py2play; Maintainer for py2play is (unknown);

Reported by: Arc <arc@Xiph.org>

Date: Tue, 6 Sep 2005 23:03:03 UTC

Severity: important

Tags: security

Found in version py2play/0.1.7-1

Fixed in version py2play/0.1.8-1

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#326976; Package py2play. (full text, mbox, link).


Acknowledgement sent to Arc <arc@Xiph.org>:
New Bug report received and forwarded. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Arc <arc@Xiph.org>
To: submit@bugs.debian.org
Cc: Marc Dequènes <Duck@DuckCorp.org>
Subject: py2play security vulnerability
Date: Tue, 6 Sep 2005 15:47:15 -0700
Package: py2play
Version: 0.1.7-1

py2play uses Python pickle for sharing Soya objects (or other classes) 
over a P2P network.  Pickle objects, when unpickled, contain both data 
and code.  A malicious user on a game's P2P net can send custom classes 
to fellow players in order to gain access to their systems or execute 
malicious commands.  

There is no fix to this; this flaw is at py2play's core.  The maintainer 
of this package has been aware of this security flaw for some time and 
has not only ignored it, but replaced it with a new module called "tofu" 
which has the same vulnerability.

At a minimum, users of this Python module need to be aware of this.

-- 

Diversity is the Fuel of Evolution, 
 Conformity it's Starvation.
Be Radical.  Be New.  Be Different. 
Feed Evolution with Everything You Are.
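As an added illustration of the mechanism described above (example code, not from py2play, Soya or this report): a pickle can direct the loader to resolve and call any importable name, whereas an Unpickler whose find_class only resolves an allow-list of game classes rejects such a message before anything runs. Position, Tripwire and record are constructed stand-ins; record is deliberately harmless and only counts how often it was invoked.

```python
import io
import pickle

# Constructed stand-in for a Soya/py2play game object that peers exchange.
class Position:
    def __init__(self, x, y):
        self.x, self.y = x, y

    def __eq__(self, other):
        return isinstance(other, Position) and (self.x, self.y) == (other.x, other.y)

CALLS = []  # grows by one each time an unpickle invokes record()

def record():
    """Harmless stand-in for whatever callable a peer's pickle could name."""
    CALLS.append("called")

class Tripwire:
    """Constructed message: its pickle tells the loader to call record()."""
    def __reduce__(self):
        return (record, ())

# The only (module, name) pair a remote pickle is permitted to resolve.
ALLOWED = {(Position.__module__, "Position")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode lands here; refuse anything unlisted.
        if (module, name) in ALLOWED:
            return Position
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def unsafe_loads(data):
    return pickle.loads(data)  # unrestricted unpickling of peer data

def demo():
    """Returns (object from safe loader, record() calls caused by unsafe load, tripwire rejected?)."""
    legit = pickle.dumps(Position(3, 4))   # constructed legitimate game message
    hostile = pickle.dumps(Tripwire())     # constructed message carrying a REDUCE call
    ok = safe_loads(legit)                 # allow-listed class: accepted
    before = len(CALLS)
    unsafe_loads(hostile)                  # plain pickle runs record() during load
    ran = len(CALLS) - before
    try:
        safe_loads(hostile)                # restricted loader refuses the global
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return ok, ran, rejected
```

Running demo() shows the legitimate object round-trips through the restricted loader while the tripwire executes under plain pickle.loads and is refused by the restricted one.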



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#326976; Package py2play. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (full text, mbox, link).


Message #10 received at 326976@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@canonical.com>
To: 326976@bugs.debian.org
Subject: CAN number
Date: Tue, 20 Sep 2005 08:38:44 +0200
[Message part 1 (text/plain, inline)]
Hi!

This is CAN-2005-2875. If you fix this, please mention this number in
the changelog.

However, since this seems to be intrinsically hard to fix (apart from
completely changing the data format), it may be advisable to remove
this package from testing.

Gentoo's security advisory consisted of the removal from the ebuilds.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#326976; Package py2play. (full text, mbox, link).


Acknowledgement sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #15 received at 326976@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: 326976@bugs.debian.org
Subject: Re: Bug#326976: CAN number
Date: Tue, 20 Sep 2005 16:17:56 +0200
[Message part 1 (text/plain, inline)]
Coin,

Martin Pitt <martin.pitt@canonical.com> writes:

> This is CAN-2005-2875. If you fix this, please mention this number in
> the changelog.

Thanks.

> However, since this seems to be intrinsically hard to fix (apart from
> completely changing the data format), it may be advisable to remove
> this package from testing.
>
> Gentoo's security advisory consisted of the removal from the ebuilds.

Gentoo is not a reference...

I asked the author who made a quick fix disabling network mode. Both
py2play and soya are soon to be uploaded. py2play is still necessary
because it manages the game's main loop and a real dependency removal
would have taken much more time. Cleanups later...

py2play is 1.0.7 on all distribs, so it's ok, 1.0.8 only fixes this
security problem and can be pushed to sarge. I'm asking for a patch for
slune 1.0.7 for sarge.

Stay tuned and please do not yet remove packages.

-- 
Marc Dequènes (Duck)
[Message part 2 (application/pgp-signature, inline)]

Severity set to `important'. Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security, pending Request was from Marc Dequènes (Duck) <Duck@DuckCorp.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Arc <arc@Xiph.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #24 received at 326976-close@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 326976-close@bugs.debian.org
Subject: Bug#326976: fixed in py2play 0.1.8-1
Date: Wed, 21 Sep 2005 16:32:11 -0700
Source: py2play
Source-Version: 0.1.8-1

We believe that the bug you reported is fixed in the latest version of
py2play, which is due to be installed in the Debian FTP archive:

py2play_0.1.8-1.diff.gz
  to pool/main/p/py2play/py2play_0.1.8-1.diff.gz
py2play_0.1.8-1.dsc
  to pool/main/p/py2play/py2play_0.1.8-1.dsc
py2play_0.1.8.orig.tar.gz
  to pool/main/p/py2play/py2play_0.1.8.orig.tar.gz
python-2play_0.1.8-1_all.deb
  to pool/main/p/py2play/python-2play_0.1.8-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 326976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated py2play package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 21 Sep 2005 22:57:42 +0200
Source: py2play
Binary: python-2play
Architecture: source all
Version: 0.1.8-1
Distribution: unstable
Urgency: high
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description: 
 python-2play - peer-to-peer network game engine
Closes: 326976
Changes: 
 py2play (0.1.8-1) unstable; urgency=high
 .
   * Security fix (network mode disabled)(CAN-2005-2875)
     (Closes: #326976).
   * Fix FSF address in 'debian/copyright'.
Files: 
 33a793afd4f6dc95a236af7a17737d7a 608 python optional py2play_0.1.8-1.dsc
 2d82c0ffbe48094e6027de898fc6a554 21515 python optional py2play_0.1.8.orig.tar.gz
 5aa45164d19ba44d22094eb23c803d2b 2088 python optional py2play_0.1.8-1.diff.gz
 0810e0d459c91dee6a5adedc15d43f39 17784 python optional python-2play_0.1.8-1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#326976; Package py2play. (full text, mbox, link).


Acknowledgement sent to Arc <arc@Xiph.org>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (full text, mbox, link).


Message #29 received at 326976@bugs.debian.org (full text, mbox, reply):

From: Arc <arc@Xiph.org>
To: 326976@bugs.debian.org
Subject: Re: Bug#326976 acknowledged by developer (Bug#326976: fixed in py2play 0.1.8-1)
Date: Wed, 21 Sep 2005 18:19:03 -0700
On Wed, Sep 21, 2005 at 04:48:30PM -0700, Debian Bug Tracking System wrote:
> 
> We believe that the bug you reported is fixed in the latest version of
> py2play, which is due to be installed in the Debian FTP archive:

You are incorrect.  This bug is part of py2play's API; it is unlikely it 
will be fixed without a complete rewrite, which is unlikely since its 
developer has abandoned it, acknowledging its faulty design (using TCP) 
and security problems.
 
-- 

Diversity is the Fuel of Evolution, 
 Conformity it's Starvation.
Be Radical.  Be New.  Be Different. 
Feed Evolution with Everything You Are.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#326976; Package py2play. (full text, mbox, link).


Acknowledgement sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #34 received at 326976@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: Arc <arc@Xiph.org>
Cc: 326976@bugs.debian.org
Subject: Re: Bug#326976: acknowledged by developer (Bug#326976: fixed in py2play 0.1.8-1)
Date: Thu, 22 Sep 2005 10:48:41 +0200
[Message part 1 (text/plain, inline)]
Coin,

Arc <arc@Xiph.org> writes:

> You are incorrect.  This bug is part of py2play's API; it is unlikely it 
> will be fixed without a complete rewrite, which is unlikely since its 
> developer has abandoned it, acknowledging its faulty design (using TCP) 
> and security problems.

I do not understand why I'm incorrect from your explanation...

Py2play must die, but it is NOT currently possible. Slune needs py2play's
main loop to work at all, and this fix preserves the loop while
deactivating the network mode, thus removing the security flaw. So, this
bug _IS_ fixed.

Rewrite happening or not is not my problem, this is upstream's choice;
Slune, the only program in Debian using py2play, can work nicely without
network mode, and thus everything is fine. Tofu is another problem and
is not packaged yet.

I'll try to get the author to re-add a proper network mode when a revised
tofu or another implementation is correctly done, or if I cannot, push
him to take the py2play depends away and remove the package
completely. Fact is we cannot remove a package from a released version
(Sarge) and such a fix handles the problem with a very short amount of
diff lines, making the security team happier.

I should add a warning in the py2play description to avoid people using
this package.

If you still think I'm wrong, what would you do to handle the problem
then?

-- 
Marc Dequènes (Duck)
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:38:37 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:59:27 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.