Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>: Bug#504251; Package dia.
(Sun, 02 Nov 2008 05:24:04 GMT)
Acknowledgement sent
to James Vega <jamessan@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>.
(Sun, 02 Nov 2008 05:24:04 GMT)
Package: dia
Version: 0.96.1-7
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
dia's python interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string. This allows the possibility to run
arbitrary code on the user's system if there is a python file in dia's
working directory named the same as one that dia's python scripts try to
import.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dia depends on:
pn dia-common <none> (no description available)
pn dia-libs <none> (no description available)
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcairo2 1.6.4-6.1 The Cairo 2D vector graphics libra
ii libfontconfig1 2.6.0-1 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages dia recommends:
ii gsfonts-x11 0.21 Make Ghostscript fonts available t
dia suggests no packages.
Bug marked as found in version 0.95.0-4.1.
Request was from Raphael Geissert <atomo64@gmail.com>
to control@bugs.debian.org.
(Sun, 02 Nov 2008 06:27:03 GMT)
Tags added: upstream
Request was from James Vega <jamessan@debian.org>
to control@bugs.debian.org.
(Mon, 03 Nov 2008 03:03:05 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>: Bug#504251; Package dia.
(Sat, 15 Nov 2008 21:51:02 GMT)
Acknowledgement sent
to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>.
(Sat, 15 Nov 2008 21:51:03 GMT)
Tags added: patch
Request was from Alexander Reichle-Schmehl <tolimar@debian.org>
to control@bugs.debian.org.
(Sat, 15 Nov 2008 21:51:05 GMT)
Reply sent
to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility.
(Sat, 15 Nov 2008 22:27:15 GMT)
Notification sent
to James Vega <jamessan@debian.org>:
Bug acknowledged by developer.
(Sat, 15 Nov 2008 22:27:16 GMT)
From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 504251-close@bugs.debian.org
Subject: Bug#504251: fixed in dia 0.96.1-7.1
Date: Sat, 15 Nov 2008 22:02:05 +0000
Source: dia
Source-Version: 0.96.1-7.1
We believe that the bug you reported is fixed in the latest version of
dia, which is due to be installed in the Debian FTP archive:
dia-common_0.96.1-7.1_all.deb
to pool/main/d/dia/dia-common_0.96.1-7.1_all.deb
dia-gnome_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia-gnome_0.96.1-7.1_i386.deb
dia-libs_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia-libs_0.96.1-7.1_i386.deb
dia_0.96.1-7.1.diff.gz
to pool/main/d/dia/dia_0.96.1-7.1.diff.gz
dia_0.96.1-7.1.dsc
to pool/main/d/dia/dia_0.96.1-7.1.dsc
dia_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia_0.96.1-7.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 504251@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <tolimar@debian.org> (supplier of updated dia package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 15 Nov 2008 22:11:35 +0100
Source: dia
Binary: dia-common dia-libs dia dia-gnome
Architecture: source all i386
Version: 0.96.1-7.1
Distribution: unstable
Urgency: low
Maintainer: Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>
Changed-By: Alexander Reichle-Schmehl <tolimar@debian.org>
Description:
dia - Diagram editor
dia-common - Diagram editor (common files)
dia-gnome - Diagram editor (GNOME version)
dia-libs - Diagram editor (library files)
Closes: 504251
Changes:
dia (0.96.1-7.1) unstable; urgency=low
.
* Non-maintainer upload.
* Applying patch by James Vega to solve module import problem
(Closes: #504251)
Checksums-Sha1:
da0f1e840303dcad56d4cd41288b20f0312fc34c 1352 dia_0.96.1-7.1.dsc
6c99804836823bd201854dc972413f9459ef81f9 99219 dia_0.96.1-7.1.diff.gz
1752075d60595e89900b0ebb097c1857e2827bdd 4114168 dia-common_0.96.1-7.1_all.deb
81efe5af2301d94b662a45a006c4e39c7d0c9a47 716604 dia-libs_0.96.1-7.1_i386.deb
1930ba01527f83b3b724b1beb90a66db25706457 192482 dia_0.96.1-7.1_i386.deb
c32255e3d8858d70c2560b41fe0058bd942ee1a3 193430 dia-gnome_0.96.1-7.1_i386.deb
Checksums-Sha256:
ed4350897f8bf083b552ab717f0dce3b75dad2e5d1862886be6995870f6f363e 1352 dia_0.96.1-7.1.dsc
2f8fb2cceb9e6692fa0f363b6a844c3605a65a6b195b0478bd7ad8313cceb977 99219 dia_0.96.1-7.1.diff.gz
39552adf5fad8f8e4dd56f67b189c604e1327ec7225e4ab972bdaed8f31101b7 4114168 dia-common_0.96.1-7.1_all.deb
66b586b73e851f503e8b31691e3e98689979ff06a1c4fbc1b9f07e2f379842d5 716604 dia-libs_0.96.1-7.1_i386.deb
0ccf34b133259564112b12eabd246022a06b4b705c1a2570df44b75553757aa2 192482 dia_0.96.1-7.1_i386.deb
14820d3a2631be8bd55794cc3224b542be07c095c18773349ea310b158cf2a8d 193430 dia-gnome_0.96.1-7.1_i386.deb
Files:
c026ecc8e048b62c65b79a74e603beab 1352 graphics optional dia_0.96.1-7.1.dsc
3beb636e7057fb512d54bfd86d199204 99219 graphics optional dia_0.96.1-7.1.diff.gz
364734a637cbe18dfad7fa35cea0ba46 4114168 graphics optional dia-common_0.96.1-7.1_all.deb
90561d15ec6d2b82d7377effa10e3110 716604 graphics optional dia-libs_0.96.1-7.1_i386.deb
a75dce54d3c271c4868503a764ac285e 192482 graphics optional dia_0.96.1-7.1_i386.deb
f375a8acb43e98af2609ac1f93bedfa6 193430 gnome optional dia-gnome_0.96.1-7.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkfQXAACgkQBxd04ADYzRbtDwCeIPjAc6rStoniQ6IYDkb6xkb2
yuwAoJk+k13ZrXAlpjDJ+vtery08rPUs
=Mu3+
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>: Bug#504251; Package dia.
(Thu, 04 Dec 2008 20:27:03 GMT)
Acknowledgement sent
to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>.
(Thu, 04 Dec 2008 20:27:03 GMT)
As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.
Specifically, it must return NULL when given an empty string for the
path. At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.
When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).
[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
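The hazard described in the original report (an empty first sys.path entry lets a same-named .py file in the working directory win the import) and the realpath(3) caveat from the follow-up above, as an added example that is not part of this bug log and is not dia's or Vim's code. Instead of an embedded interpreter it uses importlib's PathFinder to ask which file a given search path would load, so it runs offline under any Python 3. The module name plugin_helper, the trusted/attacker_cwd directory layout and the marker directory /must>not&exist are made up for the demonstration; the FreeBSD case is approximated by prepending the attacker-controlled directory itself, since the page only says that realpath('') yields the working directory, not the exact string PySys_SetArgv derives from it.

```python
"""sys.path hijacking through PySys_SetArgv, and the scrub strategies from the
thread, simulated with importlib's PathFinder.  Added example, not dia's or
Vim's code; module name, directory layout and marker directory are made up."""
import os
import tempfile
from importlib.machinery import PathFinder

MODULE = "plugin_helper"        # hypothetical module the host application imports
MARKER_DIR = "/must>not&exist"  # hypothetical directory that cannot exist


def resolve(name, search_path):
    """Return the file the import system would load for `name` given
    `search_path`, or None.  An entry of '' is expanded to the process's
    current working directory at lookup time, which is the hazard in the
    original report: whoever controls the cwd controls the import."""
    spec = PathFinder.find_spec(name, list(search_path))
    return None if spec is None else spec.origin


def scrub_empty(search_path):
    """The approach the follow-up says is insufficient: drop only entries
    that are literally ''.  If the libc's realpath('') returned a concrete
    directory, PySys_SetArgv inserted that instead and this keeps it."""
    return [p for p in search_path if p != ""]


def scrub_first(search_path):
    """Alternative 1 from the follow-up: drop whatever PySys_SetArgv
    prepended, whatever its spelling.  Only safe immediately after the
    PySys_SetArgv call, before anything else has modified sys.path."""
    return list(search_path)[1:]


def scrub_marker(search_path, marker_dir=MARKER_DIR):
    """Alternative 2 (the Vim approach): argv[0] was set to a file under a
    directory that cannot exist, so the inserted entry is known in advance
    and can be removed by value."""
    return [p for p in search_path if p != marker_dir]


def build_layout(root):
    """Constructed fixture: a trusted plug-in directory and an attacker-
    controlled working directory, each holding its own plugin_helper.py."""
    trusted = os.path.join(root, "trusted")
    attacker_cwd = os.path.join(root, "attacker_cwd")
    for directory, body in ((trusted, "WHO = 'trusted'\n"),
                            (attacker_cwd, "WHO = 'attacker'\n")):
        os.makedirs(directory)
        with open(os.path.join(directory, MODULE + ".py"), "w") as fh:
            fh.write(body)
    return trusted, attacker_cwd


def who_wins(search_path, cwd):
    """Report which copy of the module `search_path` selects while the
    process sits in `cwd`: 'trusted', 'attacker', or None if not found."""
    previous = os.getcwd()
    os.chdir(cwd)
    try:
        origin = resolve(MODULE, search_path)
    finally:
        os.chdir(previous)
    if origin is None:
        return None
    # Compare by directory name rather than full path so symlinked temp
    # directories (e.g. /var -> /private/var) do not confuse the check.
    parent = os.path.basename(os.path.dirname(origin))
    return "attacker" if parent == "attacker_cwd" else "trusted"


def run_demo():
    """Exercise each strategy against the two sys.path shapes the thread
    describes.  'linux': PySys_SetArgv prepended ''.  'freebsd': realpath('')
    yielded a real directory instead; approximated here by prepending the
    attacker's cwd itself (an assumption, the page gives no exact string)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trusted, attacker_cwd = build_layout(root)
        linux_path = ["", trusted]
        freebsd_path = [attacker_cwd, trusted]
        marker_path = [MARKER_DIR, trusted]
        results["unpatched"] = who_wins(linux_path, attacker_cwd)
        results["scrub_empty/linux"] = who_wins(scrub_empty(linux_path), attacker_cwd)
        results["scrub_empty/freebsd"] = who_wins(scrub_empty(freebsd_path), attacker_cwd)
        results["scrub_first/freebsd"] = who_wins(scrub_first(freebsd_path), attacker_cwd)
        results["scrub_marker"] = who_wins(scrub_marker(marker_path), attacker_cwd)
    return results


if __name__ == "__main__":
    for case, winner in run_demo().items():
        print(f"{case:22s} -> {winner}")
```

scrub_empty() is the logic the follow-up describes as broken on FreeBSD: it only helps when the prepended entry is literally ''. scrub_first() is the first alternative suggested and has to run immediately after PySys_SetArgv, before any other code touches sys.path. scrub_marker() is the Vim-style approach; it is robust because a directory that cannot exist is never canonicalized by realpath() into something else, so the entry to remove is known before the interpreter inserts it.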