Debian Bug report logs - #504363
epiphany-browser: Python plugins load modules from current directory


Package: epiphany-browser; Maintainer for epiphany-browser is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for epiphany-browser is src:epiphany-browser.

Reported by: James Vega <jamessan@debian.org>

Date: Mon, 3 Nov 2008 02:48:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions epiphany-browser/2.22.3-6, epiphany-browser/2.14.3-5

Fixed in version epiphany-browser/2.22.3-7

Done: Josselin Mouette <joss@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org:
Bug#504363; Package ephiphany-browser. (Mon, 03 Nov 2008 02:48:04 GMT)


Acknowledgement sent to James Vega <jamessan@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, unknown-package@qa.debian.org. (Mon, 03 Nov 2008 02:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: submit@bugs.debian.org
Subject: epiphany-browser: Python plugins load modules from current directory
Date: Sun, 2 Nov 2008 21:42:41 -0500
Package: ephiphany-browser
Version: 2.22.3-6
Severity: grave
Tags: security patch upstream
Justification: user security hole
Usertags: pythonpath

Epiphany's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename.  This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module epiphany
tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[sanitize_sys.path.diff (text/x-diff, attachment)]

Bug marked as found in version 2.14.3-5. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 02:57:06 GMT)


Bug reassigned from package `ephiphany-browser' to `epiphany-browser'. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 02:57:08 GMT)


Bug marked as found in version 2.14.3-5. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 02:57:09 GMT)


Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Mon, 10 Nov 2008 15:33:08 GMT)


Notification sent to James Vega <jamessan@debian.org>:
Bug acknowledged by developer. (Mon, 10 Nov 2008 15:33:09 GMT)


Message #16 received at 504363-close@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: 504363-close@bugs.debian.org
Subject: Bug#504363: fixed in epiphany-browser 2.22.3-7
Date: Mon, 10 Nov 2008 15:02:04 +0000
Source: epiphany-browser
Source-Version: 2.22.3-7

We believe that the bug you reported is fixed in the latest version of
epiphany-browser, which is due to be installed in the Debian FTP archive:

epiphany-browser-data_2.22.3-7_all.deb
  to pool/main/e/epiphany-browser/epiphany-browser-data_2.22.3-7_all.deb
epiphany-browser-dbg_2.22.3-7_amd64.deb
  to pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.3-7_amd64.deb
epiphany-browser-dev_2.22.3-7_all.deb
  to pool/main/e/epiphany-browser/epiphany-browser-dev_2.22.3-7_all.deb
epiphany-browser_2.22.3-7.diff.gz
  to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7.diff.gz
epiphany-browser_2.22.3-7.dsc
  to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7.dsc
epiphany-browser_2.22.3-7_all.deb
  to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7_all.deb
epiphany-gecko_2.22.3-7_amd64.deb
  to pool/main/e/epiphany-browser/epiphany-gecko_2.22.3-7_amd64.deb
epiphany-webkit_2.22.3-7_amd64.deb
  to pool/main/e/epiphany-browser/epiphany-webkit_2.22.3-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504363@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated epiphany-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 10 Nov 2008 15:29:28 +0100
Source: epiphany-browser
Binary: epiphany-browser epiphany-gecko epiphany-webkit epiphany-browser-data epiphany-browser-dev epiphany-browser-dbg
Architecture: source amd64 all
Version: 2.22.3-7
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 epiphany-browser - Intuitive web browser - dummy package
 epiphany-browser-data - Data files for the GNOME web browser
 epiphany-browser-dbg - Debugging symbols for the GNOME web browser
 epiphany-browser-dev - Development files for the GNOME web browser
 epiphany-gecko - Intuitive GNOME web browser - Gecko version
 epiphany-webkit - Intuitive GNOME web browser - webkit version
Closes: 504363
Changes: 
 epiphany-browser (2.22.3-7) unstable; urgency=low
 .
   [ Josselin Mouette ]
   * certManager.js: fix JS variable declaration.
 .
   [ Emilio Pozuelo Monfort ]
   * debian/control.in: move Homepage field to the source stanza.
 .
   [ Josselin Mouette ]
   * 08_python_path.patch: new patch by James Vega. Disable relative
     imports in the python code. Closes: #504363.





Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#504363; Package epiphany-browser. (Sat, 22 Nov 2008 02:06:05 GMT)


Acknowledgement sent to Diego Escalante Urrelo <dieguito@gmail.com>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Sat, 22 Nov 2008 02:06:05 GMT)


Message #21 received at 504363@bugs.debian.org:

From: Diego Escalante Urrelo <dieguito@gmail.com>
To: James Vega <jamessan@debian.org>
Cc: 504363@bugs.debian.org
Subject: Upstream Python path bugs please
Date: Fri, 21 Nov 2008 21:04:18 -0500
Hey James,

would you please take a minute to file the Python path patches upstream
in bugzilla.gnome.org? We will appreciate it.
Please do so for the following products that share this code: nautilus,
totem, epiphany, eog. I might be missing one, so don't feel restricted
to only those :-).

Thanks in advance!

Diego





Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#504363; Package epiphany-browser. (Thu, 04 Dec 2008 20:27:06 GMT)


Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Thu, 04 Dec 2008 20:27:07 GMT)


Message #26 received at 504363@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: 503632@bugs.debian.org, 504251@bugs.debian.org, 504352@bugs.debian.org, 504359@bugs.debian.org, 504363@bugs.debian.org
Subject: Suggested patch isn't applicable to all OSes
Date: Thu, 4 Dec 2008 15:23:47 -0500
As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.

Specifically, it must return NULL when given an empty string for the
path.  At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.

When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).

[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
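
The two libc behaviours discussed in this message and in the original report, compared as an added example (not part of the thread or of the attached patch). It models the resulting `sys.path` as `['', lib]` and `[cwd, lib]`; those lists, the module name `gr_demo_helper` and the helper names are assumptions constructed here.

```python
import os
import tempfile
from importlib.machinery import PathFinder

MODULE = "gr_demo_helper"  # constructed name, stands in for a module the host imports


def drop_empty(path):
    """Fix as first proposed in the report: remove empty entries."""
    return [p for p in path if p]


def drop_first(path):
    """Fix suggested in the follow-up: remove the entry PySys_SetArgv prepended."""
    return path[1:]


def loads_from(path):
    """Directory that `import MODULE` would be satisfied from on this search path."""
    spec = PathFinder.find_spec(MODULE, path)
    return os.path.dirname(spec.origin) if spec else None


def compare_fixes():
    """Return {(libc, fix): True if MODULE resolves to the trusted directory}."""
    results = {}
    with tempfile.TemporaryDirectory() as cwd, tempfile.TemporaryDirectory() as lib:
        cwd, lib = os.path.realpath(cwd), os.path.realpath(lib)
        for d in (cwd, lib):  # same module name in both places, harmless contents
            with open(os.path.join(d, MODULE + ".py"), "w") as f:
                f.write("WHERE = %r\n" % d)
        # Modelled sys.path after PySys_SetArgv with an unresolvable argv[0]
        paths = {
            "sus": ["", lib],       # realpath("") fails, '' is prepended
            "freebsd": [cwd, lib],  # realpath("") yields the working directory
        }
        old = os.getcwd()
        os.chdir(cwd)  # '' on the search path means "current directory"
        try:
            for libc, path in paths.items():
                for fix in (list, drop_empty, drop_first):  # list = no fix applied
                    results[(libc, fix.__name__)] = loads_from(fix(path)) == lib
        finally:
            os.chdir(old)
    return results


if __name__ == "__main__":
    for key, safe in sorted(compare_fixes().items()):
        print(key, "trusted directory" if safe else "working directory wins")
```

Filtering empty strings restores the trusted lookup only in the `sus` case; dropping the prepended element restores it in both.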

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#504363; Package epiphany-browser. (Thu, 04 Dec 2008 20:33:03 GMT)


Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Thu, 04 Dec 2008 20:33:03 GMT)


Message #31 received at 504363@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: Diego Escalante Urrelo <dieguito@gmail.com>
Cc: 504363@bugs.debian.org
Subject: Re: Upstream Python path bugs please
Date: Thu, 4 Dec 2008 15:28:31 -0500
On Fri, Nov 21, 2008 at 09:04:18PM -0500, Diego Escalante Urrelo wrote:
> would you please take a minute to file the Python path patches upstream
> in bugzilla.gnome.org? We will appreciate it.

I don't have a bugzilla account for Gnome and would appreciate it if the
package maintainers could push this upstream instead as they likely
already have one.

> Please do so for the following products that share this code: nautilus,
> totem, epiphany, eog. I might be missing one, so don't feel restricted
> to only those :-).

I'm still working through the list of packages I've found albeit not as
fast as I would've liked.  All of the projects you mentioned are in the
list and will (if they haven't already) have Debian bugs opened for
the problem.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:37:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:34:58 2025; Machine Name: buxtehude
