Debian Bug report logs - #661272
python-virtualenv: security fix leaves behind orphaned temporary directories

Package: python-virtualenv; Maintainer for python-virtualenv is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-virtualenv is src:python-virtualenv.

Reported by: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 25 Feb 2012 19:51:01 UTC

Severity: normal

Tags: upstream

Found in version python-virtualenv/1.6-1

Fixed in versions python-virtualenv/1.7.1.2-1, python-virtualenv/1.4.9-3squeeze1

Done: Stefano Rivera <stefanor@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/pypa/virtualenv/pull/231



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#661272; Package python-virtualenv. (Sat, 25 Feb 2012 19:51:04 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 25 Feb 2012 19:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: submit@bugs.debian.org
Cc: 652653@bugs.debian.org, debian-release@lists.debian.org
Subject: python-virtualenv: security fix leaves behind orphaned temporary directories
Date: Sat, 25 Feb 2012 19:47:01 +0000

Package: python-virtualenv
Version: 1.6-1

[Let's make this a proper bug report]

On Tue, 2011-12-20 at 20:18 +0000, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> > 
> > the old code didn't do it as well,
> 
> Well, trying to remove /tmp would be a silly idea. ;-)
> 
> > I can update the patch to remove it
> 
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

Regards,

Adam
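
The cleanup gap discussed in this message, as an added example that is not part of the thread and is not code from virtualenv or from the Debian patch: a `mkdtemp()` call that leaves its directory behind, next to the same call wrapped so the directory is removed on success and on failure. The function names, the `venv-build-` prefix and the sandbox parent directory are assumptions made for the illustration.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager

PREFIX = "venv-build-"  # hypothetical prefix, chosen for this example


def build_leaky(parent, payload):
    """mkdtemp() gives a private, unpredictably named directory,
    but nothing ever removes it: the orphan this bug describes."""
    workdir = tempfile.mkdtemp(prefix=PREFIX, dir=parent)
    with open(os.path.join(workdir, "setup.out"), "wb") as fh:
        fh.write(payload)
    return workdir


@contextmanager
def private_workdir(parent):
    """Same mkdtemp() call, with removal guaranteed on success or error."""
    workdir = tempfile.mkdtemp(prefix=PREFIX, dir=parent)
    try:
        yield workdir
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def build_clean(parent, payload, fail=False):
    with private_workdir(parent) as workdir:
        with open(os.path.join(workdir, "setup.out"), "wb") as fh:
            fh.write(payload)
        if fail:
            raise RuntimeError("simulated build failure")
    return workdir  # path no longer exists at this point


def demo():
    parent = tempfile.mkdtemp(prefix="demo-parent-")  # sandbox, not the real /tmp
    try:
        leaked = build_leaky(parent, b"constructed sample data")
        mode = os.stat(leaked).st_mode & 0o777
        build_clean(parent, b"constructed sample data")
        try:
            build_clean(parent, b"constructed sample data", fail=True)
        except RuntimeError:
            pass
        return {"mode": mode, "leftover": os.listdir(parent), "leaked": os.path.basename(leaked)}
    finally:
        shutil.rmtree(parent, ignore_errors=True)
```

After `demo()` runs, the only entry left in the sandbox is the directory from `build_leaky()`; both `build_clean()` calls, including the one that raised, removed theirs.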





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#661272; Package python-virtualenv. (Sat, 25 Feb 2012 20:18:03 GMT)

Acknowledgement sent to Stefano Rivera <stefanor@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 25 Feb 2012 20:18:03 GMT)

Message #10 received at 661272@bugs.debian.org:

From: Stefano Rivera <stefanor@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 661272@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#661272: python-virtualenv: security fix leaves behind orphaned temporary directories
Date: Sat, 25 Feb 2012 22:15:13 +0200

tag 661272 upstream
forwarded 661272 https://github.com/pypa/virtualenv/pull/231
thanks

> > That would be good, although in that case the change should be made in
> > unstable first (and pushed upstream?).

Pushed upstream.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559  UCT: x3127




Added tag(s) upstream. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Sat, 25 Feb 2012 20:18:05 GMT)

Set Bug forwarded-to-address to 'https://github.com/pypa/virtualenv/pull/231'. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Sat, 25 Feb 2012 20:18:05 GMT)

Added tag(s) pending. Request was from stefanor@users.alioth.debian.org to control@bugs.debian.org. (Sun, 22 Apr 2012 15:33:07 GMT)

Reply sent to Stefano Rivera <stefanor@debian.org>:
You have taken responsibility. (Sun, 22 Apr 2012 18:03:11 GMT)

Notification sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Bug acknowledged by developer. (Sun, 22 Apr 2012 18:03:11 GMT)

Message #21 received at 661272-close@bugs.debian.org:

From: Stefano Rivera <stefanor@debian.org>
To: 661272-close@bugs.debian.org
Subject: Bug#661272: fixed in python-virtualenv 1.7.1.2-1
Date: Sun, 22 Apr 2012 18:02:36 +0000

Source: python-virtualenv
Source-Version: 1.7.1.2-1

We believe that the bug you reported is fixed in the latest version of
python-virtualenv, which is due to be installed in the Debian FTP archive:

python-virtualenv_1.7.1.2-1.debian.tar.gz
  to main/p/python-virtualenv/python-virtualenv_1.7.1.2-1.debian.tar.gz
python-virtualenv_1.7.1.2-1.dsc
  to main/p/python-virtualenv/python-virtualenv_1.7.1.2-1.dsc
python-virtualenv_1.7.1.2-1_all.deb
  to main/p/python-virtualenv/python-virtualenv_1.7.1.2-1_all.deb
python-virtualenv_1.7.1.2.orig.tar.gz
  to main/p/python-virtualenv/python-virtualenv_1.7.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefanor@debian.org> (supplier of updated python-virtualenv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 22 Apr 2012 17:34:40 +0200
Source: python-virtualenv
Binary: python-virtualenv
Architecture: source all
Version: 1.7.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Description: 
 python-virtualenv - Python virtual environment creator
Closes: 661272 663228
Changes: 
 python-virtualenv (1.7.1.2-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * New upstream release. (LP: #986227)
   * d/p/pep3147-dist-packges.patch - Dropped, applied upstream
   * d/p/remove_syspath0_on_reinvoke.patch - Dropped, applied upstream
 .
   [ Stefano Rivera ]
   * system-python.patch: Use /usr/bin/python in the shebang
     (Closes: #663228, LP: #737734)
   * cleanup_tmpdirs.patch: Cleanup temporary working directories
     (Closes: #661272)
     - rebuild_script.patch: Include rebuild_script.py. The tmpdir patch
       touches some embedded files.
     - Rebuild virtualenv.py during package build.
   * Bumped standards version to 3.9.3 (no changes needed).
   * Add myself to Uploaders.
   * Wrap long lists in debian/control.





Reply sent to Stefano Rivera <stefanor@debian.org>:
You have taken responsibility. (Sat, 05 May 2012 12:33:04 GMT)

Notification sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Bug acknowledged by developer. (Sat, 05 May 2012 12:33:12 GMT)

Message #26 received at 661272-close@bugs.debian.org:

From: Stefano Rivera <stefanor@debian.org>
To: 661272-close@bugs.debian.org
Subject: Bug#661272: fixed in python-virtualenv 1.4.9-3squeeze1
Date: Sat, 05 May 2012 11:47:08 +0000

Source: python-virtualenv
Source-Version: 1.4.9-3squeeze1

We believe that the bug you reported is fixed in the latest version of
python-virtualenv, which is due to be installed in the Debian FTP archive:

python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
python-virtualenv_1.4.9-3squeeze1.dsc
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1.dsc
python-virtualenv_1.4.9-3squeeze1_all.deb
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefanor@debian.org> (supplier of updated python-virtualenv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 04 May 2012 20:31:24 +0200
Source: python-virtualenv
Binary: python-virtualenv
Architecture: source all
Version: 1.4.9-3squeeze1
Distribution: stable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Description: 
 python-virtualenv - Python virtual environment creator
Closes: 652653 661272
Changes: 
 python-virtualenv (1.4.9-3squeeze1) stable; urgency=high
 .
   [ Piotr Ożarowski ]
   * Apply upstream's 8be37c509fe5 commit (to use proper temp. dir instead of
     /tmp) (CVE-2011-4617, Closes: #652653)
 .
   [ Stefano Rivera ]
   * Team upload.
   * Backport cleanup_tmpdirs.patch from 1.7.1.2-1.
     Cleanup temporary working directories. (Closes: #661272)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jun 2012 07:38:21 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:44:18 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.