[CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp


Debian Bug report logs - #786858


Reported by: Martin Pitt <mpitt@debian.org>

Date: Tue, 26 May 2015 07:21:02 UTC

Severity: normal

Tags: patch

Found in version python-dbusmock/0.11.4-1

Fixed in versions 0.15.1-1, python-dbusmock/0.11.4-1+deb8u1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#786858; Package python3-dbusmock. (Tue, 26 May 2015 07:21:07 GMT)


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 26 May 2015 07:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: [CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp
Date: Tue, 26 May 2015 09:19:02 +0200
Package: python3-dbusmock
Version: 0.11.4-1
Tags: patch

Forwarding mail to security team as a bug, as Salvatore Bonaccorso
prefers handling this via a stable update.


Simon McVittie found a potentially exploitable bug with loading custom
dbusmock templates: When a user is tricked into loading a template
from a world-writable directory like /tmp, an attacker could run
arbitrary code with the user's privileges by putting a crafted .pyc
file into that directory.

Note that this is highly unlikely to actually appear in practice
as custom dbusmock templates are usually shipped in project
directories, not directly in world-writable directories. Hence we
decided to immediately make this bug public and don't aim for a
coordinated release date.

Original bug report with the details: https://launchpad.net/bugs/1453815

CVE-2015-1326
Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093
              (included in 0.15.1 upstream release)
unstable: fixed in 0.15.1-1 which I just uploaded
oldstable: not affected, python-dbusmock has only existed since jessie

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
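The mechanism in this report is Python's import machinery reading and writing `__pycache__/*.pyc` next to whatever file a template is loaded from. The example below is added here and is not python-dbusmock's own code: it loads a template module from its source text only, so no bytecode cache is consulted or written, and adds an assumed ownership/permission check on the template's directory. The template contents and all function names are constructed for this illustration.

```python
import os
import stat
import tempfile
import types

# Constructed template in dbusmock's template shape (BUS_NAME, load()); not a real one.
TEMPLATE_SRC = (
    "BUS_NAME = 'org.example.Constructed'\n"
    "def load(mock, parameters):\n"
    "    return 'loaded from source'\n"
)


def load_template_from_source(path):
    """Execute the template's source text in a fresh module object.

    compile() + exec() never consults or writes __pycache__/*.pyc, so a
    bytecode file planted beside the template is simply never looked at.
    """
    with open(path, "rb") as f:
        source = f.read()
    mod = types.ModuleType(os.path.splitext(os.path.basename(path))[0])
    mod.__file__ = path
    exec(compile(source, path, "exec"), mod.__dict__)
    return mod


def template_dir_is_trusted(path):
    """Assumed extra guard: the directory holding the template must be owned
    by the current user or root and must not be writable by other users."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    owner_ok = st.st_uid in (os.getuid(), 0)
    return owner_ok and not (st.st_mode & stat.S_IWOTH)


def demo():
    """Write the constructed template into a private temp dir and load it."""
    with tempfile.TemporaryDirectory() as d:      # created with mode 0700
        tmpl = os.path.join(d, "mytemplate.py")
        with open(tmpl, "w") as f:
            f.write(TEMPLATE_SRC)
        trusted_private = template_dir_is_trusted(tmpl)
        mod = load_template_from_source(tmpl)
        cache_created = os.path.exists(os.path.join(d, "__pycache__"))
        os.chmod(d, 0o1777)  # now shaped like /tmp: world-writable plus sticky bit
        trusted_world_writable = template_dir_is_trusted(tmpl)
        return {"bus_name": mod.BUS_NAME, "result": mod.load(None, {}),
                "cache_created": cache_created,
                "trusted_private": trusted_private,
                "trusted_world_writable": trusted_world_writable}
```

The sticky bit on /tmp does not help here, since an attacker can still create their own `__pycache__` directory there; that is why the check rejects any world-writable directory regardless of the sticky bit.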

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Tue, 26 May 2015 07:33:19 GMT)


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (Tue, 26 May 2015 07:33:19 GMT)


Message #10 received at 786858-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 786858-done@bugs.debian.org
Subject: Re: Bug#786858: Acknowledgement ([CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp)
Date: Tue, 26 May 2015 09:28:09 +0200
Version: 0.15.1-1

This was fixed in unstable/testing in

 python-dbusmock (0.15.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - SECURITY FIX: When loading a template from an arbitrary file through the
       AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
       Python method, don't create or use Python's *.pyc cached files. By
       tricking a user into loading a template from a world-writable directory
       like /tmp, an attacker could run arbitrary code with the user's
       privileges by putting a crafted .pyc file into that directory.
 .
       Note that this is highly unlikely to actually appear in practice as custom
       dbusmock templates are usually shipped in project directories, not
       directly in world-writable directories.
       (LP: #1453815, CVE-2015-1326)

The stable upload will also add this Debian bug reference.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)



Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Tue, 26 May 2015 12:51:20 GMT)


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (Tue, 26 May 2015 12:51:21 GMT)


Message #15 received at 786858-close@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 786858-close@bugs.debian.org
Subject: Bug#786858: fixed in python-dbusmock 0.11.4-1+deb8u1
Date: Tue, 26 May 2015 12:47:06 +0000
Source: python-dbusmock
Source-Version: 0.11.4-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-dbusmock, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 786858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated python-dbusmock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 26 May 2015 09:26:11 +0200
Source: python-dbusmock
Binary: python-dbusmock python3-dbusmock
Architecture: source all
Version: 0.11.4-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description:
 python-dbusmock - mock D-Bus objects for tests (Python 2)
 python3-dbusmock - mock D-Bus objects for tests (Python 3)
Closes: 786858
Changes:
 python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium
 .
   * SECURITY FIX: When loading a template from an arbitrary file through the
     AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
     Python method, don't create or use Python's *.pyc cached files. By
     tricking a user into loading a template from a world-writable directory
     like /tmp, an attacker could run arbitrary code with the user's
     privileges by putting a crafted .pyc file into that directory.
 .
     Note that this is highly unlikely to actually appear in practice as custom
     dbusmock templates are usually shipped in project directories, not
     directly in world-writable directories.
     (Closes: #786858, LP: #1453815, CVE-2015-1326)
   * Add debian/gbp.conf for "jessie" packaging branch.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Jun 2015 07:29:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:16 2019; Machine Name: beach
