CVE-2009-0314: Untrusted search path vulnerability

Related Vulnerabilities: CVE-2009-0314   CVE-2008-5983  

Debian Bug report logs - #513513


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Thu, 29 Jan 2009 18:42:07 UTC

Severity: grave

Fixed in versions gedit/2.22.3-2, gedit/2.22.3-1+lenny1, gedit/2.24.3-1

Done: Josselin Mouette <joss@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=569214



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#513513; Package gedit. (Thu, 29 Jan 2009 18:42:10 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 29 Jan 2009 18:42:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0314: Untrusted search path vulnerability
Date: Thu, 29 Jan 2009 13:39:57 -0500
Package: gedit
Severity: important

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gedit.

CVE-2009-0314[0]:
| Untrusted search path vulnerability in the Python module in gedit
| allows local users to execute arbitrary code via a Trojan horse Python
| file in the current working directory, related to a vulnerability in
| the PySys_SetArgv function (CVE-2008-5983).

There is more information in the Red Hat bug report[1], including a
patch[2].

For stable, this issue could be fixed via stable-proposed-updates. It
seems that the vulnerable function is gedit_python_module_init_python().

For lenny, it could be fixed via migration from unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0314
    http://security-tracker.debian.net/tracker/CVE-2009-0314
[1] https://bugzilla.redhat.com/show_bug.cgi?id=481556
[2] https://bugzilla.redhat.com/attachment.cgi?id=330031




Noted your statement that Bug has been forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=569214. Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Mon, 02 Feb 2009 15:45:02 GMT)


Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 03 Feb 2009 20:46:46 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#513513; Package gedit. (Wed, 04 Feb 2009 17:24:02 GMT)


Acknowledgement sent to <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 04 Feb 2009 17:24:02 GMT)


Message #14 received at 513513@bugs.debian.org:

From: <marcos.marado@sonae.com>
To: <513513@bugs.debian.org>
Subject: Re: CVE-2009-0314: Untrusted search path vulnerability
Date: Wed, 4 Feb 2009 17:19:15 +0000

Just a heads up,

Upstream has a patch confirmed to fix this issue:
http://bugzilla.gnome.org/attachment.cgi?id=127294&action=view

Best regards,
-- 
Marcos Marado




Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Wed, 04 Feb 2009 17:54:07 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Wed, 04 Feb 2009 17:54:08 GMT)


Message #19 received at 513513-close@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: 513513-close@bugs.debian.org
Subject: Bug#513513: fixed in gedit 2.22.3-2
Date: Wed, 04 Feb 2009 17:47:04 +0000
Source: gedit
Source-Version: 2.22.3-2

We believe that the bug you reported is fixed in the latest version of
gedit, which is due to be installed in the Debian FTP archive:

gedit-common_2.22.3-2_all.deb
  to pool/main/g/gedit/gedit-common_2.22.3-2_all.deb
gedit-dev_2.22.3-2_all.deb
  to pool/main/g/gedit/gedit-dev_2.22.3-2_all.deb
gedit_2.22.3-2.diff.gz
  to pool/main/g/gedit/gedit_2.22.3-2.diff.gz
gedit_2.22.3-2.dsc
  to pool/main/g/gedit/gedit_2.22.3-2.dsc
gedit_2.22.3-2_amd64.deb
  to pool/main/g/gedit/gedit_2.22.3-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated gedit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 04 Feb 2009 16:34:44 +0100
Source: gedit
Binary: gedit gedit-common gedit-dev
Architecture: source all amd64
Version: 2.22.3-2
Distribution: unstable
Urgency: low
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 gedit      - official text editor of the GNOME desktop environment
 gedit-common - official text editor of the GNOME desktop environment (support fi
 gedit-dev  - official text editor of the GNOME desktop environment (developmen
Closes: 513513
Changes: 
 gedit (2.22.3-2) unstable; urgency=low
 .
   [ Loic Minier ]
   * Replace homepage pseudo-field in description with a real source field in
     control.
   * Add note that dh_pysupport call should be made package specific or moved
     to a different target.
 .
   [ Josselin Mouette ]
   * debian/patches/02_python_path.patch: new patch. Pass GEDIT_PLUGINDIR
     to PySys_SetArgv as a big hackish workaround to CVE-2009-0314.
      Closes: #513513.
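The search-path behaviour named in the CVE text and the GEDIT_PLUGINDIR workaround recorded in the changelog above, modelled in Python as an added example (not code from gedit, CPython or this bug log). The model leaves out symlink resolution, and BASE_PATH, PLUGINDIR_PLACEHOLDER and USER_CWD are constructed sample values.

```python
"""Model of how PySys_SetArgv picks sys.path[0], plus a search-path audit.

Added illustration, not gedit or CPython code. Symlink/realpath handling
is left out of the model.
"""
import posixpath


def setargv_path0(argv0):
    """Directory that PySys_SetArgv would prepend to sys.path for argv0.

    The part of argv0 before its last '/' is used. With no '/' at all the
    result is '', which the import system reads as "current directory".
    """
    if not argv0 or argv0 == "-c":
        return ""
    cut = argv0.rfind("/")
    if cut < 0:
        return ""
    return argv0[:cut] if cut > 0 else "/"


def effective_path(argv0, base_path):
    """sys.path as seen by plugins after the embedding call."""
    return [setargv_path0(argv0)] + list(base_path)


def cwd_dependent_entries(sys_path, cwd):
    """Return (index, entry) for entries that resolve to the working directory.

    Relative entries ('' and '.' included) are resolved against cwd at import
    time, so whoever controls cwd controls what gets imported from them.
    """
    cwd = posixpath.normpath(cwd)
    flagged = []
    for index, entry in enumerate(sys_path):
        resolved = posixpath.normpath(posixpath.join(cwd, entry))
        if not posixpath.isabs(entry) or resolved == cwd:
            flagged.append((index, entry))
    return flagged


# Constructed sample values: the interpreter's default path, a stand-in for
# the build-time GEDIT_PLUGINDIR value, and a directory a file was opened from.
BASE_PATH = ["/usr/lib/python2.5", "/usr/lib/python2.5/site-packages"]
PLUGINDIR_PLACEHOLDER = "/usr/lib/gedit-2/plugins"
USER_CWD = "/home/user/Downloads"

if __name__ == "__main__":
    for argv0 in ("gedit", PLUGINDIR_PLACEHOLDER):
        path = effective_path(argv0, BASE_PATH)
        print(argv0, "->", path[0] or "''", cwd_dependent_entries(path, USER_CWD))
```

Later CPython releases added PySys_SetArgvEx, whose updatepath argument set to 0 skips the sys.path change altogether.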





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sat, 07 Feb 2009 11:45:05 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 07 Feb 2009 11:45:05 GMT)


Message #24 received at 513513-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 513513-close@bugs.debian.org
Subject: Bug#513513: fixed in gedit 2.22.3-1+lenny1
Date: Sat, 07 Feb 2009 11:32:17 +0000
Source: gedit
Source-Version: 2.22.3-1+lenny1

We believe that the bug you reported is fixed in the latest version of
gedit, which is due to be installed in the Debian FTP archive:

gedit-common_2.22.3-1+lenny1_all.deb
  to pool/main/g/gedit/gedit-common_2.22.3-1+lenny1_all.deb
gedit-dev_2.22.3-1+lenny1_all.deb
  to pool/main/g/gedit/gedit-dev_2.22.3-1+lenny1_all.deb
gedit_2.22.3-1+lenny1.diff.gz
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1.diff.gz
gedit_2.22.3-1+lenny1.dsc
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1.dsc
gedit_2.22.3-1+lenny1_amd64.deb
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gedit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 06 Feb 2009 19:48:21 +0100
Source: gedit
Binary: gedit gedit-common gedit-dev
Architecture: source all amd64
Version: 2.22.3-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gedit      - official text editor of the GNOME desktop environment
 gedit-common - official text editor of the GNOME desktop environment (support fi
 gedit-dev  - official text editor of the GNOME desktop environment (developmen
Closes: 513513
Changes: 
 gedit (2.22.3-1+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Pass GEDIT_PLUGINDIR instead of gedit to PySys_SetArgv
     to workaround an insecure search path vulnerability
     (02_CVE-2009-0314.patch; Closes: #513513).
   * Note that this update changes the Uploader field, this is
     not related to the security fix but to the build system used
     by the gedit maintainers.





Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Sun, 15 Mar 2009 17:12:20 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 15 Mar 2009 17:12:20 GMT)


Message #29 received at 513513-close@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: 513513-close@bugs.debian.org
Subject: Bug#513513: fixed in gedit 2.24.3-1
Date: Sun, 15 Mar 2009 16:19:19 +0000
Source: gedit
Source-Version: 2.24.3-1

We believe that the bug you reported is fixed in the latest version of
gedit, which is due to be installed in the Debian FTP archive:

gedit-common_2.24.3-1_all.deb
  to pool/main/g/gedit/gedit-common_2.24.3-1_all.deb
gedit-dev_2.24.3-1_all.deb
  to pool/main/g/gedit/gedit-dev_2.24.3-1_all.deb
gedit_2.24.3-1.diff.gz
  to pool/main/g/gedit/gedit_2.24.3-1.diff.gz
gedit_2.24.3-1.dsc
  to pool/main/g/gedit/gedit_2.24.3-1.dsc
gedit_2.24.3-1_amd64.deb
  to pool/main/g/gedit/gedit_2.24.3-1_amd64.deb
gedit_2.24.3.orig.tar.gz
  to pool/main/g/gedit/gedit_2.24.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated gedit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 15 Mar 2009 12:17:40 +0100
Source: gedit
Binary: gedit gedit-common gedit-dev
Architecture: source all amd64
Version: 2.24.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 gedit      - official text editor of the GNOME desktop environment
 gedit-common - official text editor of the GNOME desktop environment (support fi
 gedit-dev  - official text editor of the GNOME desktop environment (developmen
Closes: 510572 513513
Changes: 
 gedit (2.24.3-1) unstable; urgency=low
 .
   * 02_externaltools_locale.patch: new patch. Use LC_MESSAGES to
     determine the current language for the external tools.
     Closes: #510572.
   * New upstream release.
   * 03_python_path.patch: new patch. Pass GEDIT_PLUGINDIR
     to PySys_SetArgv as a big hackish workaround to CVE-2009-0314.
     Closes: #513513.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 May 2009 07:28:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:25:20 2019; Machine Name: beach
