lookatme: CVE-2020-15271


Debian Bug report logs - #972988

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 26 Oct 2020 21:15:01 UTC

Severity: grave

Tags: security, upstream

Found in version lookatme/1.2.0-1

Fixed in version lookatme/2.3.0-1

Done: Reiner Herrmann <reiner@reiner-h.de>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Reiner Herrmann <reiner@reiner-h.de>:
Bug#972988; Package src:lookatme. (Mon, 26 Oct 2020 21:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Reiner Herrmann <reiner@reiner-h.de>. (Mon, 26 Oct 2020 21:15:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lookatme: CVE-2020-15271
Date: Mon, 26 Oct 2020 22:11:12 +0100
Source: lookatme
Version: 1.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for lookatme.

CVE-2020-15271[0]:
| In lookatme (python/pypi package) versions prior to 2.3.0, the package
| automatically loaded the built-in "terminal" and "file_loader"
| extensions. Users that use lookatme to render untrusted markdown may
| have malicious shell commands automatically run on their system. This
| is fixed in version 2.3.0. As a workaround, the
| `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py`
| files may be manually deleted. Additionally, it is always recommended
| to be aware of what is being rendered with lookatme.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15271
[1] https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
[2] https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
[3] https://github.com/d0c-s4vage/lookatme/pull/110

Regards,
Salvatore



Added tag(s) pending. Request was from Reiner Herrmann <reiner@reiner-h.de> to control@bugs.debian.org. (Mon, 26 Oct 2020 21:33:04 GMT) (full text, mbox, link).


Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Fri, 30 Oct 2020 17:21:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 30 Oct 2020 17:21:03 GMT) (full text, mbox, link).


Message #12 received at 972988-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972988-close@bugs.debian.org
Subject: Bug#972988: fixed in lookatme 2.3.0-1
Date: Fri, 30 Oct 2020 17:18:56 +0000
Source: lookatme
Source-Version: 2.3.0-1
Done: Reiner Herrmann <reiner@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
lookatme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972988@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated lookatme package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 23 Oct 2020 17:25:58 +0200
Source: lookatme
Architecture: source
Version: 2.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Reiner Herrmann <reiner@reiner-h.de>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Closes: 972988
Changes:
 lookatme (2.3.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - no longer automatically load "terminal" and "file_loader" extensions,
       which would run commands inside the documents (CVE-2020-15271).
       (Closes: #972988)
   * Drop patch applied in new upstream version.
   * Document copyright of nasa_orion.jpg.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 11:12:02 2020; Machine Name: bembo