nautilus-python: CVE-2009-0317 untrusted search path vulnerability

Debian Bug report logs - #513419
nautilus-python: CVE-2009-0317 untrusted search path vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: nautilus-python: CVE-2009-0317 untrusted search path vulnerability

Date: Wed, 28 Jan 2009 23:12:16 +0100

[Message part 1 (text/plain, inline)]

Package: nautilus-python
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nautilus-python.

CVE-2009-0317[0]:
| Untrusted search path vulnerability in the Python language bindings
| for Nautilus (nautilus-python) allows local users to execute arbitrary
| code via a Trojan horse Python file in the current working directory,
| related to a vulnerability in the PySys_SetArgv function
| (CVE-2008-5983).

To fix this you need to patch src/nautilus-python.c in the 
same way as 
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=CVE-2009-0318.patch;att=1;bug=513418
should be sufficient.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0317
    http://security-tracker.debian.net/tracker/CVE-2009-0317

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 513419@bugs.debian.org (full text, mbox, reply):

From: Evgeni Golov <sargentd@die-welt.net>

To: Nico Golde <nion@debian.org>, 513419@bugs.debian.org

Cc: kibi@debian.org

Subject: Re: Bug#513419: nautilus-python: CVE-2009-0317 untrusted search path vulnerability

Date: Thu, 29 Jan 2009 10:18:41 +0100

[Message part 1 (text/plain, inline)]

Hey *,

On Wed, 28 Jan 2009 23:12:16 +0100 Nico Golde wrote:

> CVE-2009-0317[0]:
> | Untrusted search path vulnerability in the Python language bindings
> | for Nautilus (nautilus-python) allows local users to execute arbitrary
> | code via a Trojan horse Python file in the current working directory,
> | related to a vulnerability in the PySys_SetArgv function
> | (CVE-2008-5983).
> 
> To fix this you need to patch src/nautilus-python.c in the 
> same way as 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=CVE-2009-0318.patch;att=1;bug=513418
> should be sufficient.

Attached is a patch against current version of nautilus-python in
testing/unstable that fixes the issue.
I also attach a patch against 0.5.0 in experimental, but this one is
untested.

Regards
Evgeni

-- 
Bruce Schneier Fact Number 37:
Bruce Schneier's public and private keys are known as "Law" and "Order."

[nautilus-python_CVE-2009-0317_0.5.0.patch (text/x-diff, attachment)]

[nautilus-python_CVE-2009-0317_513419.diff (text/x-diff, attachment)]

[Message part 4 (application/pgp-signature, inline)]

Message #15 received at 513419@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Nico Golde <nion@debian.org>, 513419@bugs.debian.org

Cc: Evgeni Golov <sargentd@die-welt.net>

Subject: Re: Bug#513419: nautilus-python: CVE-2009-0317 untrusted search path vulnerability

Date: Mon, 2 Feb 2009 04:28:17 +0100

[Message part 1 (text/plain, inline)]

Nico Golde <nion@debian.org> (28/01/2009):
> Package: nautilus-python
> Severity: grave
> Tags: security patch

I've just sponsored the package Evgeni has prepared without having it
through the usual “Intent to NMU” way for the following reasons:
 - security RC bugs & patch available;
 - no NACK for the proposed patch during the past days;
 - previous NMU was ACKed in advance, so I guess it won't be a big deal;
 - tight release schedule.

Please find attached the final source debdiff.

Mraw,
KiBi.

[nautilus-python_source.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 513419-close@bugs.debian.org (full text, mbox, reply):

From: Evgeni Golov <sargentd@die-welt.net>

To: 513419-close@bugs.debian.org

Subject: Bug#513419: fixed in nautilus-python 0.4.3-3.2

Date: Mon, 02 Feb 2009 03:32:13 +0000

Source: nautilus-python
Source-Version: 0.4.3-3.2

We believe that the bug you reported is fixed in the latest version of
nautilus-python, which is due to be installed in the Debian FTP archive:

nautilus-python_0.4.3-3.2.diff.gz
  to pool/main/n/nautilus-python/nautilus-python_0.4.3-3.2.diff.gz
nautilus-python_0.4.3-3.2.dsc
  to pool/main/n/nautilus-python/nautilus-python_0.4.3-3.2.dsc
python-nautilus_0.4.3-3.2_amd64.deb
  to pool/main/n/nautilus-python/python-nautilus_0.4.3-3.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513419@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Evgeni Golov <sargentd@die-welt.net> (supplier of updated nautilus-python package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 01 Feb 2009 23:34:17 +0100
Source: nautilus-python
Binary: python-nautilus
Architecture: source amd64
Version: 0.4.3-3.2
Distribution: unstable
Urgency: high
Maintainer: Ross Burton <ross@debian.org>
Changed-By: Evgeni Golov <sargentd@die-welt.net>
Description: 
 python-nautilus - Python binding for Nautilus components
Closes: 513419
Changes: 
 nautilus-python (0.4.3-3.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2009-0317: untrusted search path vulnerability.
     + Added patch: 50_CVE-2009-0317.patch
     + Closes: #513419
   * Urgency high for fixing a security RC bug.
Checksums-Sha1: 
 03ed7734387b2b1377d7b6d390a034c7df665a36 1335 nautilus-python_0.4.3-3.2.dsc
 eb1ba6661bed3dc715ed8eb9424365c0854e93a6 4073 nautilus-python_0.4.3-3.2.diff.gz
 48eb682e5930f294cd03c2d680b3edc28beca67b 24624 python-nautilus_0.4.3-3.2_amd64.deb
Checksums-Sha256: 
 9a2b4c68ee57f5c1ce3d7016833ab8cde9eaed7e06ce587320dd42b8f8b94288 1335 nautilus-python_0.4.3-3.2.dsc
 546e99be158266216d8f3031eb08ab81e7ea0762f79d058af010b3311445319a 4073 nautilus-python_0.4.3-3.2.diff.gz
 12137bf6e430cf5939067118d8cdb0cff254c069c1b7904578fb8e59f50beb76 24624 python-nautilus_0.4.3-3.2_amd64.deb
Files: 
 0fc37e1474dee82c0d02ce4355fb1e7f 1335 gnome optional nautilus-python_0.4.3-3.2.dsc
 0559821c1fd291a70fcabe2f1e9c2404 4073 gnome optional nautilus-python_0.4.3-3.2.diff.gz
 34ac73beba855ff1721127b7b00f6a27 24624 gnome optional python-nautilus_0.4.3-3.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmGZ5IACgkQeGfVPHR5Nd3o9ACfbIgY+al+EcQndxRccRH5hNyG
VwgAn1IfUKceY7UmKEbQVKjvzTfDGvJz
=rmTu
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.