Debian Bug report logs - #777079
jython: CVE-2013-2027


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 4 Feb 2015 20:12:01 UTC

Severity: important

Tags: security, upstream

Found in version jython/2.5.2-1

Fixed in versions jython/2.7.0+repack-1, jython/2.7.1+repack-1

Done: Gilles Filippini <pini@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.jython.org/msg8004




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#777079; Package src:jython. (Wed, 04 Feb 2015 20:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 04 Feb 2015 20:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jython: CVE-2013-2027
Date: Wed, 04 Feb 2015 21:09:40 +0100
Source: jython
Version: 2.5.2-1
Severity: important
Tags: security upstream

Hi

Several issues were mentioned in Red Hat Bugzilla at [0] referencing
the issue which creates executable class files with wrong permissions
with CVE-2013-2027.

At least it seems present in the Debian package that the package
writes to /usr/share. In the SuSE bugzilla[1] there are some links to
fixes applied in SuSE[2].

Could you please double-check the jython package in Debian?

 [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
 [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
 [2] https://build.opensuse.org/request/show/284056

Regards,
Salvatore



Set Bug forwarded-to-address to 'http://bugs.jython.org/msg8004'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Feb 2015 20:18:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#777079; Package src:jython. (Wed, 18 Nov 2015 22:45:07 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 18 Nov 2015 22:45:07 GMT)


Message #12 received at 777079@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 777079@bugs.debian.org
Subject: Re: jython: CVE-2013-2027
Date: Wed, 18 Nov 2015 23:42:04 +0100
On Wed, 04 Feb 2015 21:09:40 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: jython
> Version: 2.5.2-1
> Severity: important
> Tags: security upstream
> 
> Hi
> 
> Several issues were mentioned in Red Hat Bugzilla at [0] referencing
> the issue which creates executable class files with wrong permissions
> with CVE-2013-2027.
> 
> At least it seems present in the Debian package that the package
> writes to /usr/share. In the SuSE bugzilla[1] there are some links to
> fixes applied in SuSE[2].
> 
> Could you please double-check the jython package in Debian?
> 
>  [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
>  [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
>  [2] https://build.opensuse.org/request/show/284056
> 

I had a look at this vulnerability but I couldn't reproduce the attack
vector described at

https://bugzilla.redhat.com/show_bug.cgi?id=947949

The file is still read-only for everyone and group owners.

The patches at

https://build.opensuse.org/request/show/284056
https://bugzilla.redhat.com/show_bug.cgi?id=947949

cannot be applied as is because we use a newer Jython version.

According to upstream

http://bugs.jython.org/issue2044

this issue appears to be resolved in version 2.7 but they give no
details whether this is fixed in the 2.5 series.

I suggest keeping the bug open until 2.7 is packaged, but I don't think
this is an issue for Debian. More feedback is welcome.

Markus

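The two messages above turn on one question: what mode do the compiled `.class` files end up with, and does that depend on the umask of the process that wrote them? The script below is an added example for this bug log; it is not code from Jython, from the Debian package, or from the SUSE/Red Hat patches linked above, and it does not reproduce Jython's actual write path. It shows the generic shape of the bug class in Python: a writer that relies on the inherited umask produces a world-writable file when the umask is 0, a writer that sets an explicit mode does not, and a small audit function reports any `.class` file that is group/world writable or has an executable bit set. The `foo$py.class` name, the `cachedir-*` directory names, and the four-byte file body are constructed for the demo.

```python
"""Audit compiled .class files for permissive modes and show why the umask matters.

Added example for Debian bug #777079 / CVE-2013-2027; not code from Jython or
from the Debian package. Directory and file names below are constructed.
"""
import os
import stat
import tempfile

# A compiled class is data: nobody but the owner should be able to write it,
# and it never needs an executable bit.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_class_files(root):
    """Walk `root` and return [(path, mode_as_octal_string, [reasons])] for every
    .class file that is group/world writable or carries an executable bit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".class"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            reasons = []
            if mode & WRITABLE_BY_OTHERS:
                reasons.append("writable by group/other")
            if mode & EXEC_BITS:
                reasons.append("executable bit set")
            if reasons:
                findings.append((path, oct(mode), reasons))
    return findings


def write_class_naively(path, umask):
    """Writer that trusts the process umask: open() creates with 0o666, so the
    file ends up as 0o666 & ~umask. Under umask 0 that is world-writable."""
    old = os.umask(umask)
    try:
        with open(path, "wb") as fh:
            fh.write(b"\xca\xfe\xba\xbe")  # class-file magic; constructed sample body
    finally:
        os.umask(old)
    return stat.S_IMODE(os.lstat(path).st_mode)


def write_class_hardened(path, umask):
    """Same write, but with an explicit creation mode and a chmod afterwards, so
    the result does not depend on whatever umask the JVM happened to inherit."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"\xca\xfe\xba\xbe")
        os.chmod(path, 0o644)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Create one cache directory per writer under umask 0 and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        naive_dir = os.path.join(tmp, "cachedir-naive")
        hard_dir = os.path.join(tmp, "cachedir-hardened")
        os.makedirs(naive_dir)
        os.makedirs(hard_dir)
        # "foo$py.class" is only a sample name for a compiled module (assumption).
        naive_mode = write_class_naively(os.path.join(naive_dir, "foo$py.class"), 0o000)
        hard_mode = write_class_hardened(os.path.join(hard_dir, "foo$py.class"), 0o000)
        return {
            "naive_mode": naive_mode,
            "hardened_mode": hard_mode,
            "naive_findings": len(audit_class_files(naive_dir)),
            "hardened_findings": len(audit_class_files(hard_dir)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if key.endswith("_mode") else value)
```

To check an installed package rather than the constructed directories, call `audit_class_files()` on the install location (the report above says the Debian package writes under /usr/share, so `/usr/share/jython` is the natural starting point; the exact path is an assumption) and on the Jython cache directory in use. An empty result is what the second message reports: files readable by everyone and group, writable by nobody but the owner.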

Reply sent to Gilles Filippini <pini@debian.org>:
You have taken responsibility. (Sun, 11 Dec 2016 18:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Dec 2016 18:06:03 GMT)


Message #17 received at 777079-close@bugs.debian.org:

From: Gilles Filippini <pini@debian.org>
To: 777079-close@bugs.debian.org
Subject: Bug#777079: fixed in jython 2.7.0+repack-1
Date: Sun, 11 Dec 2016 18:03:51 +0000
Source: jython
Source-Version: 2.7.0+repack-1

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777079@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gilles Filippini <pini@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 11 Dec 2016 17:59:27 +0100
Source: jython
Binary: jython jython-doc
Architecture: source
Version: 2.7.0+repack-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Gilles Filippini <pini@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 777079 800856 827280
Changes:
 jython (2.7.0+repack-1) experimental; urgency=medium
 .
   * New upstream release (closes: #827280, #800856, #777079)
   * Fix debian/watch to repack without extlibs
   * Update debian/copyright
   * Drop patch 02-jnr_refactoring.patch
   * New patch 02-no-class-in-root-package.patch to avoid bnd failure
     when generating OSGi metadata
   * Update patches:
     - 01-build.patch
     - 03-default-cachedir.patch
   * Update dependencies
Checksums-Sha1:
 01d969202be42a801f2243b4fa877cad7e32269c 2101 jython_2.7.0+repack-1.dsc
 4ff5a84e1f336e5986708b0f01fa75c5e07d500f 13737430 jython_2.7.0+repack.orig.tar.gz
 18bef4619108c5e423f54823dbbabd3f7bb0ceb6 18576 jython_2.7.0+repack-1.debian.tar.xz
Checksums-Sha256:
 1ae4f7c339d64f77a660f9497507a3342bdf11c135a7155fe316d944b9ae6a2d 2101 jython_2.7.0+repack-1.dsc
 98753a09449f8f28a86a58be4dfe0af82d6c5ce43f4c82345fa52a5d591709aa 13737430 jython_2.7.0+repack.orig.tar.gz
 5d9c471d361396634186eca905b626b5cad7d4b2883bae236012a5841be46315 18576 jython_2.7.0+repack-1.debian.tar.xz
Files:
 5c42aee78ee04dbe487fb48712423335 2101 python optional jython_2.7.0+repack-1.dsc
 cf4b7fa6af93f0e8e864bed1d65ba513 13737430 python optional jython_2.7.0+repack.orig.tar.gz
 b8e1fe562300f90eba574fec21e47611 18576 python optional jython_2.7.0+repack-1.debian.tar.xz





Reply sent to Gilles Filippini <pini@debian.org>:
You have taken responsibility. (Wed, 13 Sep 2017 21:27:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 13 Sep 2017 21:27:07 GMT)


Message #22 received at 777079-close@bugs.debian.org:

From: Gilles Filippini <pini@debian.org>
To: 777079-close@bugs.debian.org
Subject: Bug#777079: fixed in jython 2.7.1+repack-1
Date: Wed, 13 Sep 2017 21:24:01 +0000
Source: jython
Source-Version: 2.7.1+repack-1

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777079@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gilles Filippini <pini@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 13 Sep 2017 21:56:24 +0200
Source: jython
Binary: jython jython-doc
Architecture: source
Version: 2.7.1+repack-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Gilles Filippini <pini@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 777079 800856 827280
Changes:
 jython (2.7.1+repack-1) experimental; urgency=medium
 .
   * New upstream release (closes: #827280, #800856, #777079)
   * Fix debian/watch to repack without extlibs
   * Update debian/copyright
   * Drop patches:
     - 02-jnr_refactoring.patch (fixed upstream)
     - CVE-2016-4000.patch (fixed upstream)
   * New patch 05-no-com.carrotsearch.sizeof.patch dropping the new
     jython modified version of getsizeof because of missing package
     java-sizeof in Debian
   * Update patches:
     - 01-build.patch
     - 03-default-cachedir.patch
     - 04-runtime-classpath.patch
   * Fix dependencies and run-time classpath
Checksums-Sha1:
 1cb5fff3f7e6a8775f172fc38a5d9da8a4e16552 2111 jython_2.7.1+repack-1.dsc
 5f5d03e973b4fda5e042f0442098ef3b9e939f86 14181609 jython_2.7.1+repack.orig.tar.gz
 25f7bb1ec4595dcfb027161a5a3be01ee228ec92 20184 jython_2.7.1+repack-1.debian.tar.xz
 41c1e34213b59696518bed0481b30469e08807da 6716 jython_2.7.1+repack-1_source.buildinfo
Checksums-Sha256:
 62891869d1e128fbac40a8b2fe5cd0a682b59a4ff93517655429913855eeb370 2111 jython_2.7.1+repack-1.dsc
 4ce7da3fd855e2f2ae7304944956d813dd868c24fb8ba26066fb2eefbde7998e 14181609 jython_2.7.1+repack.orig.tar.gz
 736538cf6651efcbfb151988b503b48e770cd8584098eaf7fc59050d9d61b736 20184 jython_2.7.1+repack-1.debian.tar.xz
 2730f9c0cf073ec5bf8302809cf7929d245d7de02cd119317c643c2b1e3f0903 6716 jython_2.7.1+repack-1_source.buildinfo
Files:
 9e38f796b5d35d7ace8e535ce4164cb8 2111 python optional jython_2.7.1+repack-1.dsc
 8bceaba122a5bbb615739816f1ddca3e 14181609 python optional jython_2.7.1+repack.orig.tar.gz
 189fd5031941e34d644ece69c7e58229 20184 python optional jython_2.7.1+repack-1.debian.tar.xz
 39af41d25b29a4451c4c30fae9ce4b32 6716 python optional jython_2.7.1+repack-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Oct 2017 07:30:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:50:27 2019; Machine Name: beach
