I don't have anything available to test this on right now, but I
strongly suspect that this will not affect the version of Sage
currently in Debian. The version currently in Debian is 1.3.7, plus
my somewhat draconian patch to fix the previously reported
vulnerabilities. See the bug report for the last round of
vulnerabilities for the patch I hacked up [0].

Reasoning:

From the looks of the feed mentioned in the report [1] the exploit
can only work if HTML mode is on. If HTML mode is disabled the
contents of the feed will be converted into HTML entities as required
before viewing, which will prevent the exploit from working. My patch
disabled HTML mode entirely (as well as fixing a bug with the non-
HTML mode), therefore I can't see this exploit working on the version
in Debian currently.

As for where to go from here with Debian I'm not quite sure. I had
planned to do a fairly comprehensive review of 1.3.8 before uploading
it and re-enabling HTML mode. (I still really don't like the way
feeds end up treated as local). Presumably though if I'm correct and
this bug doesn't actually affect the version in Debian it shouldn't
be an RC bug? In light of these problems though I'm somewhat uneasy
with the idea of this releasing when Etch releases though. The way to
do that though I assume would be to get it removed from testing
manually, and keep this bug report open to stop it going back into
testing? Any thoughts?

Alan

[0] - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388149
[1] - http://michaeldaw.org/projects/sage-exploit-feed.xml
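
The message's reasoning is that with HTML mode off the feed contents are converted to HTML entities before viewing. The sketch below models that as an added example: it is not part of the original message and not Sage's code. `renderItem`, `toEntities`, `feedSuppliedTags` and the sample item are hypothetical names and constructed data.

```javascript
// Added illustration, not Sage's code: all names here are hypothetical and
// only model a feed reader with an "HTML mode" switch.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, start an entity or close an
// attribute. One pass over the input avoids re-encoding the "&" it emits.
function toEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// htmlMode=true passes feed fields through as markup (the risky setting);
// htmlMode=false encodes them so they can only ever display as text.
function renderItem(item, htmlMode) {
  const field = (value) => (htmlMode ? String(value) : toEntities(value));
  return (
    '<div class="item"><a href="' + toEntities(item.link) + '">' +
    field(item.title) + "</a><p>" + field(item.description) + "</p></div>"
  );
}

// List tag names in rendered output that the fixed template did not produce.
// A rough check: feed markup reusing div/a/p would not be flagged.
function feedSuppliedTags(html) {
  const template = new Set(["div", "a", "p"]);
  const names = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.filter((name) => !template.has(name));
}

// Constructed sample item; the markup is inert and only stands in for
// whatever a feed might carry.
const sampleItem = {
  title: "Release notes <b>1.0</b>",
  link: 'http://example.org/?a=1&b="2"',
  description: "<script>void 0</script> Tom & Jerry",
};

console.log(feedSuppliedTags(renderItem(sampleItem, true)));
console.log(feedSuppliedTags(renderItem(sampleItem, false)));
console.log(renderItem(sampleItem, false));
```

With HTML mode on, the feed's own tags reach the rendered page; with it off, the only tags left are the template's.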