Your message dated Tue, 21 Oct 2008 13:19:53 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#484305: Fix python or the apps?
has caused the Debian Bug report #484305,
regarding bicyclerepair: bike.vim imports untrusted python files from cwd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
484305: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: bicyclerepair
Version: 0.9-4.1
Severity: critical
Tags: security
Justification: root security hole

# pwd
/tmp/roundup-1.3.3/roundup
# vim /tmp/whatever
Error detected while processing /usr/share/vim/addons/plugin/bike.vim:
line  110:
Traceback (most recent call last):
  File "<string>", line 6, in ?
  File "/usr/lib/python2.4/site-packages/bike/__init__.py", line 10, in ?
    from bikefacade import init, NotAPythonModuleOrPackageException, CouldntLocateASTNodeFromCoordinatesException, UndoStackEmptyException
  File "/usr/lib/python2.4/site-packages/bike/bikefacade.py", line 3, in ?
    import compiler
  File "__init__.py", line 24, in ?

  File "compiler/transformer.py", line 1348, in ?
AttributeError: 'module' object has no attribute 'LESS'
Press ENTER or type command to continue


bicyclerepair contains /usr/share/vim/addons/plugin/bike.vim which is
automatically executed, at least in etch. I don't know about lenny/sid,
see #464817 (bicyclerepair: Conform with Vim addon policy)

It imports (i.e. runs) python code it finds in the current working
directory, in my example from the extracted roundup tarball.

I set Severity to "critical" instead of "grave", because the user who
reported the traceback to me on a multi-user system does not use
bicyclerepair, but just vim. Reportbug forced me to set "root security
hole", because everyone using vim is affected (including root) and
the Justification 5 "unknown / something else" would downgrade the
Severity to "normal". The description for "grave" said that it only
applies if the security problem affects people actually using the package.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages bicyclerepair depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-central                0.5.12     register and build utility for Pyt

bicyclerepair recommends no packages.

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



--- End Message ---
--- Begin Message ---
On Tue, Oct 07, 2008 at 04:00:49PM +0100, [EMAIL PROTECTED] wrote:
> It seems to me that there are two choices here:
> 1) this is considered a python issue, that should be solved in python;

This problem should be solved in 2.6 since absolute imports are the
default.

> 2) this is considered an issue in the python apps that act like this (and
>    as it was said, there's probably a handful of them), and those should be
>    solved in each of those apps.

I'm currently looking through the various source packages which provide
a binary that uses PySys_SetArgv and investigating whether they're
affected by this problem.  If so, I'll be filing bug reports (with
patches).

> Shouldn't we ask it to the Python Apps Packaging Team [1]?

This isn't specifically related to PAPT as most of the affected
applications aren't actually Python applications, but applications
embedding Python.

As far as bicyclerepair is concerned, this bug can be closed (and I'm
doing so with this message) now that the Vim packages remove the empty
directory from sys.path.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>

--- End Message ---
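The mechanism the two messages describe, as an added illustration that is not part of the bug report, the Vim package or bicyclerepair: an embedding application ends up with the empty string (i.e. the current working directory) at the front of sys.path, so a package dropped into whatever directory the user happens to be in shadows a standard-library module of the same name and is executed on import. The script below plants such a package in a scratch directory, resolves the import with and without the empty entry, and shows the fix James refers to (removing the cwd entry from the path). It shadows `json` rather than `compiler`, because the `compiler` module from the traceback no longer exists in Python 3; the function names `resolve`, `strip_cwd`, `demo` and `picks_untrusted` are my own, and the planted package is constructed sample data.

```python
import importlib.machinery
import os
import shutil
import sys
import tempfile


def resolve(name, search_path):
    """Return the file that `import name` would load when the import system
    searches only `search_path`, without executing anything. An empty-string
    entry is treated exactly as Python treats it: "the current directory"."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def strip_cwd(search_path):
    """Remove every entry that points at the current working directory
    ('' and '.', plus an absolute path equal to it). This is the shape of
    the fix discussed in the thread: an embedding application that has
    '' at the front of sys.path should drop it before importing anything."""
    cwd = os.path.realpath(os.getcwd())
    return [p for p in search_path
            if p not in ('', '.') and os.path.realpath(p) != cwd]


def demo(shadow='json'):
    """Plant an untrusted package named `shadow` in a scratch directory, chdir
    into it, and show which file an embedded interpreter would import before
    and after the cwd entry is removed. Returns (planted_dir, before, after)."""
    tmp = tempfile.mkdtemp(prefix='untrusted-cwd-')
    planted_dir = os.path.realpath(tmp)
    pkg = os.path.join(tmp, shadow)
    os.mkdir(pkg)
    with open(os.path.join(pkg, '__init__.py'), 'w') as fh:
        # Constructed sample: this is the "code from cwd" the report warns about.
        fh.write("raise SystemExit('untrusted %s from cwd executed')\n" % shadow)
    old_cwd = os.getcwd()
    os.chdir(tmp)
    try:
        # Model the path an embedding application is left with: '' first
        # (what a PySys_SetArgv call with an empty script name produced in
        # Python 2), followed by the interpreter's normal entries.
        base = [p for p in sys.path if p not in ('', '.')]
        embedded_path = [''] + base
        before = resolve(shadow, embedded_path)            # the planted file
        after = resolve(shadow, strip_cwd(embedded_path))  # the real stdlib json
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(tmp, ignore_errors=True)
    return planted_dir, before, after


def picks_untrusted(origin, planted_dir):
    """True if the resolved module file lives under the planted directory,
    i.e. the import would run code controlled by whoever writes to cwd."""
    if origin is None:
        return False
    return os.path.realpath(origin).startswith(planted_dir + os.sep)


if __name__ == '__main__':
    planted, before, after = demo()
    print('with "" on sys.path :', before, '(untrusted)' if picks_untrusted(before, planted) else '')
    print('after removing it   :', after)
```

Resolution is done with `PathFinder.find_spec` against an explicit path list rather than by importing, so the planted `__init__.py` (which would exit the interpreter) is never executed; in the original report the same lookup happened inside Vim's `:python` and the shadowing `compiler` package from the extracted roundup tarball was actually run.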