Your message dated Sun, 09 Nov 2008 10:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504359: fixed in csound 1:5.08.0.dfsg2-8+lenny2
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
csound's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename. This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module csound tries
to import.
This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
--- a/frontends/CsoundAC/Shell.cpp
+++ b/frontends/CsoundAC/Shell.cpp
@@ -211,6 +211,8 @@ namespace csound
void Shell::main(int argc, char **argv)
{
PySys_SetArgv_(argc, argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString_("import sys; sys.path = filter(None, sys.path)");
}
void Shell::initialize()
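Review bot: the `filter(None, sys.path)` in the added `PyRun_SimpleString_` line only drops falsy entries, so it removes the empty string that `PySys_SetArgv_` prepends but leaves an entry such as "." or any other relative path in place. If `argv[0]` can ever produce something other than "", filter on `os.path.isabs` instead, and write it as `sys.path = [p for p in sys.path if p]` so that `sys.path` stays a list on interpreters where `filter` returns an iterator. The comment "Sanitize sys.path" would also be more useful if it said why the empty entry matters, namely that imports resolve from the working directory.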
--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp
+++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp
@@ -427,6 +427,8 @@
Shell::open();
char *argv[] = {"",""};
PySys_SetArgv(1, argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
PyObject *mainModule = PyImport_ImportModule("__main__");
result = runScript("import sys\n");
if(result)
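Review bot: the return value of the added `PyRun_SimpleString` call is ignored, so if the statement fails the code carries on to `PyImport_ImportModule("__main__")` with the empty `sys.path` entry still present; check for a non-zero result and bail out before any script runs. The empty entry comes from the `argv[] = {"",""}` passed to `PySys_SetArgv` just above, and the sanitizing string is now duplicated here and in Shell.cpp, so a shared helper would keep the two copies from drifting apart.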
--- End Message ---
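The mechanism the report above describes, as an added example that is not part of the original message or of csound's code: an empty string in the module search path makes imports resolve from the working directory, and `filter(None, ...)` removes that entry but not ".". The helper names, the module name `constructed_mod` and the sample path lists are assumptions made for illustration, and the Python 3 import machinery stands in for the Python 2 interpreters the bug was filed against.

```python
import importlib.machinery
import os
import tempfile


def cwd_entries(path):
    """Entries of a sys.path-style list that make imports depend on the working directory."""
    cwd = os.path.realpath(os.getcwd())
    return [p for p in path
            if isinstance(p, str)
            and (p == "" or not os.path.isabs(p) or os.path.realpath(p) == cwd)]


def sanitize(path):
    """Drop every working-directory-dependent entry, not only the empty string."""
    risky = set(cwd_entries(path))
    return [p for p in path if p not in risky]


def found_in_cwd(name, path):
    """True if the import system would load `name` from the working directory."""
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    if spec is None or not spec.origin:
        return False
    return os.path.dirname(os.path.realpath(spec.origin)) == os.path.realpath(os.getcwd())


def demo():
    """Constructed scenario: the working directory holds a file named like a module."""
    stdlib = os.path.dirname(os.__file__)
    # Constructed search path: the shape the report describes after an empty argv[0].
    embedded = ["", stdlib]
    old = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        os.chdir(workdir)
        try:
            with open("constructed_mod.py", "w") as fh:
                fh.write("VALUE = 1\n")
            importlib.invalidate_caches()
            return {
                "before": found_in_cwd("constructed_mod", embedded),
                "after_patch_filter": found_in_cwd("constructed_mod", list(filter(None, embedded))),
                "dot_survives_filter": cwd_entries(list(filter(None, [".", stdlib]))),
                "after_sanitize": cwd_entries(sanitize(["", ".", stdlib])),
            }
        finally:
            os.chdir(old)
```

`cwd_entries(sys.path)` can be run inside any embedded interpreter as a startup check; a non-empty result means module resolution depends on where the user launched the program.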
--- Begin Message ---
Source: csound
Source-Version: 1:5.08.0.dfsg2-8+lenny2
We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:
csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/csladspa_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/csound-gui_5.08.0.dfsg2-8+lenny2_amd64.deb
csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/csound-utils_5.08.0.dfsg2-8+lenny2_amd64.deb
csound_5.08.0.dfsg2-8+lenny2.diff.gz
to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.diff.gz
csound_5.08.0.dfsg2-8+lenny2.dsc
to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2.dsc
csound_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/csound_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/libcsnd-java_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/libcsnd5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/libcsound64-5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb
to pool/main/c/csound/libcsound64-dev_5.08.0.dfsg2-8+lenny2_all.deb
libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb
to pool/main/c/csound/libcsound64-doc_5.08.0.dfsg2-8+lenny2_all.deb
libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/libcsoundac5.1_5.08.0.dfsg2-8+lenny2_amd64.deb
pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/pd-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/python-csound_5.08.0.dfsg2-8+lenny2_amd64.deb
python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/python-csoundac_5.08.0.dfsg2-8+lenny2_amd64.deb
tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb
to pool/main/c/csound/tclcsound_5.08.0.dfsg2-8+lenny2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated csound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 08 Nov 2008 19:25:53 +0100
Source: csound
Binary: csound csound-gui csound-utils libcsound64-5.1 libcsnd-java
libcsound64-dev pd-csound python-csound libcsnd5.1 tclcsound libcsoundac5.1
python-csoundac csladspa libcsound64-doc
Architecture: source all amd64
Version: 1:5.08.0.dfsg2-8+lenny2
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Felipe Sateler <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
csladspa - LADSPA plugin for Csound
csound - powerful and versatile sound synthesis software
csound-gui - GUI interfaces and opcodes for Csound
csound-utils - miscellaneous utilities for the Csound system
libcsnd-java - Java bindings for the Csound API
libcsnd5.1 - C++ bindings for the Csound API
libcsound64-5.1 - main library for Csound
libcsound64-dev - development files for Csound
libcsound64-doc - Csound API documentation
libcsoundac5.1 - the Csound Algorithmic Composition library
pd-csound - Csound external for PureData
python-csound - Python bindings for Csound
python-csoundac - Python bindings for CsoundAC
tclcsound - Tcl bindings and interpreters for Csound
Closes: 504359
Changes:
csound (1:5.08.0.dfsg2-8+lenny2) testing-proposed-updates; urgency=low
.
[ Jonas Smedegaard ]
* Fix unreliable documentation build:
+ Completely replace doxygen-generated Makefile with custom one
ignoring pdflatex errors initially and emits errors at additional
runs to stderr.
+ Build-depend on texlive-fonts-recommended
+ Build-depend on ghostscript
+ Build-depend on ttf-bitstream-vera and patch Doxyfile to use it
+ Patch Doxyfile to use default dot path
+ Patch refman_header.tex to include needed listings package.
* Explicitly add java-gjc include path, to not FTBFS when fallback
java build-dependency is used.
* Build using generic tcl path preferred over versioned one.
.
[ Felipe Sateler ]
* Sanitize Python path to avoid arbitrary code execution. Thanks James Vega.
Closes: #504359.
* Fix FTBFS in alpha due to typo.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkWMDQACgkQn7DbMsAkQLh7qACfR0fE1EkGQKYWD2VnT48phTGg
7F4AoKa60p4sAAeU1O32cPh8/gZ/LGss
=HkHA
-----END PGP SIGNATURE-----
--- End Message ---