Your message dated Sat, 15 Nov 2008 22:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504251: fixed in dia 0.96.1-7.1
has caused the Debian Bug report #504251,
regarding dia: Python scripts load modules from current directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dia
Version: 0.96.1-7
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
dia's python interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string. This allows the possibility to run
arbitrary code on the user's system if there is a python file in dia's
working directory named the same as one that dia's python scripts try to
import.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dia depends on:
pn dia-common <none> (no description available)
pn dia-libs <none> (no description available)
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcairo2 1.6.4-6.1 The Cairo 2D vector graphics libra
ii libfontconfig1 2.6.0-1 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages dia recommends:
ii gsfonts-x11 0.21 Make Ghostscript fonts available t
dia suggests no packages.
--- dia-0.96.1.orig/plug-ins/python/python.c
+++ dia-0.96.1/plug-ins/python/python.c
@@ -102,6 +102,8 @@
Py_Initialize();
PySys_SetArgv(1, python_argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
if (on_error_report())
return DIA_PLUGIN_INIT_ERROR;
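Review bot: the return value of PyRun_SimpleString on the `+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");` line is discarded. That call prints and clears any exception and returns -1 on failure, so a failure in the sanitizing statement would be invisible to the on_error_report() check that follows; test the result and return DIA_PLUGIN_INIT_ERROR when it is non-zero. Two smaller points on the same line: filter(None, sys.path) removes only empty entries, which is what PySys_SetArgv prepends when python_argv[0] has no directory component; should argv[0] ever carry a path, the prepended entry is that directory and survives this filter, so dropping or checking sys.path[0] explicitly right after PySys_SetArgv is more robust. And filter() yields a list only on Python 2; on Python 3 it would replace sys.path with an iterator, so `sys.path = [p for p in sys.path if p]` is the portable form.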
--- End Message ---
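The bug report above describes the mechanism in one paragraph: an empty string at the front of sys.path makes the import system search the process's working directory first, so a file in that directory with the same name as a module the plug-in scripts import is the one that gets executed. The following Python script is an added demonstration of that shadowing and of the effect of the patch's sanitizing step; it is not part of the bug report or of dia. The module name dia_shadow_demo, the plugins/ and work/ directories and the ORIGIN constant are constructed for the example and created in a temporary tree; the sanitize() function is a Python-3-safe rewrite of the patch's filter(None, sys.path).

```python
"""Show how '' at the front of sys.path lets a module in the working directory
shadow the installed one, and that dropping empty entries (what the patch's
filter(None, sys.path) does) closes the hole.  Constructed example: the
module name and directories are hypothetical and live in a temp tree."""
import importlib
import os
import shutil
import sys
import tempfile

MODULE = "dia_shadow_demo"  # hypothetical module name, not a real dia plug-in


def make_tree():
    """Create <tmp>/plugins/<MODULE>.py (the legitimate copy) and
    <tmp>/work/<MODULE>.py (an attacker-planted copy in the directory
    the application would be started from)."""
    base = tempfile.mkdtemp(prefix="syspath-demo-")
    legit = os.path.join(base, "plugins")
    work = os.path.join(base, "work")
    os.mkdir(legit)
    os.mkdir(work)
    with open(os.path.join(legit, MODULE + ".py"), "w") as f:
        f.write("ORIGIN = 'plugin-dir'\n")
    with open(os.path.join(work, MODULE + ".py"), "w") as f:
        # In a real attack this file would run arbitrary code at import time.
        f.write("ORIGIN = 'cwd'\n")
    return base, legit, work


def sanitize(path):
    """Python-3-safe equivalent of the patch's filter(None, sys.path):
    drop every empty entry (the import system reads '' as 'current dir')."""
    return [p for p in path if p]


def import_origin(path_entries, cwd):
    """Import MODULE with sys.path starting with path_entries while the
    working directory is cwd; return the ORIGIN the imported module declares."""
    saved_path, saved_cwd = sys.path[:], os.getcwd()
    sys.modules.pop(MODULE, None)
    # Forget any cached finder for '' / cwd so this lookup is evaluated afresh.
    for key in ("", ".", cwd):
        sys.path_importer_cache.pop(key, None)
    importlib.invalidate_caches()
    try:
        os.chdir(cwd)
        # Keep the rest of the original path (minus empty entries) so the
        # standard library stays importable during the experiment.
        sys.path[:] = list(path_entries) + sanitize(saved_path)
        return importlib.import_module(MODULE).ORIGIN
    finally:
        sys.path[:] = saved_path
        os.chdir(saved_cwd)
        sys.modules.pop(MODULE, None)
        for key in ("", ".", cwd):
            sys.path_importer_cache.pop(key, None)


def demo():
    """Return (origin with '' on sys.path, origin after sanitizing)."""
    base, legit, work = make_tree()
    try:
        # PySys_SetArgv with a bare program name leaves '' as sys.path[0].
        unsafe = ["", legit]
        safe = sanitize(unsafe)
        return import_origin(unsafe, work), import_origin(safe, work)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("with '' on sys.path :", before)   # cwd
    print("after sanitizing    :", after)    # plugin-dir
```

Run it from any directory: the first import resolves to the planted copy in work/, the second, with the empty entry removed, to the copy in plugins/. The same check applies to any embedded interpreter that calls PySys_SetArgv: inspect sys.path[0] after initialisation, before the first plug-in import.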
--- Begin Message ---
Source: dia
Source-Version: 0.96.1-7.1
We believe that the bug you reported is fixed in the latest version of
dia, which is due to be installed in the Debian FTP archive:
dia-common_0.96.1-7.1_all.deb
to pool/main/d/dia/dia-common_0.96.1-7.1_all.deb
dia-gnome_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia-gnome_0.96.1-7.1_i386.deb
dia-libs_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia-libs_0.96.1-7.1_i386.deb
dia_0.96.1-7.1.diff.gz
to pool/main/d/dia/dia_0.96.1-7.1.diff.gz
dia_0.96.1-7.1.dsc
to pool/main/d/dia/dia_0.96.1-7.1.dsc
dia_0.96.1-7.1_i386.deb
to pool/main/d/dia/dia_0.96.1-7.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <[EMAIL PROTECTED]> (supplier of updated dia package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 15 Nov 2008 22:11:35 +0100
Source: dia
Binary: dia-common dia-libs dia dia-gnome
Architecture: source all i386
Version: 0.96.1-7.1
Distribution: unstable
Urgency: low
Maintainer: Debian Dia Team <[EMAIL PROTECTED]>
Changed-By: Alexander Reichle-Schmehl <[EMAIL PROTECTED]>
Description:
dia - Diagram editor
dia-common - Diagram editor (common files)
dia-gnome - Diagram editor (GNOME version)
dia-libs - Diagram editor (library files)
Closes: 504251
Changes:
dia (0.96.1-7.1) unstable; urgency=low
.
* Non-maintainer upload.
* Applying patch by James Vega to solve module import problem
(Closes: #504251)
Checksums-Sha1:
da0f1e840303dcad56d4cd41288b20f0312fc34c 1352 dia_0.96.1-7.1.dsc
6c99804836823bd201854dc972413f9459ef81f9 99219 dia_0.96.1-7.1.diff.gz
1752075d60595e89900b0ebb097c1857e2827bdd 4114168 dia-common_0.96.1-7.1_all.deb
81efe5af2301d94b662a45a006c4e39c7d0c9a47 716604 dia-libs_0.96.1-7.1_i386.deb
1930ba01527f83b3b724b1beb90a66db25706457 192482 dia_0.96.1-7.1_i386.deb
c32255e3d8858d70c2560b41fe0058bd942ee1a3 193430 dia-gnome_0.96.1-7.1_i386.deb
Checksums-Sha256:
ed4350897f8bf083b552ab717f0dce3b75dad2e5d1862886be6995870f6f363e 1352 dia_0.96.1-7.1.dsc
2f8fb2cceb9e6692fa0f363b6a844c3605a65a6b195b0478bd7ad8313cceb977 99219 dia_0.96.1-7.1.diff.gz
39552adf5fad8f8e4dd56f67b189c604e1327ec7225e4ab972bdaed8f31101b7 4114168 dia-common_0.96.1-7.1_all.deb
66b586b73e851f503e8b31691e3e98689979ff06a1c4fbc1b9f07e2f379842d5 716604 dia-libs_0.96.1-7.1_i386.deb
0ccf34b133259564112b12eabd246022a06b4b705c1a2570df44b75553757aa2 192482 dia_0.96.1-7.1_i386.deb
14820d3a2631be8bd55794cc3224b542be07c095c18773349ea310b158cf2a8d 193430 dia-gnome_0.96.1-7.1_i386.deb
Files:
c026ecc8e048b62c65b79a74e603beab 1352 graphics optional dia_0.96.1-7.1.dsc
3beb636e7057fb512d54bfd86d199204 99219 graphics optional dia_0.96.1-7.1.diff.gz
364734a637cbe18dfad7fa35cea0ba46 4114168 graphics optional dia-common_0.96.1-7.1_all.deb
90561d15ec6d2b82d7377effa10e3110 716604 graphics optional dia-libs_0.96.1-7.1_i386.deb
a75dce54d3c271c4868503a764ac285e 192482 graphics optional dia_0.96.1-7.1_i386.deb
f375a8acb43e98af2609ac1f93bedfa6 193430 gnome optional dia-gnome_0.96.1-7.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkfQXAACgkQBxd04ADYzRbtDwCeIPjAc6rStoniQ6IYDkb6xkb2
yuwAoJk+k13ZrXAlpjDJ+vtery08rPUs
=Mu3+
-----END PGP SIGNATURE-----
--- End Message ---