Nico Golde <n...@debian.org> (28/01/2009):
> Package: nautilus-python
> Severity: grave
> Tags: security patch
I've just sponsored the package Evgeni has prepared without having it through the usual “Intent to NMU” way for the following reasons:
 - security RC bugs & patch available;
 - no NACK for the proposed patch during the past days;
 - previous NMU was ACKed in advance, so I guess it won't be a big deal;
 - tight release schedule.

Please find attached the final source debdiff.

Mraw,
KiBi.
diff -u nautilus-python-0.4.3/debian/changelog nautilus-python-0.4.3/debian/changelog --- nautilus-python-0.4.3/debian/changelog +++ nautilus-python-0.4.3/debian/changelog @@ -1,3 +1,13 @@ +nautilus-python (0.4.3-3.2) unstable; urgency=high + + * Non-maintainer upload. + * Fix CVE-2009-0317: untrusted search path vulnerability. + + Added patch: 50_CVE-2009-0317.patch + + Closes: #513419 + * Urgency high for fixing a security RC bug. + + -- Evgeni Golov <sarge...@die-welt.net> Sun, 01 Feb 2009 23:34:17 +0100 + nautilus-python (0.4.3-3.1) unstable; urgency=low * Non-maintainer upload, ACKed by maintainer. only in patch2: unchanged: --- nautilus-python-0.4.3.orig/debian/patches/50_CVE-2009-0317.patch +++ nautilus-python-0.4.3/debian/patches/50_CVE-2009-0317.patch @@ -0,0 +1,10 @@ +--- a/src/nautilus-python.c 2006-02-15 22:25:20.000000000 +0100 ++++ b/src/nautilus-python.c 2009-01-29 09:46:13.000000000 +0100 +@@ -134,6 +134,7 @@ + + Py_Initialize(); + PySys_SetArgv(1, argv); ++ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); + + /* pygtk.require("2.0") */ + pygtk = PyImport_ImportModule("pygtk");
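Review bot: In 50_CVE-2009-0317.patch, the added PyRun_SimpleString() call in src/nautilus-python.c ignores its return value, so if the statement fails, the entries that filter(None, sys.path) is meant to drop stay in sys.path and execution continues straight to PyImport_ImportModule("pygtk") with the search path unchanged. PyRun_SimpleString() returns 0 on success and -1 on error; check the result and abort initialisation on failure. A short C comment above the line saying that it strips empty entries from sys.path for CVE-2009-0317 would stop a later cleanup from removing it, and the patch file itself has no header describing its origin or purpose. Note also that filter() returning a list is Python 2 behaviour; `[p for p in sys.path if p]` gives a list under both Python 2 and Python 3.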