Your message dated Thu, 05 Feb 2009 13:52:23 +0000
with message-id <e1lv4ev-000318...@ries.debian.org>
and subject line Bug#513418: fixed in gnumeric 1.6.3-5.1+etch2
has caused the Debian Bug report #513418,
regarding gnumeric: CVE-2009-0318 untrusted search path vulnerability in
GObject wrapper
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
513418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnumeric
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnumeric.
CVE-2009-0318[0]:
| Untrusted search path vulnerability in the GObject Python interpreter
| wrapper in Gnumeric allows local users to execute arbitrary code via a
| Trojan horse Python file in the current working directory, related to
| a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
The attached patch should fix this problem (but I haven't
tested it).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0318
http://security-tracker.debian.net/tracker/CVE-2009-0318
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- gnm-py-interpreter.c 2008-01-18 21:28:20.000000000 +0100
+++ gnm-py-interpreter.c.new 2009-01-28 22:58:40.000000000 +0100
@@ -101,6 +101,7 @@
interpreter->plugin = plugin;
PySys_SetArgv (G_N_ELEMENTS (plugin_argv) - 1, plugin_argv);
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
py_initgnumeric (interpreter);
return interpreter;
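Review bot: the return value of PyRun_SimpleString is discarded on the added line, so if the snippet raises (the call returns -1) the interpreter carries on with the unsanitised sys.path and nothing is logged; check `if (PyRun_SimpleString ("import sys; sys.path = filter(None, sys.path)") != 0)` and report through the plugin's normal error path. Two smaller points on the statement itself: it relies on Python 2's filter() returning a list (under Python 3 it would assign a filter iterator to sys.path and break every later import, so `list(filter(None, sys.path))` is the portable spelling), and it removes only the empty-string entry that PySys_SetArgv inserted, not a '.' or any other relative entry that might already be present. A ChangeLog line naming CVE-2009-0318 beside the change would help anyone auditing the branch later.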
--- End Message ---
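The CVE text above describes the empty sys.path entry that PySys_SetArgv inserts (it stands for the current working directory), and the patch removes it with `filter(None, sys.path)`. The following is an added example, not code from the bug report or from gnumeric: a small Python module that reports which entries of a search list are resolved relative to the cwd, and sanitises such a list the way the fix does, written in a Python-3-safe form and extended to drop `.` and other relative entries as well. The `SAMPLE_PATH` list and the `/opt/gnumeric/py` directory in it are constructed for the example.

```python
# Added example (not from the bug report or gnumeric): checking and
# sanitising a sys.path-style search list the way the CVE-2009-0318 fix
# does (filter(None, sys.path)), extended to relative entries as well.
import os
import sys

# Constructed sample of what an embedded interpreter's sys.path can look
# like after PySys_SetArgv: the leading '' denotes the current working
# directory, which a local user may control.  The last entry is a
# hypothetical plugin directory, not a real gnumeric path.
SAMPLE_PATH = [
    "",
    "/usr/lib/python3/dist-packages",
    ".",
    "plugins",
    "/opt/gnumeric/py",
]


def unsafe_entries(path_entries):
    """Return the entries that are resolved relative to the current working
    directory: '' (how PySys_SetArgv denotes the cwd), '.', and any other
    relative path.  A module dropped into the cwd would shadow the real one
    for every import that hits such an entry first.  os.path.isabs('') is
    False, so the empty string is caught by the same test."""
    return [p for p in path_entries if not os.path.isabs(p)]


def sanitize_path(path_entries):
    """Explicit, Python-3-safe equivalent of the fix's
    `sys.path = filter(None, sys.path)` (which only drops empty strings),
    additionally dropping '.' and other relative entries.  Order of the
    remaining entries is preserved so module resolution is otherwise
    unchanged."""
    return [p for p in path_entries if p and os.path.isabs(p)]


def harden_sys_path(path_list=None):
    """Sanitise a live search list in place (sys.path by default) and return
    the entries that were removed, so a plugin loader can log them."""
    if path_list is None:
        path_list = sys.path
    removed = unsafe_entries(path_list)
    path_list[:] = sanitize_path(path_list)
    return removed


if __name__ == "__main__":
    print("unsafe entries in sample:", unsafe_entries(SAMPLE_PATH))
    print("sanitised sample:", sanitize_path(SAMPLE_PATH))
    print("removed from this interpreter's sys.path:", harden_sys_path())
```

A loader that embeds Python would call `harden_sys_path()` right after setting argv and before importing any plugin module; the returned list is what to log so a stray relative entry shows up in the application's diagnostics rather than silently disappearing.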
--- Begin Message ---
Source: gnumeric
Source-Version: 1.6.3-5.1+etch2
We believe that the bug you reported is fixed in the latest version of
gnumeric, which is due to be installed in the Debian FTP archive:
gnumeric-common_1.6.3-5.1+etch2_all.deb
to pool/main/g/gnumeric/gnumeric-common_1.6.3-5.1+etch2_all.deb
gnumeric-doc_1.6.3-5.1+etch2_all.deb
to pool/main/g/gnumeric/gnumeric-doc_1.6.3-5.1+etch2_all.deb
gnumeric-plugins-extra_1.6.3-5.1+etch2_amd64.deb
to pool/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch2_amd64.deb
gnumeric_1.6.3-5.1+etch2.diff.gz
to pool/main/g/gnumeric/gnumeric_1.6.3-5.1+etch2.diff.gz
gnumeric_1.6.3-5.1+etch2.dsc
to pool/main/g/gnumeric/gnumeric_1.6.3-5.1+etch2.dsc
gnumeric_1.6.3-5.1+etch2_amd64.deb
to pool/main/g/gnumeric/gnumeric_1.6.3-5.1+etch2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
J.H.M. Dassen (Ray) <jdas...@debian.org> (supplier of updated gnumeric package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 29 Jan 2009 21:20:17 +0100
Source: gnumeric
Binary: gnumeric-doc gnumeric-common gnumeric gnumeric-plugins-extra
Architecture: source amd64 all
Version: 1.6.3-5.1+etch2
Distribution: stable-proposed-updates
Urgency: medium
Maintainer: J.H.M. Dassen (Ray) <jdas...@debian.org>
Changed-By: J.H.M. Dassen (Ray) <jdas...@debian.org>
Description:
gnumeric - GNOME spreadsheet application
gnumeric-common - common files for Gnumeric, the GNOME spreadsheet application
gnumeric-doc - documentation for Gnumeric, the GNOME spreadsheet application
gnumeric-plugins-extra - additional plugins for the GNOME spreadsheet
Closes: 513418
Changes:
gnumeric (1.6.3-5.1+etch2) stable-proposed-updates; urgency=medium
.
* [plugins/python-loader/gnm-py-interpreter.c,
plugins/python-loader/ChangeLog] Pull in fix from SVN gnumeric-1-6
branch to deal with CVE-2009-0318, an untrusted search path vulnerability
which affected the python-loader plugin which is part of the
gnumeric-plugins-extra package. (Closes: #513418)
Files:
d9c771bc4a7921687c843a840e6810c4 1340 math optional gnumeric_1.6.3-5.1+etch2.dsc
bafb221851a9498560b4bb68683ae389 358722 math optional gnumeric_1.6.3-5.1+etch2.diff.gz
35b5ebfafeee4062ad306e1d69edbaee 5269068 math optional gnumeric-common_1.6.3-5.1+etch2_all.deb
1c296f2084db6052f0dc22016ee57a04 4190876 doc optional gnumeric-doc_1.6.3-5.1+etch2_all.deb
f86baf7ffef80b0fe48dce38d67ce42e 2201068 math optional gnumeric_1.6.3-5.1+etch2_amd64.deb
1f637a27ea1ee3b796399065969ce0d2 158818 math optional gnumeric-plugins-extra_1.6.3-5.1+etch2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmCE0wACgkQmGjI2TeZ54eykQCfcQYqJEBo6wcD5oYcNlOFw0VL
eHoAn145Cgela1+0gvsez4hbQoKMARXR
=HSRe
-----END PGP SIGNATURE-----
--- End Message ---