Your message dated Sat, 07 Feb 2009 11:32:17 +0000
with message-id <e1lvlq1-0004fc...@ries.debian.org>
and subject line Bug#513513: fixed in gedit 2.22.3-1+lenny1
has caused the Debian Bug report #513513,
regarding CVE-2009-0314: Untrusted search path vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gedit
Severity: important

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gedit.

CVE-2009-0314[0]:
| Untrusted search path vulnerability in the Python module in gedit
| allows local users to execute arbitrary code via a Trojan horse Python
| file in the current working directory, related to a vulnerability in
| the PySys_SetArgv function (CVE-2008-5983).

There is more information in the Red Hat bug report[1], including a
patch[2].

For stable, this issue could be fixed via stable-proposed-updates. It
seems that the vulnerable function is gedit_python_module_init_python().

For lenny, it could be fixed via migration from unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0314
    http://security-tracker.debian.net/tracker/CVE-2009-0314
[1] https://bugzilla.redhat.com/show_bug.cgi?id=481556
[2] https://bugzilla.redhat.com/attachment.cgi?id=330031



--- End Message ---
--- Begin Message ---
Source: gedit
Source-Version: 2.22.3-1+lenny1

We believe that the bug you reported is fixed in the latest version of
gedit, which is due to be installed in the Debian FTP archive:

gedit-common_2.22.3-1+lenny1_all.deb
  to pool/main/g/gedit/gedit-common_2.22.3-1+lenny1_all.deb
gedit-dev_2.22.3-1+lenny1_all.deb
  to pool/main/g/gedit/gedit-dev_2.22.3-1+lenny1_all.deb
gedit_2.22.3-1+lenny1.diff.gz
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1.diff.gz
gedit_2.22.3-1+lenny1.dsc
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1.dsc
gedit_2.22.3-1+lenny1_amd64.deb
  to pool/main/g/gedit/gedit_2.22.3-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated gedit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Feb 2009 19:48:21 +0100
Source: gedit
Binary: gedit gedit-common gedit-dev
Architecture: source all amd64
Version: 2.22.3-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 gedit      - official text editor of the GNOME desktop environment
 gedit-common - official text editor of the GNOME desktop environment (support 
fi
 gedit-dev  - official text editor of the GNOME desktop environment (developmen
Closes: 513513
Changes: 
 gedit (2.22.3-1+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Pass GEDIT_PLUGINDIR instead of gedit to PySys_SetArgv
     to workaround an insecure search path vulnerability
     (02_CVE-2009-0314.patch; Closes: #513513).
   * Note that this update changes the Uploader field, this is
     not related to the security fix but to the build system used
     by the gedit maintainers.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
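The CVE text in the first message and the GEDIT_PLUGINDIR change in the changelog both hinge on how PySys_SetArgv turns argv[0] into sys.path[0]. The block below is an added Python model of that dirname logic, written for this thread rather than taken from gedit, CPython or the patch; the GEDIT_PLUGINDIR value and the base sys.path are constructed placeholders, and symlink/realpath resolution is deliberately left out.

```python
"""Model of how PySys_SetArgv derived sys.path[0] from argv[0] (CVE-2009-0314).

Added illustration, not gedit's or CPython's code. It mirrors the dirname
logic CPython 2.x applied in PySys_SetArgv so the effect of passing
GEDIT_PLUGINDIR instead of "gedit" can be checked without embedding an
interpreter. Symlink and realpath resolution are omitted for brevity.
"""
import os
import sys

# Constructed placeholder for the build-time GEDIT_PLUGINDIR constant.
GEDIT_PLUGINDIR = "/usr/lib/gedit-2/plugins"


def argv0_path_entry(argv0):
    """Return the entry PySys_SetArgv inserts at sys.path[0] for argv0.

    A bare program name such as "gedit" contains no '/', so CPython inserts
    "", which the import machinery treats as the current working directory.
    That is the untrusted search path: any importable file in the cwd wins.
    """
    if argv0 == "-c":
        return ""
    sep = argv0.rfind("/")
    if sep < 0:
        return ""          # no directory part: cwd is searched first
    if sep == 0:
        return "/"         # argv0 like "/gedit": keep the root separator
    return argv0[:sep]     # drop basename and the trailing separator


def simulate_set_argv(argv, path):
    """Return the sys.path the embedding host ends up with after SetArgv."""
    return [argv0_path_entry(argv[0])] + list(path)


def cwd_searched_first(path):
    """True when the first import location is the cwd or a relative dir."""
    first = path[0] if path else None
    return first is not None and (first in ("", ".") or not os.path.isabs(first))


def audit_running_interpreter():
    """Check whether this interpreter's own sys.path starts with the cwd."""
    return cwd_searched_first(sys.path)


if __name__ == "__main__":
    base = ["/usr/lib/python2.5", "/usr/lib/python2.5/site-packages"]
    for argv in (["gedit"], [GEDIT_PLUGINDIR]):   # before and after the fix
        p = simulate_set_argv(argv, base)
        print("argv[0]=%-26r sys.path[0]=%-18r cwd first: %s"
              % (argv[0], p[0], cwd_searched_first(p)))
```

With an absolute argv[0] the inserted entry is a fixed directory under the install prefix (the parent of the path given), which is the whole point of the fix; later CPython 2.x releases also added PySys_SetArgvEx(argc, argv, 0) so an embedder can skip the sys.path update altogether.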