Your message dated Sat, 07 Feb 2009 11:47:08 +0000
with message-id <e1lvleo-00054u...@ries.debian.org>
and subject line Bug#513418: fixed in gnumeric 1.8.3-5+lenny1
has caused the Debian Bug report #513418,
regarding gnumeric: CVE-2009-0318 untrusted search path vulnerability in GObject wrapper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnumeric
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnumeric.

CVE-2009-0318[0]:
| Untrusted search path vulnerability in the GObject Python interpreter
| wrapper in Gnumeric allows local users to execute arbitrary code via a
| Trojan horse Python file in the current working directory, related to
| a vulnerability in the PySys_SetArgv function (CVE-2008-5983).

The attached patch should fix this problem (but I haven't 
tested it).

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0318
    http://security-tracker.debian.net/tracker/CVE-2009-0318

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- gnm-py-interpreter.c	2008-01-18 21:28:20.000000000 +0100
+++ gnm-py-interpreter.c.new	2009-01-28 22:58:40.000000000 +0100
@@ -101,6 +101,7 @@
 	interpreter->plugin = plugin;
 
 	PySys_SetArgv (G_N_ELEMENTS (plugin_argv) - 1, plugin_argv);
+	PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
 	py_initgnumeric (interpreter);
 
 	return interpreter;
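Review bot: the return value of PyRun_SimpleString on the added line is ignored; it returns -1 if the snippet raises (for example if the embedded interpreter is not yet fully set up), and in that case sys.path stays unsanitized while the function falls through to py_initgnumeric and returns a usable interpreter. Check the result and take the function's error path instead of continuing. Two further caveats on the snippet itself: `filter(None, sys.path)` only strips empty entries, i.e. the "" that PySys_SetArgv prepends when plugin_argv[0] carries no directory component, so a non-empty directory derived from argv[0] would survive; and on Python 3 `filter` returns an iterator rather than a list, which would leave sys.path unusable, so `list(filter(None, sys.path))` is the safer spelling if this code is ever built against Python 3. Since the reporter notes the patch is untested, confirming from inside a loaded plugin that sys.path no longer contains an empty entry is worth doing before upload.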

Attachment: pgpbccCNWJQAE.pgp
Description: PGP signature


--- End Message ---
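The report above describes the CVE-2008-5983 pattern: PySys_SetArgv() prepends the directory of argv[0] to sys.path, and when argv[0] carries no directory component that entry is the empty string, which Python resolves to the current working directory at import time. The following script is an added illustration, not code from the bug report or from Gnumeric: it plants a module in a scratch directory, makes that directory the cwd, shows that an import resolves to the planted file while "" is on sys.path, and shows that the same empty-entry filtering the patch applies (written as a list comprehension so it also behaves on Python 3, where filter() returns an iterator) makes the import fail. The module name and helper names are made up for the demo.

```python
import importlib
import os
import shutil
import sys
import tempfile


def sanitize_sys_path(path):
    """Drop empty entries from a sys.path-style list.

    On Python 2 this is exactly what the patch's filter(None, sys.path)
    does; the comprehension keeps the result a list on Python 3 as well.
    """
    return [entry for entry in path if entry]


def try_import(name):
    """Import `name` fresh and return its MARKER attribute, or None if the
    module cannot be found on the current sys.path."""
    sys.modules.pop(name, None)                # forget any cached copy
    sys.path_importer_cache.pop("", None)      # re-resolve "" against the cwd
    importlib.invalidate_caches()
    try:
        module = importlib.import_module(name)
    except ImportError:
        return None
    return getattr(module, "MARKER", None)


def demo(module_name="gnm_demo_trojan_helper"):
    """Return (marker seen with "" on sys.path, marker seen after sanitizing).

    `module_name` is a made-up name for the planted module; nothing in
    Gnumeric imports it. The scratch directory plays the role of an
    attacker-writable cwd."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
        fh.write('MARKER = "loaded from cwd"\n')   # the planted "Trojan horse"

    saved_path, saved_cwd = list(sys.path), os.getcwd()
    try:
        os.chdir(workdir)
        # Emulate the state PySys_SetArgv leaves behind: "" at the front.
        sys.path = [""] + [p for p in saved_path if p not in ("", ".")]
        before = try_import(module_name)

        sys.path = sanitize_sys_path(sys.path)     # the fix from the patch
        after = try_import(module_name)
    finally:
        sys.path = saved_path
        os.chdir(saved_cwd)
        sys.modules.pop(module_name, None)
        shutil.rmtree(workdir, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with '' on sys.path:", before)
    print("after sanitizing:   ", after)
```

Running it prints the planted marker for the first import and None for the second; the only difference between the two attempts is whether "" is on sys.path while the cwd is attacker-controlled.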
--- Begin Message ---
Source: gnumeric
Source-Version: 1.8.3-5+lenny1

We believe that the bug you reported is fixed in the latest version of
gnumeric, which is due to be installed in the Debian FTP archive:

gnumeric-common_1.8.3-5+lenny1_all.deb
  to pool/main/g/gnumeric/gnumeric-common_1.8.3-5+lenny1_all.deb
gnumeric-doc_1.8.3-5+lenny1_all.deb
  to pool/main/g/gnumeric/gnumeric-doc_1.8.3-5+lenny1_all.deb
gnumeric-plugins-extra_1.8.3-5+lenny1_amd64.deb
  to pool/main/g/gnumeric/gnumeric-plugins-extra_1.8.3-5+lenny1_amd64.deb
gnumeric_1.8.3-5+lenny1.diff.gz
  to pool/main/g/gnumeric/gnumeric_1.8.3-5+lenny1.diff.gz
gnumeric_1.8.3-5+lenny1.dsc
  to pool/main/g/gnumeric/gnumeric_1.8.3-5+lenny1.dsc
gnumeric_1.8.3-5+lenny1_amd64.deb
  to pool/main/g/gnumeric/gnumeric_1.8.3-5+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated gnumeric package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Feb 2009 19:24:06 +0100
Source: gnumeric
Binary: gnumeric gnumeric-common gnumeric-doc gnumeric-plugins-extra
Architecture: source all amd64
Version: 1.8.3-5+lenny1
Distribution: testing-security
Urgency: high
Maintainer: J.H.M. Dassen (Ray) <jdas...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 gnumeric   - spreadsheet application for GNOME - main program
 gnumeric-common - spreadsheet application for GNOME - common files
 gnumeric-doc - spreadsheet application for GNOME - documentation
 gnumeric-plugins-extra - spreadsheet application for GNOME - additional plugins
Closes: 513418
Changes: 
 gnumeric (1.8.3-5+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure search path vulnerability due to how python handles sys.path
     by sanitizing sys.path after calling PySys_SetArgv
     (CVE-2009-0318; Closes: #513418).
Checksums-Sha1: 
 da78885acfc2254c27703874602af81c808d2452 1846 gnumeric_1.8.3-5+lenny1.dsc
 5084285100a675ec05778b3dff21c2921d23ba0a 18444243 gnumeric_1.8.3.orig.tar.gz
 c289430f9fe3f527270d34e70287ba610a7e4d0a 133428 gnumeric_1.8.3-5+lenny1.diff.gz
 4917d729fa1730da8d61e0863693b89114f08cf6 5266518 gnumeric-common_1.8.3-5+lenny1_all.deb
 9204a23e36ac52920255b946ef750777d941a79b 4092756 gnumeric-doc_1.8.3-5+lenny1_all.deb
 ea1393452745b8b6f3c545e99274e309aae5a727 2438276 gnumeric_1.8.3-5+lenny1_amd64.deb
 1859dfc8f9a2f19b31e98048cfc8e25052391944 160012 gnumeric-plugins-extra_1.8.3-5+lenny1_amd64.deb
Checksums-Sha256: 
 661c7520903d959e6fec9b34390f870ebf6c2ec7176c6eb9d51058cbc9e9788d 1846 gnumeric_1.8.3-5+lenny1.dsc
 6cfda7ec35db90172f5b5770cc4cd58fd18f5b21021f5149a61b333c05606b8c 18444243 gnumeric_1.8.3.orig.tar.gz
 ef61a71eec2bb55e5b50f75cf248ef422774b1c8bdbb50001dff4041af7ea2fa 133428 gnumeric_1.8.3-5+lenny1.diff.gz
 210ba2a879cf1542db603fdc3f42536a770f630378c14f11ec6d72525ced3f28 5266518 gnumeric-common_1.8.3-5+lenny1_all.deb
 cd77628cf3b65fc480db00b968a8c79ca45f2a250ebec61151de87fd0f2412e6 4092756 gnumeric-doc_1.8.3-5+lenny1_all.deb
 0cfa78c75add89e650630785ed09e72fca7387c2f209e8d9ec2260e19f68da06 2438276 gnumeric_1.8.3-5+lenny1_amd64.deb
 9f2ff299a4f5c38e5d552c6768f7f716da18847e43a5452ddc4f1b4eb992c835 160012 gnumeric-plugins-extra_1.8.3-5+lenny1_amd64.deb
Files: 
 377cf6b431c0004d8ef4f4cc4fbec364 1846 math optional gnumeric_1.8.3-5+lenny1.dsc
 64721d3c0d48ffeb5bf721315682cdcd 18444243 math optional gnumeric_1.8.3.orig.tar.gz
 f19ea8628fa54879b6217ccf081ac73e 133428 math optional gnumeric_1.8.3-5+lenny1.diff.gz
 70efdf09d1b3887cdbb1a140902dcacc 5266518 math optional gnumeric-common_1.8.3-5+lenny1_all.deb
 415e25e05c0a74ce65a506bcfa7ebaf0 4092756 doc optional gnumeric-doc_1.8.3-5+lenny1_all.deb
 016a07bcad84334cc9bf6ff898b81173 2438276 math optional gnumeric_1.8.3-5+lenny1_amd64.deb
 1c6def4edbac607542173b272d3aeae4 160012 math optional gnumeric-plugins-extra_1.8.3-5+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmMlRsACgkQHYflSXNkfP9QiACbBsnd5im03RdikIHD9RomrDzW
+44AoKMqlAbRvkeR53ub4yLuYRWVBtM8
=st77
-----END PGP SIGNATURE-----



--- End Message ---
