Hi,

For my sins I'm the maintainer of the Debian package of Sage. I'm looking at fixing the security bug that was recently reported [1]. Both of your names were mentioned in [2] as reporting the bug.

I'm looking to either prepare my own patch, in which case a test case and some advice would be extremely helpful, or ideally verify and apply an existing patch. I've read through the two sets of slides at [3], but there doesn't seem to be much detail on the actual exploit or a test case. There are some references online to 'the author [of sage] being made aware of patches', but nothing public that I can find.

Q: Is this a regression of the 2006 vulnerability [4]? Are there more problems I should be aware of besides that?

Q: How would you suggest dealing with this?

Thanks,
Alan

P.S. If you want to discuss this privately I can send/receive PGP encrypted mails to my @debian.org address using the key in the Debian keyring.

[1] http://bugs.debian.org/559267
[2] http://www.securityfocus.com/bid/37120
[3] http://malerisch.net/docs/security_docs.html
[4] http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/