Your message dated Wed, 25 Apr 2012 21:02:50 +0000
with message-id <e1sn9mq-0003te...@franck.debian.org>
and subject line Bug#663217: fixed in nmap 5.51.6-0.1
has caused the Debian Bug report #663217,
regarding zenmap's sys.path includes /tmp locations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
663217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zenmap
Version: 5.21-1.1
Severity: grave
Tags: security

the zenmap script modifies its sys.path to include
'/tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/', which is
inserted at build time from setup.py.

as /tmp/nmap-5.21 is not present and therefore not protected on systems
where zenmap is deployed, any user can create python scripts there. when
another more privileged user (eg root, which zenmap recommends) runs
zenmap, it runs import statements not guaranteed to be present in
earlier places in the python path (eg hildon in zenmapCore/UmitConf.py),
thus executing foreign code.

example:

$ mkdir -p /tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/
$ echo "open('/usr/fnord', 'w'); raise ImportError" > /tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/hildon.py
$ sudo zenmap
(just exit again)
$ ls /usr/fnord
/usr/fnord

remedy:

remove the set_modules_path invocation from setup.py (zenmap built and
worked without that call on my machine). the issue should be forwarded
to upstream too, because while it will not be critical with typical
installations (which are built without the destdir/installdir
discrepancy present in debian), other distributions might face similar
problems, and the whole sys.path hackery is bad practice anyway imho.

creating a bug in the bts (as opposed to reporting only to the security
team) as suggested in the reply i received to my original message to
them.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages zenmap depends on:
ii  nmap              5.21-1.1
ii  python            2.7.2-10
ii  python-central    0.6.17
ii  python-gobject    3.1.0-2
ii  python-gtk2       2.24.0-3
ii  python-pysqlite2  2.6.3-2

Versions of packages zenmap recommends:
ii  gksu  2.0.2-6

zenmap suggests no packages.

-- no debconf information



--- End Message ---
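
Added example (not part of the original report and not nmap/zenmap code): a check a packager or administrator could run to find sys.path entries of the kind reported above, i.e. entries that do not exist or that sit below a directory other local users can write to. The function names and the trust policy (root and the current user are trusted; any group or other write bit counts as untrusted) are assumptions of this example.

```python
import os
import stat
import sys


def audit_entry(entry, trusted_uids=None):
    """Return (directory, reason) pairs showing where another local user
    could plant modules for this import path entry; [] means none found."""
    # Assumed policy: only root and the effective user are trusted owners.
    trusted = {0, os.geteuid()} if trusted_uids is None else set(trusted_uids)
    path = os.path.realpath(entry or os.getcwd())  # '' in sys.path means cwd
    # A leftover build path usually does not exist on the installed system:
    # climb to the nearest ancestor that does.
    while not os.path.exists(path):
        path = os.path.dirname(path)
    findings = []
    # At the first level, merely creating a new name is enough: either a
    # module inside the entry, or the missing directories leading to it.
    create_hurts = True
    while True:
        st = os.stat(path)
        others_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky = st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted:
            findings.append((path, "owned by untrusted uid %d" % st.st_uid))
        elif others_write and create_hurts:
            findings.append((path, "others can create files or directories here"))
        elif others_write and not sticky:
            # Without the sticky bit an existing child can be renamed away.
            findings.append((path, "others can replace existing entries here"))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            return findings
        path, create_hurts = parent, False


def audit_sys_path(paths=None):
    """Audit every entry of sys.path (or the given list of entries)."""
    entries = sys.path if paths is None else paths
    return [(e, d, why) for e in entries for d, why in audit_entry(e)]


if __name__ == "__main__":
    for entry, directory, why in audit_sys_path():
        print("%r: %s (%s)" % (entry, directory, why))
```

The group-write test is deliberately strict and will also flag directories that a distribution intentionally leaves group-writable, so review such hits rather than treating them all as defects.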
--- Begin Message ---
Source: nmap
Source-Version: 5.51.6-0.1

We believe that the bug you reported is fixed in the latest version of
nmap, which is due to be installed in the Debian FTP archive:

nmap_5.51.6-0.1.diff.gz
  to main/n/nmap/nmap_5.51.6-0.1.diff.gz
nmap_5.51.6-0.1.dsc
  to main/n/nmap/nmap_5.51.6-0.1.dsc
nmap_5.51.6-0.1_amd64.deb
  to main/n/nmap/nmap_5.51.6-0.1_amd64.deb
nmap_5.51.6.orig.tar.gz
  to main/n/nmap/nmap_5.51.6.orig.tar.gz
zenmap_5.51.6-0.1_amd64.deb
  to main/n/nmap/zenmap_5.51.6-0.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <ben...@debian.org> (supplier of updated nmap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 18 Apr 2012 21:54:53 +0200
Source: nmap
Binary: nmap zenmap
Architecture: source amd64
Version: 5.51.6-0.1
Distribution: sid
Urgency: low
Maintainer: Hilko Bengen <ben...@debian.org>
Changed-By: Hilko Bengen <ben...@debian.org>
Description: 
 nmap       - The Network Mapper
 zenmap     - The Network Mapper Front End
Closes: 358336 616917 630144 663217
Changes: 
 nmap (5.51.6-0.1) unstable; urgency=low
 .
   * Non-maintainer upload
   * New upstream version (Closes: #630144)
   * Added watch file
   * Simplified debian/*.files, added translated manpages (Closes: #358336)
   * Added Python dependency for ndiff to nmap package
   * Removed empty postinst, prerm scripts
   * No longer append the build directory to zenmap's sys.path (Closes: #663217)
   * Use dh_python2 instead of dh_pycentral. Thanks to Arthur de Jong for
     the patch. Closes: #616917

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+PIZ4ACgkQUCgnLz/SlGi8NgCfelGTnt0OXl7srd/jekrkeJMe
TIYAnRB3xcl0Cnjo39yLPwG0U1MURRFS
=gjOZ
-----END PGP SIGNATURE-----



--- End Message ---
