Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hello, there is a low-impact security issue in python-dbusmock, which is described in detail on https://launchpad.net/bugs/1453815. I originally prepared a stable-security upload, but the security team (CC'ed Salvatore) asked this to be handled as a normal stable update instead. So I filed https://bugs.debian.org/786858 with a summary and proper version tracking, and uploaded python-dbusmock 0.11.4-1+deb8u1 to stable with the backported fix. This is fixed in 0.15.1-1 in testing/unstable, oldstable does not have python-dbusmock. Thanks, Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff -Nru python-dbusmock-0.11.4/debian/changelog python-dbusmock-0.11.4/debian/changelog
--- python-dbusmock-0.11.4/debian/changelog 2014-09-22 10:26:41.000000000 +0200
+++ python-dbusmock-0.11.4/debian/changelog 2015-05-26 09:26:24.000000000 +0200
@@ -1,3 +1,20 @@
+python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium
+
+ * SECURITY FIX: When loading a template from an arbitrary file through the
+ AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
+ Python method, don't create or use Python's *.pyc cached files. By
+ tricking a user into loading a template from a world-writable directory
+ like /tmp, an attacker could run arbitrary code with the user's
+ privileges by putting a crafted .pyc file into that directory.
+
+ Note that this is highly unlikely to actually appear in practice as custom
+ dbusmock templates are usually shipped in project directories, not
+ directly in world-writable directories.
+ (Closes: #786858, LP: #1453815, CVE-2015-1326)
+ * Add debian/gbp.conf for "jessie" packaging branch.
+
+ -- Martin Pitt <mpitt@debian.org> Tue, 26 May 2015 09:26:11 +0200
+
 python-dbusmock (0.11.4-1) unstable; urgency=medium
 
 * New upstream bug fix release.
diff -Nru python-dbusmock-0.11.4/debian/gbp.conf python-dbusmock-0.11.4/debian/gbp.conf
--- python-dbusmock-0.11.4/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/gbp.conf 2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff -Nru python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch
--- python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch 2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1,75 @@
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Mon, 11 May 2015 16:00:10 +0200
+Subject: SECURITY FIX: Prevent code execution through crafted pyc files
+
+When loading a template from an arbitrary file through the AddTemplate() D-Bus
+method call or DBusTestCase.spawn_server_template() Python method, don't create
+or use Python's *.pyc cached files.By tricking a user into loading a template
+from a world-writable directory like /tmp, an attacker could run arbitrary code
+with the user's privileges by putting a crafted .pyc file into that directory.
+
+Note that this is highly unlikely to actually appear in practice as custom
+dbusmock templates are usually shipped in project directories, not directly in
+world-writable directories.
+
+Thanks to Simon McVittie for discovering this!
+
+LP: #1453815
+CVE-2015-1326
+---
+ dbusmock/mockobject.py | 13 +++++--------
+ tests/test_api.py | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/dbusmock/mockobject.py b/dbusmock/mockobject.py
+index 0228070..6d35608 100644
+--- a/dbusmock/mockobject.py
++++ b/dbusmock/mockobject.py
+@@ -17,6 +17,7 @@ import time
+ import sys
+ import types
+ import importlib
++import imp
+ from xml.etree import ElementTree
+ 
+ # we do not use this ourselves, but mock methods often want to use this
+@@ -40,14 +41,10 @@ if sys.version_info[0] >= 3:
+ 
+ def load_module(name):
+ if os.path.exists(name) and os.path.splitext(name)[1] == '.py':
+- sys.path.insert(0, os.path.dirname(os.path.abspath(name)))
+- try:
+- m = os.path.splitext(os.path.basename(name))[0]
+- module = importlib.import_module(m)
+- finally:
+- sys.path.pop(0)
+-
+- return module
++ mod = imp.new_module(os.path.splitext(os.path.basename(name))[0])
++ with open(name) as f:
++ exec(f.read(), mod.__dict__, mod.__dict__)
++ return mod
+ 
+ return importlib.import_module('dbusmock.templates.' + name)
+ 
+diff --git a/tests/test_api.py b/tests/test_api.py
+index 57f0a62..7b8c126 100644
+--- a/tests/test_api.py
++++ b/tests/test_api.py
+@@ -582,6 +582,16 @@ def load(mock, parameters):
+ self.addCleanup(p_mock.terminate)
+ self.addCleanup(p_mock.stdout.close)
+ 
++ # ensure that we don't use/write any .pyc files, they are dangerous
++ # in a world-writable directory like /tmp
++ self.assertFalse(os.path.exists(my_template.name + 'c'))
++ try:
++ from importlib.util import cache_from_source
++ self.assertFalse(os.path.exists(cache_from_source(my_template.name)))
++ except ImportError:
++ # python < 3.4
++ pass
++
+ self.assertEqual(dbus_ultimate.Answer(), 42)
+ 
+ # should appear in introspection
diff -Nru python-dbusmock-0.11.4/debian/patches/series python-dbusmock-0.11.4/debian/patches/series
--- python-dbusmock-0.11.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/patches/series 2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1 @@
+0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch
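Review bot: In the rewritten `load_module` (second hunk of the nested mockobject.py patch), `exec(f.read(), mod.__dict__, mod.__dict__)` compiles the template under the filename `<string>`, so a traceback raised inside a template no longer names the template file, and the new module gets no `__file__` although the `importlib.import_module` path it replaces provided one. The text-mode `open(name)` also decodes with the locale encoding instead of a PEP 263 coding declaration, which `compile()` honours when given bytes, so reading the file in binary and compiling it with `name` as the filename addresses both points. Since `import types` is already present three lines above the added `import imp`, `types.ModuleType(...)` yields the same empty module without the `imp` module, which is deprecated on Python 3.4, and the new import can be dropped. Executing the source directly, as the hunk does, is the right way to keep a stray `.pyc` out of the picture; `load_module` is complete within this hunk.
```python
def load_module(name):
    if os.path.exists(name) and os.path.splitext(name)[1] == '.py':
        # Execute the template source directly: never consult or write a
        # .pyc/__pycache__ entry next to it. Compile from bytes under the
        # real path so tracebacks name the template and a PEP 263 coding
        # declaration is honoured.
        mod = types.ModuleType(os.path.splitext(os.path.basename(name))[0])
        mod.__file__ = name
        with open(name, 'rb') as f:
            code = compile(f.read(), name, 'exec')
        exec(code, mod.__dict__, mod.__dict__)
        return mod

    # … unchanged: import of the bundled dbusmock.templates module …
```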
Attachment:
signature.asc
Description: Digital signature