
Bug#786860: marked as done (jessie-pu: package python-dbusmock/0.11.4-1+deb8u1)



Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #786860,
regarding jessie-pu: package python-dbusmock/0.11.4-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
786860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786860
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

there is a low-impact security issue in python-dbusmock, which is
described in detail on https://launchpad.net/bugs/1453815. I
originally prepared a stable-security upload, but the security team
(CC'ed Salvatore) asked this to be handled as a normal stable update
instead.

So I filed https://bugs.debian.org/786858 with a summary and proper
version tracking, and uploaded python-dbusmock 0.11.4-1+deb8u1 to
stable with the backported fix. This is fixed in 0.15.1-1 in
testing/unstable; oldstable does not have python-dbusmock.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
diff -Nru python-dbusmock-0.11.4/debian/changelog python-dbusmock-0.11.4/debian/changelog
--- python-dbusmock-0.11.4/debian/changelog	2014-09-22 10:26:41.000000000 +0200
+++ python-dbusmock-0.11.4/debian/changelog	2015-05-26 09:26:24.000000000 +0200
@@ -1,3 +1,20 @@
+python-dbusmock (0.11.4-1+deb8u1) stable; urgency=medium
+
+  * SECURITY FIX: When loading a template from an arbitrary file through the
+    AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
+    Python method, don't create or use Python's *.pyc cached files. By
+    tricking a user into loading a template from a world-writable directory
+    like /tmp, an attacker could run arbitrary code with the user's
+    privileges by putting a crafted .pyc file into that directory.
+
+    Note that this is highly unlikely to actually appear in practice as custom
+    dbusmock templates are usually shipped in project directories, not
+    directly in world-writable directories.
+    (Closes: #786858, LP: #1453815, CVE-2015-1326)
+  * Add debian/gbp.conf for "jessie" packaging branch.
+
+ -- Martin Pitt <mpitt@debian.org>  Tue, 26 May 2015 09:26:11 +0200
+
 python-dbusmock (0.11.4-1) unstable; urgency=medium
 
   * New upstream bug fix release.
diff -Nru python-dbusmock-0.11.4/debian/gbp.conf python-dbusmock-0.11.4/debian/gbp.conf
--- python-dbusmock-0.11.4/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/gbp.conf	2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff -Nru python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch
--- python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/patches/0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch	2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1,75 @@
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Mon, 11 May 2015 16:00:10 +0200
+Subject: SECURITY FIX: Prevent code execution through crafted pyc files
+
+When loading a template from an arbitrary file through the AddTemplate() D-Bus
+method call or DBusTestCase.spawn_server_template() Python method, don't create
+or use Python's *.pyc cached files.By tricking a user into loading a template
+from a world-writable directory like /tmp, an attacker could run arbitrary code
+with the user's privileges by putting a crafted .pyc file into that directory.
+
+Note that this is highly unlikely to actually appear in practice as custom
+dbusmock templates are usually shipped in project directories, not directly in
+world-writable directories.
+
+Thanks to Simon McVittie for discovering this!
+
+LP: #1453815
+CVE-2015-1326
+---
+ dbusmock/mockobject.py | 13 +++++--------
+ tests/test_api.py      | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/dbusmock/mockobject.py b/dbusmock/mockobject.py
+index 0228070..6d35608 100644
+--- a/dbusmock/mockobject.py
++++ b/dbusmock/mockobject.py
+@@ -17,6 +17,7 @@ import time
+ import sys
+ import types
+ import importlib
++import imp
+ from xml.etree import ElementTree
+ 
+ # we do not use this ourselves, but mock methods often want to use this
+@@ -40,14 +41,10 @@ if sys.version_info[0] >= 3:
+ 
+ def load_module(name):
+     if os.path.exists(name) and os.path.splitext(name)[1] == '.py':
+-        sys.path.insert(0, os.path.dirname(os.path.abspath(name)))
+-        try:
+-            m = os.path.splitext(os.path.basename(name))[0]
+-            module = importlib.import_module(m)
+-        finally:
+-            sys.path.pop(0)
+-
+-        return module
++        mod = imp.new_module(os.path.splitext(os.path.basename(name))[0])
++        with open(name) as f:
++            exec(f.read(), mod.__dict__, mod.__dict__)
++        return mod
+ 
+     return importlib.import_module('dbusmock.templates.' + name)
+ 
+diff --git a/tests/test_api.py b/tests/test_api.py
+index 57f0a62..7b8c126 100644
+--- a/tests/test_api.py
++++ b/tests/test_api.py
+@@ -582,6 +582,16 @@ def load(mock, parameters):
+             self.addCleanup(p_mock.terminate)
+             self.addCleanup(p_mock.stdout.close)
+ 
++            # ensure that we don't use/write any .pyc files, they are dangerous
++            # in a world-writable directory like /tmp
++            self.assertFalse(os.path.exists(my_template.name + 'c'))
++            try:
++                from importlib.util import cache_from_source
++                self.assertFalse(os.path.exists(cache_from_source(my_template.name)))
++            except ImportError:
++                # python < 3.4
++                pass
++
+         self.assertEqual(dbus_ultimate.Answer(), 42)
+ 
+         # should appear in introspection
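Review bot: in the replacement body of `load_module()`, `imp.new_module(...)` pulls in the `imp` module (deprecated since Python 3.4) even though `types` is already imported three lines above in the context; `types.ModuleType(os.path.splitext(os.path.basename(name))[0])` yields the same empty module object with no new import. Two further points on the same lines: `exec(f.read(), mod.__dict__, mod.__dict__)` produces a module with no `__file__`, so a template that previously used `__file__` to find data next to itself would now raise `NameError`; setting `mod.__file__ = name` before the `exec` keeps that working. And `open(name)` decodes the template with the locale encoding rather than honouring a PEP 263 coding cookie, which reading the file as bytes and passing it through `compile(source, name, 'exec')` would. The new test asserting on both `my_template.name + 'c'` and `cache_from_source(my_template.name)` covers the legacy and `__pycache__` locations, which is the right check for the stated fix.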
diff -Nru python-dbusmock-0.11.4/debian/patches/series python-dbusmock-0.11.4/debian/patches/series
--- python-dbusmock-0.11.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-dbusmock-0.11.4/debian/patches/series	2015-05-26 09:26:24.000000000 +0200
@@ -0,0 +1 @@
+0001-SECURITY-FIX-Prevent-code-execution-through-crafted-.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.

Regards,

Adam

--- End Message ---
