Your message dated Sat, 29 Nov 2014 15:22:39 +0000
with message-id <[email protected]>
and subject line Bug#770692: fixed in pyopencl 2014.1-3
has caused the Debian Bug report #770692,
regarding python-pyopencl: Insecure temporary file creation for kernel cache
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
770692: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770692
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-pyopencl
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,
PyOpenCL creates a cache of compiled kernels in a predictable location in the
temporary directory. Assuming a system-wide /tmp, an attacker can exploit this.
This allows for arbitrary code execution on OpenCL devices (which could be a
CPU); the cache also contains a Python pickle file, which may allow another
route to arbitrary code execution.
https://github.com/pyopencl/pyopencl/pull/68 contains an upstream patch to fix
the issue by storing the cache in the XDG per-user cache directory instead of
the temporary temporary.
I happen to be running Ubuntu Trusty on the machine where I first discovered
this, but it presumably affects any UNIX system with a shared system temporary
directory.
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500,
'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13.0-39-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: pyopencl
Source-Version: 2014.1-3
We believe that the bug you reported is fixed in the latest version of
pyopencl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tomasz Rybak <[email protected]> (supplier of updated pyopencl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 29 Nov 2014 11:43:47 +0100
Source: pyopencl
Binary: python-pyopencl python-pyopencl-dbg python3-pyopencl
python3-pyopencl-dbg python-pyopencl-doc
Architecture: source amd64 all
Version: 2014.1-3
Distribution: unstable
Urgency: medium
Maintainer: Tomasz Rybak <[email protected]>
Changed-By: Tomasz Rybak <[email protected]>
Description:
python-pyopencl - Python module to access OpenCL parallel computation API
python-pyopencl-dbg - Python module to access OpenCL API (debug extensions)
python-pyopencl-doc - module to access OpenCL parallel computation API
(documentation)
python3-pyopencl - Python 3 module to access OpenCL parallel computation API
python3-pyopencl-dbg - Python 3 module to access OpenCL API (debug extensions)
Closes: 770692
Changes:
pyopencl (2014.1-3) unstable; urgency=medium
.
* Add dependency to appdirs and use it to create cache directories
(Closes: #770692).
* Update Standards-Version to 3.9.6; no changes necessary.
Checksums-Sha1:
95c9e090b278c974caa4cfcaeb1ac78c48158b92 2530 pyopencl_2014.1-3.dsc
bab08938600546cf800fd3a7e7f34b626207f74d 11360 pyopencl_2014.1-3.debian.tar.xz
aa5265d39e371911fccc63e965b2c339bf3ce0f9 355648
python-pyopencl_2014.1-3_amd64.deb
b586b016c2dc25e6a61e5739d7011228bb17883c 6260732
python-pyopencl-dbg_2014.1-3_amd64.deb
f2c05dc3d26c910b4fc2d0b5ff1b11e6ee4f0da2 355028
python3-pyopencl_2014.1-3_amd64.deb
f0f004712d3a7b995928986ac08a59dd6aff4375 4872768
python3-pyopencl-dbg_2014.1-3_amd64.deb
7386a0d5612f89aa3404e55a2ea6375b8a03e742 118992
python-pyopencl-doc_2014.1-3_all.deb
Checksums-Sha256:
e023d7334f367c06b8c75bc0d31759baa605caa5bf9b40407aab20d5c6427736 2530
pyopencl_2014.1-3.dsc
21548d78f880bdcd0273fdfecb29bf75690beb649c118635213495e0af9a46cb 11360
pyopencl_2014.1-3.debian.tar.xz
e208bfe9af25e90f69fd4c0d01536d6f08111ce37e69219f7bf4c271a9f64dc2 355648
python-pyopencl_2014.1-3_amd64.deb
95ece5e0d39fd4878e9791d4e39ccc3ddfd5819487c5bfdc6bc19229840c29ef 6260732
python-pyopencl-dbg_2014.1-3_amd64.deb
6e5df66555a0ceed3e7e2a469c65bf97b5fe5f5e21b43986fb367998ff0a390b 355028
python3-pyopencl_2014.1-3_amd64.deb
e4a567c32544ce1ed370ccd2fd95c7ee8a626b30bc82cc65ceeb26ef5a8e23b1 4872768
python3-pyopencl-dbg_2014.1-3_amd64.deb
3db91849a5a293445a32bb7a88695a5fb5c8a07711153086218fe76a18a6f643 118992
python-pyopencl-doc_2014.1-3_all.deb
Files:
bfe824e4f7641ac43e0086bbbf82a3a2 2530 python optional pyopencl_2014.1-3.dsc
d2ed63f387517c3163768ff8ea55cd41 11360 python optional
pyopencl_2014.1-3.debian.tar.xz
b057b3961b4f85fa32cb35504d31b302 355648 python optional
python-pyopencl_2014.1-3_amd64.deb
a96ce75b5b26872a1460a59559354349 6260732 debug extra
python-pyopencl-dbg_2014.1-3_amd64.deb
a59449fb38e2d3bb9bffe8855c8488d6 355028 python optional
python3-pyopencl_2014.1-3_amd64.deb
93c56392b3bf37e918d665f0ea7c592e 4872768 debug extra
python3-pyopencl-dbg_2014.1-3_amd64.deb
0413709e43bb77e1f3eb6c048eece9f3 118992 doc optional
python-pyopencl-doc_2014.1-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUedIcAAoJEMZU+zMq1ZhgkawP/2QS26D6zGBSGKgix8ty9CcS
v9IafuS+PDbw9BMbDbNaEb+4Af4lwZIXGIVugiIldIyNH4EdkDhIBuMoS6Ri8236
w3GY68ioLNdZ2utx7fRQxIeaYBLRTh5KpD6FL3Mw/cZIf4JBsIbLy7epLAwj510I
DtbB45jZIRdZxeA1d0roKDWWX8au7h5H3ZEvpBZP6gxhm4wupE9Ss8IqRxCfMimJ
WlvMycAQp12yUSTRY4QvGI/G3x+hII0GzrUDTAqx6jWGQgx9ZE80gxwaJJzgvZI9
kxCkb3MCE/siVLyKt8L8nfcLKTaMGEMNwE7YO8DvJJETtpVfTFJDBeIgrJpGyZ9G
qMoZUpcoR+EqOoTmIYGdf4OqBAkOjkk1xRLedzBWkhECeUvL+dR7uas1hfWTyuS4
/hxrSxu789YMvKxWuPjNCqVm87U96xGUla0qVf79Ew1zcqo4eunKdGobcgW589dJ
UwNEiTu4zLs0J+oGgX2mOWXxpVm0APBxqvctvyCtcqv9vTWVI370YdXpyOZ/Br+L
3DZd8FRHrty/6YbVkWff9KvMj7uh7zZaH3fZq0da2DWz4YVmv1blZvdVVrveha6O
7aDJWj5UwrBC3/Koh9O7mII5TTrExMpfRVNCjFIISdJTHBPIaH8WXKIvHRnHfcHW
tdIlVOqrfyWNUsi4mPX7
=h+5X
-----END PGP SIGNATURE-----
--- End Message ---