Your message dated Wed, 11 Nov 2015 11:21:01 +0000
with message-id <[email protected]>
and subject line Bug#798863: fixed in svn-workbench 1.7.0-1
has caused the Debian Bug report #798863,
regarding CVE-2015-0853: insecure use of os.system()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
798863: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798863
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: svn-workbench
Version: 1.6.8-2.1
Severity: grave
Tags: security upstream
Justification: user security hole

SYNOPSIS:

If a user was tricked into using the "Command Shell" menu item while in a
directory with a specially-crafted name, svn-workbench would execute
arbitrary commands with the permissions of the user.

STEPS TO REPRODUCE:

1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a project in svn-workbench
2. Checkout the project
3. Navigate to "trunk/$(xeyes)"
4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:

    def ShellOpen( app, project_info, filename ):
        app.log.info( T_('Open %s') % filename )
        cur_dir = os.getcwd()
        try:
            wb_platform_specific.uChdir( project_info.getWorkingDir() )
            # the interpolated string is handed to /bin/sh, so shell
            # metacharacters in filename are interpreted, not passed through
            os.system( "xdg-open '%s'" % filename )
        finally:
            wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as using
subprocess.call().
--- End Message ---
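The report above reproduces the bug through the "Command Shell" item; the code it quotes is ShellOpen, where the single quotes wrapped around %s keep a plain $(xeyes) literal, but a name that itself contains a single quote closes them and the substitution runs. The following is an added example, not svn-workbench's code: it builds the command the same way, runs it through a real /bin/sh the way os.system() does, and compares that with a shlex.quote()'d shell string and with the argv-list form the reporter asks for. `echo` stands in for xdg-open so it runs without a desktop, `touch` of a marker file is the harmless stand-in for xeyes, and the payloads, MARKER and the function names are all constructed here.

```python
"""Shell injection via os.system() string interpolation, and the fixed forms.

Added example, not svn-workbench's code.  `echo` stands in for xdg-open and a
touched marker file is the observable side effect of an injected command.
"""
import os
import shlex
import subprocess
import tempfile

MARKER = "injected.marker"  # constructed: created only if $(...) really ran

# Constructed payloads.  The first mirrors the report's "$(xeyes)" directory
# name; the second adds a single quote to close the '%s' wrapper in ShellOpen.
PLAIN_PAYLOAD = "$(touch %s)" % MARKER
QUOTE_PAYLOAD = "'$(touch %s)'" % MARKER


def vulnerable_command(filename, opener="xdg-open"):
    """Builds the command string exactly as the 1.6.8 ShellOpen code did."""
    return "%s '%s'" % (opener, filename)


def vulnerable_open(filename, opener="xdg-open", cwd=None):
    """os.system() equivalent: the whole string is parsed by /bin/sh -c."""
    return subprocess.run(vulnerable_command(filename, opener), shell=True,
                          cwd=cwd, capture_output=True, text=True)


def quoted_open(filename, opener="xdg-open", cwd=None):
    """Still a shell, but the name is escaped with shlex.quote().  Adequate
    only when a shell is unavoidable (e.g. a user-configurable command line)."""
    cmd = "%s %s" % (opener, shlex.quote(filename))
    return subprocess.run(cmd, shell=True, cwd=cwd,
                          capture_output=True, text=True)


def fixed_open(filename, opener="xdg-open", cwd=None):
    """The fix the report asks for: an argv list and no shell, so the name
    reaches the opener as one literal argument.  cwd= also replaces the
    process-wide chdir()/chdir() dance in the original."""
    return subprocess.run([opener, filename], cwd=cwd,
                          capture_output=True, text=True)


def run_demo(opener_fn, filename):
    """Run opener_fn on `filename` inside a fresh temporary directory.

    Returns (marker_created, text_seen_by_opener): the first is True only if
    the payload's command substitution executed; the second is what the
    stand-in opener actually received as its argument.
    """
    with tempfile.TemporaryDirectory() as d:
        result = opener_fn(filename, opener="echo", cwd=d)
        created = os.path.exists(os.path.join(d, MARKER))
    return created, result.stdout.rstrip("\n")


if __name__ == "__main__":
    for name, fn in (("os.system-style", vulnerable_open),
                     ("shlex.quote", quoted_open),
                     ("argv list", fixed_open)):
        for payload in (PLAIN_PAYLOAD, QUOTE_PAYLOAD):
            created, seen = run_demo(fn, payload)
            print("%-16s %-28r injected=%-5s opener saw %r"
                  % (name, payload, created, seen))
```

Running it shows the two halves of the story: with the plain payload the original single quotes hold and echo receives the literal `$(touch injected.marker)`, but with the quote-escaping payload the os.system-style form executes `touch` and the opener receives an empty argument, while both the shlex.quote() string and the argv list deliver the name unchanged and create nothing. Passing the list and letting subprocess resolve the program via PATH is the form to prefer; shlex.quote() is the fallback only where a shell string is genuinely required.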
--- Begin Message ---
Source: svn-workbench
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
svn-workbench, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <[email protected]> (supplier of updated svn-workbench package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Nov 2015 20:10:08 +0900
Source: svn-workbench
Binary: svn-workbench
Architecture: source all
Version: 1.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Hideki Yamane <[email protected]>
Changed-By: Hideki Yamane <[email protected]>
Description:
 svn-workbench - Workbench for Subversion
Closes: 798863
Changes:
 svn-workbench (1.7.0-1) unstable; urgency=medium
 .
   * New upstream release
     - include fix for CVE-2015-0853: insecure use of os.system()
       (Closes: #798863)
   * debian/patches
     - drop: unnecessary force_wx2.8.patch, since upstream explicitly chose
       2.8 and 3.0; specifying minimum version 2.8 is not enough.
     - refresh patches
   * debian/rules
     - just ignore configure
     - remove unnecessary --with python2
Checksums-Sha1:
 c7a2653ba19a26cb87bbd6c0bee8c1bccdf905f0 1892 svn-workbench_1.7.0-1.dsc
 94bf35d420ffb9d9bdfd6290b139b7151b391e89 608898 svn-workbench_1.7.0.orig.tar.gz
 d029c58b19e4b88dc19ae4e8767a5740bb4dd5d6 5980 svn-workbench_1.7.0-1.debian.tar.xz
 a045f7644ec6534ab1a8ded552688f407d90d875 503036 svn-workbench_1.7.0-1_all.deb
Checksums-Sha256:
 151f25f1fe5e9e9b9d49859aaa62cb1d147e244616ae73848db1dab4b107c1b3 1892 svn-workbench_1.7.0-1.dsc
 a2c7aece2b9755c9971dac9e977e72ed0a48944c7712373ee96328d2ffb0b60a 608898 svn-workbench_1.7.0.orig.tar.gz
 bdfb5e92ff5d684ae9b18e633d39baa1aba12973d74cb28cc3b46b7c7076597d 5980 svn-workbench_1.7.0-1.debian.tar.xz
 d3213eb97663c4aff4d5c3fcefe95eefb93d71c568f92b65f3262308d9fd0ffb 503036 svn-workbench_1.7.0-1_all.deb
Files:
 b9bc5b28e99fdc0471ff8b0b68c1e508 1892 devel optional svn-workbench_1.7.0-1.dsc
 d7ae77673faf67757a17515af3e3faf4 608898 devel optional svn-workbench_1.7.0.orig.tar.gz
 f10cbca476ded324681f41ce17fcbb16 5980 devel optional svn-workbench_1.7.0-1.debian.tar.xz
 a18b33d3eab79725f097439868866bd4 503036 devel optional svn-workbench_1.7.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWQyKFAAoJEF0yjQgqqrFAmGsQALbE+G7me6PnIACumU3X2aUr
JbvWI2a3GJcOSNRqbwn4jZ2boO4pFAM4DTIa6vpfZtV0LESXNKG5fSNhc1hMyg4j
fBWOxs187R9MA01jdqsQz9YG36/ijINq2p9GeMMQDF2XeX6ITjQGX2AXCQezQbMO
mM7BbcXg0Wa0Q6eyqxGhQrzytSwz/HrNDzcjcxKHpF6+Xm275oiP7gVzG1zApN3r
bXpm473d7rqmbPjT80+PbPRWSBNnkQIUrPW8FJu5fVHbUuMIdQ70TCkWB8is2Ial
QffQ/tv0Dbb0k7lVcdSzOIeLHVrR7zxw0Q3N7GC7V/HDt4izkdxkwipxmHZYKbNE
05Y1F++28TmoysTHAbO/WZP2HeZRwR9QCBlI6Zi7KTx3c/Yppdi58qSPehjSg97B
0vh9Q1L742GPXarmwf0a/YjNuHmyFcquqdrlT9mLYoVrowpYGPsgFSHUCuM2CfyE
Ig3jbBi4C5kWEPwZJVYhhFiN+mzLkpuf1XAOr2sA31ctBXdv2vJO8i4kWyRnJfpp
u5b2EYYk6YyONwCYEmhh5EddWIo0e55MGN4j9Tx1BCUHV709DULyPnFYaqko1y89
lg4hSFQni7088nFPuUrscrN+VlkxlUs5gbBUttJDJ9jLS1N/beD1NaYgfzRTO741
axrIJqzhNL2zHFUiqTYH
=Q/pQ
-----END PGP SIGNATURE-----
--- End Message ---

