Your message dated Mon, 27 Jan 2014 18:45:16 +0000
with message-id <[email protected]>
and subject line Bug#736247: fixed in pyxdg 0.25-4
has caused the Debian Bug report #736247,
regarding python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
(CVE-2014-1624)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
736247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-xdg
Version: 0.25-3
Severity: important
Tags: security
xdg.BaseDirectory.get_runtime_dir(strict=False) is prone to symlink
attacks. A malicious local user could do the following:
1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a
directory owned by the victim, say /home/victim.
2) Wait until the victim calls get_runtime_dir(strict=False), which
succeeds and returns "/tmp/pyxdg-runtime-dir-fallback-victim".
3) Switch the symlink to point to a directory of their choice.
--
Jakub Wilk
--- End Message ---
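The three-step scenario in the report above, run against a minimal reconstruction of the vulnerable fallback pattern and against a hardened one. This is an added example, not pyxdg's own code or the upstream patch: the function names `insecure_fallback_dir`, `secure_fallback_dir` and `demonstrate` are hypothetical, a scratch directory stands in for /tmp, and the directory name only mirrors the `pyxdg-runtime-dir-fallback-<user>` form quoted in the report. The hardened variant creates the directory with `mkdir(0o700)` and then checks the entry itself with `lstat`, refusing a symlink, a non-directory, a foreign owner or a loose mode.

```python
import os
import stat
import tempfile

# Hypothetical names; not the API of the pyxdg library.
PREFIX = "pyxdg-runtime-dir-fallback-"


def insecure_fallback_dir(base, user):
    """Pattern the report describes: trust whatever already sits at the path.

    os.path.exists() follows symlinks, so an attacker-planted symlink counts
    as "already created" and is handed back to the caller as the runtime dir.
    """
    path = os.path.join(base, PREFIX + user)
    if not os.path.exists(path):
        os.mkdir(path, 0o700)
    return path


def secure_fallback_dir(base, user):
    """Create-then-verify: never follow a symlink and accept only our own 0700 dir.

    Once a real directory owned by the caller exists under a sticky /tmp, other
    local users cannot remove or rename it, so passing these checks means the
    caller keeps exclusive control of the path.
    """
    path = os.path.join(base, PREFIX + user)
    try:
        os.mkdir(path, 0o700)          # atomic: fails with EEXIST if anything is there
    except FileExistsError:
        pass
    st = os.lstat(path)                # inspect the entry itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError("refusing symlink at %s" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not us" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise RuntimeError("%s has mode %o, expected 0700" % (path, stat.S_IMODE(st.st_mode)))
    return path


def demonstrate():
    """Play the report's scenario in a scratch tree (constructed; nothing touches /tmp)."""
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.join(scratch, "tmp")            # stands in for /tmp
        victim_home = os.path.join(scratch, "home_victim")
        os.mkdir(base)
        os.mkdir(victim_home)

        # Step 1: the attacker plants a symlink under the predictable name,
        # pointing at a directory the victim owns.
        link = os.path.join(base, PREFIX + "victim")
        os.symlink(victim_home, link)

        # Step 2: the victim calls the vulnerable fallback; it "succeeds" and
        # returns the attacker's symlink, which resolves into the victim's home.
        returned = insecure_fallback_dir(base, "victim")
        followed = os.path.realpath(returned) == os.path.realpath(victim_home)

        # The hardened variant sees the symlink with lstat and refuses it.
        try:
            secure_fallback_dir(base, "victim")
            refused = False
        except RuntimeError:
            refused = True

        # With no symlink in the way it creates a private directory of its own.
        os.unlink(link)
        fresh = secure_fallback_dir(base, "victim")
        st = os.lstat(fresh)
        private = (stat.S_ISDIR(st.st_mode)
                   and stat.S_IMODE(st.st_mode) == 0o700
                   and st.st_uid == os.getuid())

        return {
            "insecure_followed_symlink": followed,
            "secure_refused_symlink": refused,
            "secure_created_private_dir": private,
        }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print("%-28s %s" % (name, value))
```

Step 3 of the report (re-pointing the symlink after the call returns) is why a post-hoc `os.path.isdir()` check is not enough: the check and the use are separated in time. Creating the directory yourself and then verifying the entry with `lstat` closes that window, because after a successful `mkdir` the entry is a real directory you own, and a sticky-bit /tmp stops other users from swapping it out.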
--- Begin Message ---
Source: pyxdg
Source-Version: 0.25-4
We believe that the bug you reported is fixed in the latest version of
pyxdg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <[email protected]> (supplier of updated pyxdg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 Jan 2014 13:11:18 -0500
Source: pyxdg
Binary: python-xdg python3-xdg
Architecture: source all
Version: 0.25-4
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Andrew Starr-Bochicchio <[email protected]>
Description:
python-xdg - Python 2 library to access freedesktop.org standards
python3-xdg - Python 3 library to access freedesktop.org standards
Closes: 736247
Changes:
pyxdg (0.25-4) unstable; urgency=high
.
* Backport upstream patch that fixes the insecure use
of /tmp in xdg.BaseDirectory.get_runtime_dir(strict=False)
(Closes: #736247). Fixes CVE-2014-1624.
* Bump Standards-Version to 3.9.5, no changes needed.
Checksums-Sha1:
deb47c02ca8ac2492e5acd46ede34e771d2650bb 2158 pyxdg_0.25-4.dsc
89dbb325febd1eeb6ca8dcb604546e433882c093 7540 pyxdg_0.25-4.debian.tar.xz
78ca5512a75cb0a8dd87ad8a0c358209eb1c3a96 35830 python-xdg_0.25-4_all.deb
928cf1f896d07ab64f4121ede4cbb8c2f8f498e3 35704 python3-xdg_0.25-4_all.deb
Checksums-Sha256:
48d2f0d114f4301553e6f7d2e8d3a363bd3e87301b76a5b7da0b8b0e9ba81676 2158 pyxdg_0.25-4.dsc
9e5e910cfed45b24d84333822942c3a5cd7789edd7faa42d63e2a74c6362ae8a 7540 pyxdg_0.25-4.debian.tar.xz
bf411749871920adad44baef60e4473b7ea78f752d2b5a3c39fb4a4cf56b6428 35830 python-xdg_0.25-4_all.deb
a02a51a926db694dc1d13a219d0bb79895b0bd4121ebb72cc4a8f3a70386d248 35704 python3-xdg_0.25-4_all.deb
Files:
bce67d13c311d00c421d8902da253a9c 2158 python optional pyxdg_0.25-4.dsc
4aec393f4147f38ef6703cb7ea3537ee 7540 python optional pyxdg_0.25-4.debian.tar.xz
a3886d34a2f1476c78b1885a49dd27f2 35830 python optional python-xdg_0.25-4_all.deb
731ab56dffb234558a53b306ce3cad05 35704 python optional python3-xdg_0.25-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

=AkMO
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team