[Pkg-privacy-maintainers] Bug#858058: mat: "Clean metadata" contextual menu silently fails
intrigeri
intrigeri at debian.org
Sat Mar 18 08:59:23 UTC 2017
Control: user tails-dev at boum.org
Control: usertag -1 + misc-reported
Control: usertag -1 + for-stretch
Hi,
sajolida:
> Steps to reproduce in GNOME:
Good catch, thanks! Reproduced on current sid. The Journal tells me:
org.gnome.Nautilus[5383]: Traceback (most recent call last):
org.gnome.Nautilus[5383]: File "/usr/share/nautilus-python/extensions/nautilus-mat.py", line 80, in menu_activate_cb
org.gnome.Nautilus[5383]: if file.is_gone():
org.gnome.Nautilus[5383]: AttributeError: type object 'file' has no attribute 'is_gone'
The root cause of the problem seems obvious to me, and I'm working on
a fix upstream as we speak.
> I'm flagging this as "important" for the time being but I think that
> it's a serious security issue since people might have got used to cleaning
> metadata from backup file in comparison with the version in Jessie. So,
> in my opinion, and if I understood correctly, this renders MAT useless
> for probably most of its actual uses.
It's not obvious to me that most MAT users use it via the Nautilus
contextual menu: the package also provides a CLI and a GUI, and not
everyone uses GNOME and Nautilus. So I'm a bit unsure about bumping
the severity to RC.
Now, on the grounds that it's a very real security issue, I will
definitely handle this with high priority (ensure 1. the new upstream
maintainer requests a CVE; 2. this is fixed in Stretch; 3.
counter-measures are put in place upstream and in Debian so this kind
of issue never lands in a released package anymore).
Cheers,
--
intrigeri
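
The Journal output quoted in the message above is where this silent failure becomes visible. As an added example (not code from MAT or from this thread), the following Python scans journal text for tracebacks whose innermost frame lies under the nautilus-python extensions directory. `extension_failures` and its record fields are names chosen here, and the parser assumes each frame line is followed by its source line, as in the quoted output.

```python
import re

# The four Journal lines quoted in the message above, plus one constructed
# unrelated line to show that other output is ignored.
SAMPLE_JOURNAL = """\
org.gnome.Nautilus[5383]: Traceback (most recent call last):
org.gnome.Nautilus[5383]: File "/usr/share/nautilus-python/extensions/nautilus-mat.py", line 80, in menu_activate_cb
org.gnome.Nautilus[5383]: if file.is_gone():
org.gnome.Nautilus[5383]: AttributeError: type object 'file' has no attribute 'is_gone'
org.gnome.Shell[1200]: constructed unrelated line
"""

# "unit[pid]: message", optionally preceded by a timestamp/host prefix.
ENTRY = re.compile(r'^(?:.*?\s)?(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$')
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
RAISED = re.compile(r'^(?P<exc>[A-Za-z_][\w.]*): (?P<detail>.*)$')
EXT_DIR = "/usr/share/nautilus-python/extensions/"  # directory seen in the traceback


def extension_failures(journal_text, ext_dir=EXT_DIR):
    """Return one record per traceback whose innermost frame lies under ext_dir."""
    open_tb = {}  # (unit, pid) -> traceback currently being read for that process
    found = []
    for raw in journal_text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue
        key, msg = (entry["unit"], int(entry["pid"])), entry["msg"]
        if msg.startswith("Traceback (most recent call last):"):
            open_tb[key] = {"frame": None, "skip_source": False}
            continue
        state = open_tb.get(key)
        if state is None:
            continue  # not inside a traceback for this process
        frame = FRAME.match(msg)
        if frame:
            state["frame"] = {**frame.groupdict(), "line": int(frame["line"])}
            state["skip_source"] = True  # the next line is the quoted source text
        elif state["skip_source"]:
            state["skip_source"] = False
        else:
            raised = RAISED.match(msg)
            frame = state["frame"]
            if raised and frame and frame["path"].startswith(ext_dir):
                found.append({"unit": key[0], "pid": key[1], **frame, **raised.groupdict()})
            del open_tb[key]  # traceback finished, reported or not
    return found
```

Calling `extension_failures(SAMPLE_JOURNAL)` yields a single record naming `nautilus-mat.py`, line 80, `menu_activate_cb` and the `AttributeError`.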