[Python-modules-team] Bug#786858: [CVE-2015-1326] python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp

Martin Pitt mpitt at debian.org
Tue May 26 07:19:02 UTC 2015


Package: python3-dbusmock
Version: 0.11.4-1
Tags: patch

Forwarding mail to security team as a bug, as Salvatore Bonaccorso
prefers handling this via a stable update.


Simon McVittie found a potentially exploitable bug with loading custom
dbusmock templates: When a user is tricked into loading a template
from a world-writable directory like /tmp, an attacker could run
arbitrary code with the user's privileges by putting a crafted .pyc
file into that directory.

Note that this is highly unlikely to actually appear in practice
as custom dbusmock templates are usually shipped in project
directories, not directly in world-writable directories. Hence we
decided to immediately make this bug public and don't aim for a
coordinated release date.

Original bug report with the details: https://launchpad.net/bugs/1453815

CVE-2015-1326
Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093
              (included in 0.15.1 upstream release)
unstable: fixed in 0.15.1-1 which I just uploaded
oldstable: not affected, python-dbusmock has only existed since jessie

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
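The report above describes the hazard of loading a template from a directory other local users can write to, where a crafted .pyc can be picked up in place of the intended source. The following is an added example, not code from the original mail or from python-dbusmock itself, showing the two defensive checks a template loader can apply: refuse paths whose file or containing directory is world-writable or owned by someone other than the caller (or root), and load the template from its .py source text only, so that no bytecode file beside it is ever consulted. The function names, the demo directory and the template contents are all constructed for the example.

```python
import os
import shutil
import stat
import tempfile
import types
from pathlib import Path


def unsafe_path_reasons(template_path, uid=None):
    """Return the reasons (if any) why loading a template from this path is unsafe.

    Hypothetical helper for this example. It mirrors the condition in the
    report: a template in a directory another local user can write to (such as
    /tmp, even with the sticky bit) can be replaced or shadowed. Both the file
    and its immediate directory must be owned by the caller or root and must
    not be world-writable. Symlinks are resolved first so the real location is
    what gets checked.
    """
    uid = os.getuid() if uid is None else uid
    path = Path(template_path).resolve()
    if not path.is_file():
        return [f"{path}: not a regular file"]
    reasons = []
    for target in (path.parent, path):
        st = os.stat(target)
        if st.st_uid not in (uid, 0):
            reasons.append(f"{target}: owned by uid {st.st_uid}, not the caller (uid {uid}) or root")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{target}: world-writable")
    return reasons


def load_template_source_only(template_path, module_name="dbusmock_template"):
    """Load a template from its .py source text, never from a .pyc.

    Hypothetical helper for this example. The regular import machinery may
    accept a bytecode file next to (or instead of) the source, so this reads,
    compiles and executes the source itself in a fresh module object.
    """
    problems = unsafe_path_reasons(template_path)
    if problems:
        raise PermissionError("; ".join(problems))
    path = Path(template_path).resolve()
    if path.suffix != ".py":
        raise ValueError(f"{path}: only .py source templates are accepted")
    source = path.read_text(encoding="utf-8")
    code = compile(source, str(path), "exec", dont_inherit=True)
    module = types.ModuleType(module_name)
    module.__file__ = str(path)
    exec(code, module.__dict__)
    return module


def demo():
    """Constructed demonstration in a throwaway directory; returns the outcomes."""
    tmpdir = tempfile.mkdtemp(prefix="dbusmock-demo-")
    try:
        template = os.path.join(tmpdir, "example_template.py")
        with open(template, "w", encoding="utf-8") as f:
            f.write("BUS_NAME = 'org.example.ConstructedDemo'\n")
        # Decoy file beside the source (just junk bytes, constructed for the demo):
        # a source-only loader must never read it, whatever it contains.
        with open(os.path.join(tmpdir, "example_template.pyc"), "wb") as f:
            f.write(b"not real bytecode")
        # Sticky bit as on /tmp, but still world-writable: must be rejected.
        os.chmod(tmpdir, 0o1777)
        rejected = unsafe_path_reasons(template)
        # Private directory: accepted, and the template loads from source.
        os.chmod(tmpdir, 0o700)
        accepted = unsafe_path_reasons(template)
        module = load_template_source_only(template)
        return {"rejected": rejected, "accepted": accepted, "bus_name": module.BUS_NAME}
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The directory check deliberately looks only at the immediate parent; a stricter loader would walk every ancestor up to the root, since a world-writable ancestor lets another user rename the whole subtree away. Compiling the source text directly also means Python never writes a __pycache__ entry for the template, which removes the bytecode cache as a trust question entirely.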