Your message dated Fri, 17 Oct 2008 21:02:41 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#493937: fixed in vim 1:7.1.314-3+lenny2
has caused the Debian Bug report #493937,
regarding bicyclerepair: bike.vim imports untrusted python files from cwd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
493937: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: bicyclerepair
Version: 0.9-4.1
Severity: critical
Tags: security
Justification: root security hole

# pwd
/tmp/roundup-1.3.3/roundup
# vim /tmp/whatever
Error detected while processing /usr/share/vim/addons/plugin/bike.vim:
line  110:
Traceback (most recent call last):
  File "<string>", line 6, in ?
  File "/usr/lib/python2.4/site-packages/bike/__init__.py", line 10, in ?
    from bikefacade import init, NotAPythonModuleOrPackageException, CouldntLocateASTNodeFromCoordinatesException, UndoStackEmptyException
  File "/usr/lib/python2.4/site-packages/bike/bikefacade.py", line 3, in ?
    import compiler
  File "__init__.py", line 24, in ?
  File "compiler/transformer.py", line 1348, in ?
AttributeError: 'module' object has no attribute 'LESS'
Press ENTER or type command to continue

bicyclerepair contains /usr/share/vim/addons/plugin/bike.vim which is
automatically executed, at least in etch. I don't know about lenny/sid,
see #464817 (bicyclerepair: Conform with Vim addon policy)

It imports (i.e. runs) python code it finds in the current working
directory, in my example from the extracted roundup tarball.

I set Severity to "critical" instead of "grave", because the user who
reported the traceback to me on a multi-user system does not use
bicyclerepair, but just vim. Reportbug forced me to set "root security
hole", because everyone using vim is affected (including root) and the
Justification 5 "unknown / something else" would downgrade the Severity
to "normal". The description for "grave" said that it only applies if
the security problem affects people actually using the package.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages bicyclerepair depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-central                0.5.12     register and build utility for Pyt

bicyclerepair recommends no packages.

-- no debconf information

--
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 1:7.1.314-3+lenny2

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-common_7.1.314-3+lenny2_i386.deb
vim-dbg_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-dbg_7.1.314-3+lenny2_i386.deb
vim-doc_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-doc_7.1.314-3+lenny2_all.deb
vim-full_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-full_7.1.314-3+lenny2_all.deb
vim-gnome_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-gnome_7.1.314-3+lenny2_i386.deb
vim-gtk_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-gtk_7.1.314-3+lenny2_i386.deb
vim-gui-common_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-gui-common_7.1.314-3+lenny2_all.deb
vim-lesstif_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-lesstif_7.1.314-3+lenny2_i386.deb
vim-nox_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-nox_7.1.314-3+lenny2_i386.deb
vim-perl_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-perl_7.1.314-3+lenny2_all.deb
vim-python_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-python_7.1.314-3+lenny2_all.deb
vim-ruby_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-ruby_7.1.314-3+lenny2_all.deb
vim-runtime_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-runtime_7.1.314-3+lenny2_all.deb
vim-tcl_7.1.314-3+lenny2_all.deb
  to pool/main/v/vim/vim-tcl_7.1.314-3+lenny2_all.deb
vim-tiny_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim-tiny_7.1.314-3+lenny2_i386.deb
vim_7.1.314-3+lenny2.diff.gz
  to pool/main/v/vim/vim_7.1.314-3+lenny2.diff.gz
vim_7.1.314-3+lenny2.dsc
  to pool/main/v/vim/vim_7.1.314-3+lenny2.dsc
vim_7.1.314-3+lenny2_i386.deb
  to pool/main/v/vim/vim_7.1.314-3+lenny2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.

If you have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <[EMAIL PROTECTED]> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 17 Oct 2008 10:58:00 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-dbg vim-perl vim-python vim-ruby vim-tcl vim-gtk vim-nox vim-lesstif vim-gnome vim-full
Architecture: source all i386
Version: 1:7.1.314-3+lenny2
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Vim Maintainers <[EMAIL PROTECTED]>
Changed-By: James Vega <[EMAIL PROTECTED]>
Description:
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-dbg    - Vi IMproved - enhanced vi editor (debugging symbols)
 vim-doc    - Vi IMproved - HTML documentation
 vim-full   - Vi IMproved - enhanced vi editor (transitional package)
 vim-gnome  - Vi IMproved - enhanced vi editor - with GNOME2 GUI
 vim-gtk    - Vi IMproved - enhanced vi editor - with GTK2 GUI
 vim-gui-common - Vi IMproved - Common GUI files
 vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
 vim-nox    - Vi IMproved - enhanced vi editor
 vim-perl   - Vi IMproved - enhanced vi editor (transitional package)
 vim-python - Vi IMproved - enhanced vi editor (transitional package)
 vim-ruby   - Vi IMproved - enhanced vi editor (transitional package)
 vim-runtime - Vi IMproved - Runtime files
 vim-tcl    - Vi IMproved - enhanced vi editor (transitional package)
 vim-tiny   - Vi IMproved - enhanced vi editor - compact version
Closes: 493937
Changes:
 vim (1:7.1.314-3+lenny2) testing-proposed-updates; urgency=low
 .
   * src/if_python.c: Strip empty directories from Python's sys.path to
     prevent Vim from using its current working directory as a module import
     path.  (Closes: #493937)
Checksums-Sha1:
 e1eb91d7c003dbca7a80d486dc66d3ca817990f4 1726 vim_7.1.314-3+lenny2.dsc
 3dd0b8aebbac4e4a1cc70c4a673d1b088965ccde 378498 vim_7.1.314-3+lenny2.diff.gz
 3cf7c4f2c8358c61563586e1cb5031bc3aeb873c 159836 vim-gui-common_7.1.314-3+lenny2_all.deb
 304c785e2c34a21bb38d0f29165700ed4e06bbcb 5594756 vim-runtime_7.1.314-3+lenny2_all.deb
 307bf72162291a4afc1b2276cda0f055069f4069 2151992 vim-doc_7.1.314-3+lenny2_all.deb
 c70e748a649ecf3a423ff19a999900fc4ee1b91b 75312 vim-perl_7.1.314-3+lenny2_all.deb
 9705fa3fe512aab99e6c1098fd0d7ba831c981d8 75318 vim-python_7.1.314-3+lenny2_all.deb
 be476f34e1e7cde3c79523bb4c4d9cc346a433dc 75314 vim-ruby_7.1.314-3+lenny2_all.deb
 44b237673263a5c8f3d1b405434f93fe62d16da3 75310 vim-tcl_7.1.314-3+lenny2_all.deb
 29e2cfd11b7ed0dd946958f47db041e909fd3395 75344 vim-full_7.1.314-3+lenny2_all.deb
 80da23bb7394e5543201690af3c8845e58576d3e 334966 vim-tiny_7.1.314-3+lenny2_i386.deb
 17c1cf84016536d49098409094777a9ac27588dd 994194 vim-gtk_7.1.314-3+lenny2_i386.deb
 6d90a9dfb631d8f4a21b9c59eecb0c5c7e881bce 996140 vim-gnome_7.1.314-3+lenny2_i386.deb
 4ec7e36283b596d2764a322ce7758114b7030a15 986582 vim-lesstif_7.1.314-3+lenny2_i386.deb
 099124132d1a4ad6530471d1d152d074722c8d6d 863142 vim-nox_7.1.314-3+lenny2_i386.deb
 85f33faf19141a2c90b8ffed4e8d9f5a5001a6d2 208160 vim-common_7.1.314-3+lenny2_i386.deb
 8ebebf40b542cf909c62c2b88785d22c07f289c1 776664 vim_7.1.314-3+lenny2_i386.deb
 ee3ab387145da9a367f7947cca1d1be2095191c8 8381078 vim-dbg_7.1.314-3+lenny2_i386.deb
Checksums-Sha256:
 64e1caa7078c871fe47300bdda79407a8be04812dccd527144593054b644578f 1726 vim_7.1.314-3+lenny2.dsc
 dcf59e4e9f306115794a6fbf18fccc04a999abb8300c418db816c3a30df16864 378498 vim_7.1.314-3+lenny2.diff.gz
 a247beec34fbf6f276c5e9142944dd0a085c67df3d73f07dc0cb54fba04cf7cf 159836 vim-gui-common_7.1.314-3+lenny2_all.deb
 4f34be554c01848ed2b00f60efe2d8cc213ad619c78f25689c3702048b838e09 5594756 vim-runtime_7.1.314-3+lenny2_all.deb
 d7d3dd532648f7c32bc1c50e0e1a4270753b933e7b02d1f282b2c3550a2361a5 2151992 vim-doc_7.1.314-3+lenny2_all.deb
 50b47d8f8020ba4d6904c9716174c4f31e11d40a0dfa9066a8b502d5c864e4a5 75312 vim-perl_7.1.314-3+lenny2_all.deb
 089c633e396fe48b0e4832f9b4dc7a9d63ad22cc32741b7fbd5bb4805c8a9d4e 75318 vim-python_7.1.314-3+lenny2_all.deb
 6b89f454a0781120ecdb0a201fae09af025541037ebe5cb9568418f148627c6d 75314 vim-ruby_7.1.314-3+lenny2_all.deb
 4f0249094451003079cfc8e176751d72746e5bf6da29dfb87e838852123c8c0d 75310 vim-tcl_7.1.314-3+lenny2_all.deb
 199666191bd5400ab14d7d3da69f8392da4733ac83c70ed517291506493361eb 75344 vim-full_7.1.314-3+lenny2_all.deb
 da77cea0152fe86f784413dad1449f2b8912a10fac9e1265d8b3caa087d0b5f9 334966 vim-tiny_7.1.314-3+lenny2_i386.deb
 54cb69e0323d4729b1bdb6fc964b60a4d9503a18521b652ef20a3f11b0a78917 994194 vim-gtk_7.1.314-3+lenny2_i386.deb
 e4803c1118edb108529018c308abcb7c15e836670484cc3f3a92e2f46bcd3fc5 996140 vim-gnome_7.1.314-3+lenny2_i386.deb
 333416512585a9da0c05e0da76b80fd3cc99de872f3bc6880d842354aea0941c 986582 vim-lesstif_7.1.314-3+lenny2_i386.deb
 d84a1d9441d2bade2553c4e2d7389d49e17df7eb34fbc75ba635edafdc16197f 863142 vim-nox_7.1.314-3+lenny2_i386.deb
 4589f84fbd84ba01746c828ef8375e27c0963de13a6e88ac28f3556e9bb3ef68 208160 vim-common_7.1.314-3+lenny2_i386.deb
 6c896ce4a6ecf8814b339029847f94cf8ab32f53db7787c7d742a929480e228b 776664 vim_7.1.314-3+lenny2_i386.deb
 fa3b723c69331f539204595418a62e5caff2c5ebb6899f94a785ec775d1d3e8c 8381078 vim-dbg_7.1.314-3+lenny2_i386.deb
Files:
 710afba1b97650cf657e6965c9c0f7cc 1726 editors optional vim_7.1.314-3+lenny2.dsc
 ed6a94bf841c30bc4d7b39477df133cf 378498 editors optional vim_7.1.314-3+lenny2.diff.gz
 b4a0105bbdcc9de7749b2600ce9abf11 159836 editors optional vim-gui-common_7.1.314-3+lenny2_all.deb
 76b98e261d7034b47ed6a3fcb77718d6 5594756 editors optional vim-runtime_7.1.314-3+lenny2_all.deb
 af2015c9671b4a7e89eefb96302d02d6 2151992 doc optional vim-doc_7.1.314-3+lenny2_all.deb
 c502b71fdbdb9ace25f476dc259c1d4d 75312 editors extra vim-perl_7.1.314-3+lenny2_all.deb
 82c36481cafc07118e1ec09feb13798e 75318 editors extra vim-python_7.1.314-3+lenny2_all.deb
 037290fb800b7c6a05d4b69ed43f4ac8 75314 editors extra vim-ruby_7.1.314-3+lenny2_all.deb
 737a051974a3d1b3c23645dc660da48e 75310 editors extra vim-tcl_7.1.314-3+lenny2_all.deb
 3fb1ce09f8b97c7f706594358ae7513f 75344 editors extra vim-full_7.1.314-3+lenny2_all.deb
 f8a80e3e89bb4e1d9f6c5ed1bcda119a 334966 editors important vim-tiny_7.1.314-3+lenny2_i386.deb
 4f8291738a7ce8cf445b3afac264904d 994194 editors extra vim-gtk_7.1.314-3+lenny2_i386.deb
 b1b9fdd93026c9c2f2e610807167020a 996140 editors extra vim-gnome_7.1.314-3+lenny2_i386.deb
 6d32ae98d91f5ec679e3f824d6859b8d 986582 editors extra vim-lesstif_7.1.314-3+lenny2_i386.deb
 977419a826de800ce79a38cc91ce57a5 863142 editors extra vim-nox_7.1.314-3+lenny2_i386.deb
 2673594ec9851f4a18c6c7894afb1abe 208160 editors important vim-common_7.1.314-3+lenny2_i386.deb
 dd63be51e8deddf6425341aaa5f88ef5 776664 editors optional vim_7.1.314-3+lenny2_i386.deb
 720ca4bac095e296a0ccaa4660d24202 8381078 editors extra vim-dbg_7.1.314-3+lenny2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj43zgACgkQDb3UpmEybUD5vACbBgsXprqPXS3KviBfAD/7CsBI
obgAnRac282VshUbDcl4PgrmAAEXPDXi
=QMsa
-----END PGP SIGNATURE-----
--- End Message ---
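Editor's added example, not part of either message above and not code from vim or bicyclerepair. The bug report shows an embedded interpreter whose sys.path contains an empty entry, so "import compiler" in bike.vim resolves to whatever happens to sit in the directory the editor was started from; the lenny2 upload fixes that in C (src/if_python.c) by stripping empty directories from sys.path. The Python 3 script below reproduces the shadowing with a constructed throwaway module (the name cwd_shadow_demo_mod is invented for the demo), applies the same sanitisation at Python level, and also serves as a quick audit of an interpreter's own sys.path. The assumption is that "" and "." are the only entries that resolve to the current working directory at import time.

```python
"""Show why an empty sys.path entry lets an embedded interpreter import from
the current working directory, and how stripping it closes that hole."""
import importlib
import importlib.util
import os
import sys
import tempfile

# Entries that are resolved against the cwd at lookup time (assumption: these
# are the only such forms; absolute paths are safe even if they equal the cwd).
CWD_ENTRIES = ("", ".")


def has_cwd_entry(path_entries):
    """True if any entry would make `import foo` search the current directory."""
    return any(entry in CWD_ENTRIES for entry in path_entries)


def strip_cwd_entries(path_entries):
    """Return a copy of path_entries without the cwd-relative entries.

    Python-level counterpart of the lenny2 vim change: an embedded interpreter
    should never treat the directory the host program was started in as an
    import location.
    """
    return [entry for entry in path_entries if entry not in CWD_ENTRIES]


def _resolve_with_path(module_name, path_entries):
    """Locate module_name using exactly path_entries, without executing it.

    find_spec only consults the path finders, so the planted file is never run;
    the origin of the returned spec tells us where an import would have gone.
    """
    saved_path = sys.path[:]
    sys.path[:] = path_entries
    importlib.invalidate_caches()  # finders cache directory listings
    try:
        spec = importlib.util.find_spec(module_name)
        return spec.origin if spec is not None else None
    finally:
        sys.path[:] = saved_path
        importlib.invalidate_caches()


def cwd_shadowing_demo(module_name="cwd_shadow_demo_mod"):
    """Plant a constructed module in a fresh cwd and resolve it twice.

    Returns (origin_with_empty_entry, origin_after_strip): the first is the
    path of the planted file, the second is None once "" has been stripped.
    """
    original_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        planted = os.path.join(scratch, module_name + ".py")
        with open(planted, "w", encoding="utf-8") as fh:
            fh.write("MARKER = 'constructed module living in the cwd'\n")
        os.chdir(scratch)  # the "extracted tarball" of the bug report
        try:
            # What the unpatched embedded interpreter effectively had: "" first.
            unsafe_path = [""] + strip_cwd_entries(sys.path)
            safe_path = strip_cwd_entries(unsafe_path)
            with_cwd = _resolve_with_path(module_name, unsafe_path)
            without_cwd = _resolve_with_path(module_name, safe_path)
        finally:
            os.chdir(original_cwd)
    return with_cwd, without_cwd


if __name__ == "__main__":
    print("this interpreter's sys.path searches the cwd:", has_cwd_entry(sys.path))
    shadowed, clean = cwd_shadowing_demo()
    print("with empty entry, import resolves to:", shadowed)
    print("after stripping, import resolves to:", clean)
```

The check is deliberately done with importlib.util.find_spec rather than a real import, so the planted file is located but never executed; the same function can be pointed at a module name such as "compiler" to audit where an interpreter would load it from before anything runs.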

