Your message dated Mon, 20 Oct 2008 19:02:17 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#493937: fixed in vim 2:7.2.025-2
has caused the Debian Bug report #493937,
regarding bicyclerepair: bike.vim imports untrusted python files from cwd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
493937: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: bicyclerepair
Version: 0.9-4.1
Severity: critical
Tags: security
Justification: root security hole

# pwd
/tmp/roundup-1.3.3/roundup
# vim /tmp/whatever
Error detected while processing /usr/share/vim/addons/plugin/bike.vim:
line  110:
Traceback (most recent call last):
  File "<string>", line 6, in ?
  File "/usr/lib/python2.4/site-packages/bike/__init__.py", line 10, in ?
    from bikefacade import init, NotAPythonModuleOrPackageException, CouldntLocateASTNodeFromCoordinatesException, UndoStackEmptyException
  File "/usr/lib/python2.4/site-packages/bike/bikefacade.py", line 3, in ?
    import compiler
  File "__init__.py", line 24, in ?

  File "compiler/transformer.py", line 1348, in ?
AttributeError: 'module' object has no attribute 'LESS'
Press ENTER or type command to continue


bicyclerepair contains /usr/share/vim/addons/plugin/bike.vim which is
automatically executed, at least in etch. I don't know about lenny/sid,
see #464817 (bicyclerepair: Conform with Vim addon policy)

It imports (i.e. runs) python code it finds in the current working
directory, in my example from the extracted roundup tarball.

I set Severity to "critical" instead of "grave", because the user who
reported the traceback to me on a multi-user system does not use
bicyclerepair, but just vim. Reportbug forced me to set "root security
hole", because everyone using vim is affected (including root) and
the Justification 5 "unknown / something else" would downgrade the
Severity to "normal". The description for "grave" said that it only
applies if the security problem affects people actually using the package.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages bicyclerepair depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-central                0.5.12     register and build utility for Pyt

bicyclerepair recommends no packages.

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 2:7.2.025-2

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-common_7.2.025-2_i386.deb
vim-dbg_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-dbg_7.2.025-2_i386.deb
vim-doc_7.2.025-2_all.deb
  to pool/main/v/vim/vim-doc_7.2.025-2_all.deb
vim-full_7.2.025-2_all.deb
  to pool/main/v/vim/vim-full_7.2.025-2_all.deb
vim-gnome_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-gnome_7.2.025-2_i386.deb
vim-gtk_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-gtk_7.2.025-2_i386.deb
vim-gui-common_7.2.025-2_all.deb
  to pool/main/v/vim/vim-gui-common_7.2.025-2_all.deb
vim-lesstif_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-lesstif_7.2.025-2_i386.deb
vim-nox_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-nox_7.2.025-2_i386.deb
vim-perl_7.2.025-2_all.deb
  to pool/main/v/vim/vim-perl_7.2.025-2_all.deb
vim-python_7.2.025-2_all.deb
  to pool/main/v/vim/vim-python_7.2.025-2_all.deb
vim-ruby_7.2.025-2_all.deb
  to pool/main/v/vim/vim-ruby_7.2.025-2_all.deb
vim-runtime_7.2.025-2_all.deb
  to pool/main/v/vim/vim-runtime_7.2.025-2_all.deb
vim-tcl_7.2.025-2_all.deb
  to pool/main/v/vim/vim-tcl_7.2.025-2_all.deb
vim-tiny_7.2.025-2_i386.deb
  to pool/main/v/vim/vim-tiny_7.2.025-2_i386.deb
vim_7.2.025-2.diff.gz
  to pool/main/v/vim/vim_7.2.025-2.diff.gz
vim_7.2.025-2.dsc
  to pool/main/v/vim/vim_7.2.025-2.dsc
vim_7.2.025-2_i386.deb
  to pool/main/v/vim/vim_7.2.025-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <[EMAIL PROTECTED]> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 20 Oct 2008 12:13:42 -0400
Source: vim
Binary: vim-common vim-gui-common vim-runtime vim-doc vim-tiny vim vim-dbg 
vim-perl vim-python vim-ruby vim-tcl vim-gtk vim-nox vim-lesstif vim-gnome 
vim-full
Architecture: source i386 all
Version: 2:7.2.025-2
Distribution: unstable
Urgency: low
Maintainer: Debian Vim Maintainers <[EMAIL PROTECTED]>
Changed-By: James Vega <[EMAIL PROTECTED]>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-dbg    - Vi IMproved - enhanced vi editor (debugging symbols)
 vim-doc    - Vi IMproved - HTML documentation
 vim-full   - Vi IMproved - enhanced vi editor (transitional package)
 vim-gnome  - Vi IMproved - enhanced vi editor - with GNOME2 GUI
 vim-gtk    - Vi IMproved - enhanced vi editor - with GTK2 GUI
 vim-gui-common - Vi IMproved - Common GUI files
 vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
 vim-nox    - Vi IMproved - enhanced vi editor
 vim-perl   - Vi IMproved - enhanced vi editor (transitional package)
 vim-python - Vi IMproved - enhanced vi editor (transitional package)
 vim-ruby   - Vi IMproved - enhanced vi editor (transitional package)
 vim-runtime - Vi IMproved - Runtime files
 vim-tcl    - Vi IMproved - enhanced vi editor (transitional package)
 vim-tiny   - Vi IMproved - enhanced vi editor - compact version
Closes: 493937
Changes: 
 vim (2:7.2.025-2) unstable; urgency=low
 .
   * Remove "deprecated" warnings about (g)vimrc.local from /etc/vim/(g)vimrc.
   * src/if_python.c: Strip empty directories from Python's sys.path to prevent
     Vim from using its current working directory as a module import path.
     (Closes: #493937)
   * debian/rules: Do not run tests in parallel as that may interfere with
     their results.
Checksums-Sha1: 
 dda410dc07b745a19890dcd6d69855ade2bd6e0b 1703 vim_7.2.025-2.dsc
 669a1bfc2b87af2da9e707658c433ddb7602e302 181366 vim_7.2.025-2.diff.gz
 7607c3d270cc3079c01f3c2d872aa17d6adab10a 999454 vim-gtk_7.2.025-2_i386.deb
 5d70f61c74e7e9b553c8449d47395e529549a146 1000972 vim-gnome_7.2.025-2_i386.deb
 f980c2944b50ad5ddd880ca2dba5ac6ddf83a8c7 868240 vim-nox_7.2.025-2_i386.deb
 b4a6667661a6826d088828424f05833acba89d0b 335102 vim-tiny_7.2.025-2_i386.deb
 1a356a17194a54d6653dc652293f736228e869ea 201310 vim-common_7.2.025-2_i386.deb
 17c97809b5a2bb5c68081775f294c315902d8995 781354 vim_7.2.025-2_i386.deb
 ac3e534cf90342f15826198035a5bec9462a794f 991844 vim-lesstif_7.2.025-2_i386.deb
 d15795017edac0dd7fd9b2909d7674327529700c 8417042 vim-dbg_7.2.025-2_i386.deb
 4749b4b8e8c89d2e956a1ce1e0eca3fffcb84f34 161718 vim-gui-common_7.2.025-2_all.deb
 feeeb56269f738fba476b5c378da5ce2032e0186 5991996 vim-runtime_7.2.025-2_all.deb
 b79fa1d43af98a010bf252b345ed42fd3758e3fe 1971726 vim-doc_7.2.025-2_all.deb
 42379cda62025d160596b9efd696d8935b42b0f6 77526 vim-perl_7.2.025-2_all.deb
 8e8a69b939fac74f62a5f7a0dbed5d5262c01eb4 77536 vim-python_7.2.025-2_all.deb
 fb932d0963189653d5d9db3f050cea1d398d2c74 77528 vim-ruby_7.2.025-2_all.deb
 ad60edf25ffab71b9ed04246df7e3b9f0f55f92e 77528 vim-tcl_7.2.025-2_all.deb
 135fe7d4453d9ec9f0331bba0037d7bfa28e88b2 77548 vim-full_7.2.025-2_all.deb
Checksums-Sha256: 
 63aa66292caa640121478bf5a985da9bfad7938d87ba529e844ec1245757160b 1703 vim_7.2.025-2.dsc
 fd4239a9740eba3f699780f47777c6a05b6ede43a9062a88fd4a9212498fd4f7 181366 vim_7.2.025-2.diff.gz
 2974a7ef5bd154faf4ffa40546fdc9dc557361b19a48f2059a24179a71b7cffe 999454 vim-gtk_7.2.025-2_i386.deb
 b3dd66993389fdf8485476fcf2332006403efe121c87d8a3309a04940ea00de2 1000972 vim-gnome_7.2.025-2_i386.deb
 639afda0ce1a3f9487a070f707f0464c44405a78324d2d00319efb08b7ba747b 868240 vim-nox_7.2.025-2_i386.deb
 69776dacc8cc56f84f99a6ff56e82f9acde18349d2bf10b8f97de0589287ff12 335102 vim-tiny_7.2.025-2_i386.deb
 5ed97a57cbd2d3a722326076a08c947afa439691f012037c6cb8a1a0dcedc235 201310 vim-common_7.2.025-2_i386.deb
 5136a9de4cd9ea63a50673e5c6b13dce82fef8c2bd390070b79060491023fd70 781354 vim_7.2.025-2_i386.deb
 15873ceb2e3d960829b24c84558966a41dcc2cdeffda0f7dc9af8c6dd535a96e 991844 vim-lesstif_7.2.025-2_i386.deb
 dc36fe008ea662b428532ea89dca88f82a022e82abce1f1a118f8d77cd3c2981 8417042 vim-dbg_7.2.025-2_i386.deb
 fabbb695df7e449d69e41b90717817b4146dfe571bf0e178e9c707574059403f 161718 vim-gui-common_7.2.025-2_all.deb
 62cb2f32bede91d9a94956915ffd211f3aebeff54192cbd84e3de520a50eb279 5991996 vim-runtime_7.2.025-2_all.deb
 b13d8efb0596b4513a8687b53829634b11f6ff7e63ad840c38fccf7c29e46250 1971726 vim-doc_7.2.025-2_all.deb
 299e67262cd9d226177ce595ba285757638e7c3b319dbb35e246c0538282ed77 77526 vim-perl_7.2.025-2_all.deb
 50ad687b0fe4ab8e98d70a13d96d829102cdd44775187c01835060deb6de8a7e 77536 vim-python_7.2.025-2_all.deb
 d54153f3277b753c0e04975b868f90003945812c8b5da28a970a883f89769a12 77528 vim-ruby_7.2.025-2_all.deb
 60db22487a3d3f7ab5d0c7a5392d35ab660e5f832ff590b9a4c4a21b3f6faf2f 77528 vim-tcl_7.2.025-2_all.deb
 5a30126d0e534a35e18952822c23c9bf9f745f64c595688c5f525ffa72422dfe 77548 vim-full_7.2.025-2_all.deb
Files: 
 a1dcda8a537ddc1d0eff71b372075394 1703 editors optional vim_7.2.025-2.dsc
 2cd03a6827cb9694529312db77f54a82 181366 editors optional vim_7.2.025-2.diff.gz
 d7ab5da374ccc2b0dba80796270949c8 999454 editors extra vim-gtk_7.2.025-2_i386.deb
 8d1a5a9334e258648dfe07c93d0b32e6 1000972 editors extra vim-gnome_7.2.025-2_i386.deb
 8e63582e4bb0057feffaa36958a9d631 868240 editors extra vim-nox_7.2.025-2_i386.deb
 213262ad35ebb1ef22dfd238f83b317f 335102 editors important vim-tiny_7.2.025-2_i386.deb
 96ad1405867376e1392a830679dfee12 201310 editors important vim-common_7.2.025-2_i386.deb
 9f426dac179d3872e969a3f601d9d957 781354 editors optional vim_7.2.025-2_i386.deb
 3adfdb41e47950d918cede6553d29128 991844 editors extra vim-lesstif_7.2.025-2_i386.deb
 7d2b5bbdaa0caed837e40fe39b643dc6 8417042 editors extra vim-dbg_7.2.025-2_i386.deb
 c36b7766e7311e39a4fef5e2afe8089b 161718 editors optional vim-gui-common_7.2.025-2_all.deb
 9d5ae3e8b1aaa263bd3fb6614854f01c 5991996 editors optional vim-runtime_7.2.025-2_all.deb
 b0eee745f0accc7a2113eb0bf4abca46 1971726 doc optional vim-doc_7.2.025-2_all.deb
 a4cc106429883e27122546671c908a06 77526 editors extra vim-perl_7.2.025-2_all.deb
 d0524d1a80791288d4400ffc3ca862d1 77536 editors extra vim-python_7.2.025-2_all.deb
 b48b4125a532852b126513b10ffebddc 77528 editors extra vim-ruby_7.2.025-2_all.deb
 5ff0de8c6f1ff2ac43940dff341d1453 77528 editors extra vim-tcl_7.2.025-2_all.deb
 ec95cc52923a9f2d9de7ed9d8f3ae108 77548 editors extra vim-full_7.2.025-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj8zjgACgkQDb3UpmEybUDojgCfWOs3YJZ/r+12JXo7W2r8a8QR
vl0An0mmDMeISARwm5GNPak3e4wLEGWs
=89Oc
-----END PGP SIGNATURE-----



--- End Message ---
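The two messages above describe the same mechanism from both ends: the bug report shows an embedded Python interpreter resolving `import compiler` against the directory vim was started in, and the changelog entry fixes it by stripping empty entries (which mean "current working directory") from sys.path before the interpreter is used. The following is an added example, not code from the bug report, from bicyclerepair or from the vim patch; it is Python 3 rather than the Python 2.4 of the report, the planted package name `compiler_demo`, the marker file and the `__init__.py` contents are constructed for the demonstration, and `sanitize_sys_path()` generalises the Debian change by also dropping "." and other relative entries, which resolve against the cwd in the same way.

```python
"""Demonstrate the cwd-import problem behind Debian bug #493937 and the fix.

An empty string on sys.path means "the current working directory", so any
package sitting in the directory the user happened to start the editor in
gets imported, and therefore executed, ahead of or instead of the intended
one.  The vim fix strips the empty entries before the embedded interpreter
is used; sanitize_sys_path() below does the same on a path list.
"""
import importlib
import os
import sys
import tempfile

# Hypothetical name for the planted package (the report's real case was a
# top-level "compiler/" directory in an extracted roundup tarball shadowing
# Python 2's stdlib "compiler" module).
PLANTED_MODULE = "compiler_demo"
MARKER_NAME = "planted_code_ran.marker"

# Constructed stand-in for the untrusted __init__.py: anything in it runs at
# import time, which is the whole point of the bug.
PLANTED_INIT = (
    "import os\n"
    "open(os.path.join(os.path.dirname(__file__), %r), 'w').close()\n"
    % MARKER_NAME
)


def sanitize_sys_path(entries):
    """Return a copy of a sys.path-style list without cwd-relative entries.

    The Debian change removes empty strings.  This helper also drops "." and
    any other relative entry, since those resolve against the cwd in exactly
    the same way (a generalisation of the fix, not the vim patch itself).
    """
    return [p for p in entries if p not in ("", ".") and os.path.isabs(p)]


def import_with_path(module_name, entries, cwd):
    """Import module_name using `entries` as sys.path while cwd is `cwd`.

    Returns the loaded module's __file__, or None when the import fails.
    sys.path, the cwd and sys.modules are restored afterwards.
    """
    saved_path, saved_cwd = sys.path[:], os.getcwd()
    sys.modules.pop(module_name, None)
    try:
        os.chdir(cwd)
        sys.path[:] = entries
        importlib.invalidate_caches()
        try:
            return getattr(importlib.import_module(module_name), "__file__", None)
        except ImportError:
            return None
    finally:
        sys.path[:] = saved_path
        os.chdir(saved_cwd)
        sys.modules.pop(module_name, None)


def demo():
    """Plant a package in a scratch cwd and import it with and without ''.

    Returns a dict of three booleans: whether the planted package was found
    via the cwd, whether its code actually executed, and whether it is still
    importable once the path has been sanitized.
    """
    with tempfile.TemporaryDirectory() as scratch:
        pkg_dir = os.path.join(scratch, PLANTED_MODULE)
        os.mkdir(pkg_dir)
        with open(os.path.join(pkg_dir, "__init__.py"), "w") as fh:
            fh.write(PLANTED_INIT)

        # What the embedded interpreter effectively had: '' in front of the
        # real installation directories.
        unsafe_path = [""] + [p for p in sys.path if os.path.isabs(p)]
        safe_path = sanitize_sys_path(unsafe_path)

        found_via_cwd = import_with_path(PLANTED_MODULE, unsafe_path, scratch)
        executed = os.path.exists(os.path.join(pkg_dir, MARKER_NAME))
        found_after_fix = import_with_path(PLANTED_MODULE, safe_path, scratch)

        return {
            "imported_from_cwd": found_via_cwd is not None,
            "planted_code_executed": executed,
            "importable_after_fix": found_after_fix is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints that the planted package was imported from the cwd and its code executed, and that it is no longer importable once the empty entry is gone. The same check applies to any program that embeds Python (or Perl, Ruby, Tcl) and runs plugin code from an arbitrary working directory: inspect the embedded interpreter's module search path before the first plugin import, and treat "" and "." there as a finding.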
