On Thu, 2019-10-17 at 13:33 +0200, Hugo Lefeuvre wrote:
> Could you provide some more information related to this
> vulnerability? an isolated patch would be ideal.

I've uploaded pam-python_1.0.6-1.1+deb9u1 for stretch which contains just the changes you need. The patch is attached. Now I've got pbuilder doing what I want for stretch, it shouldn't be difficult to prepare a pam-python_1.0.4-1.1+deb8u1 for Jessie, if that helps. The one difficulty is I don't know where to dput it.

Description: Backport of fix for cve-2019-16729.dpatch from 1.0.7. Applied-Upstream: 1.0.7. Origin: vendor, https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/ --- a/src/pam_python.c +++ b/src/pam_python.c @@ -85,6 +85,11 @@ static void initialise_python(void) { #if PY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204 + Py_DontWriteBytecodeFlag = 1; + Py_IgnoreEnvironmentFlag = 1; + /* Py_IsolatedFlag = 1; Python3 only */ + Py_NoSiteFlag = 1; + Py_NoUserSiteDirectory = 1; Py_InitializeEx(0); #else size_t signum; @@ -2226,7 +2231,7 @@ goto error_exit; } dot = strrchr(user_module_name, '.'); - if (dot != 0 || strcmp(dot, ".py") == 0) + if (dot != 0 && strcmp(dot, ".py") == 0) *dot = '\0'; *user_module = PyModule_New(user_module_name); if (*user_module == 0)
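
Review bot: In the first hunk the new flag assignments sit under the existing `PY_MAJOR_VERSION*100 + PY_MINOR_VERSION >= 204` guard, but Py_DontWriteBytecodeFlag and Py_NoUserSiteDirectory only exist from Python 2.6, so a build against 2.4 or 2.5 would fail at these lines. Either put those two assignments under a `>= 206` check or state in the description that 2.6 is now the minimum. The commented-out `Py_IsolatedFlag = 1` would be clearer as a real assignment under a Python 3 version guard than as a comment, and a one-line comment above the block saying the flags keep the embedded interpreter from honouring PYTHON* environment variables and site or user-site directories would tell the next reader why they must stay ahead of Py_InitializeEx(0).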
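
Review bot: The Description says only that this backports the CVE fix and does not mention the condition change in the second hunk at `if (dot != 0 && strcmp(dot, ".py") == 0)`, which is a separate defect. With `||`, a module name without a '.' passed a null `dot` to strcmp, and any name that did contain a '.' was truncated whatever its suffix. Please add a line to the Description covering this, so that anyone auditing the stretch and jessie backports can see it was intentional. As a style point, `dot != NULL` would read more clearly than `dot != 0` for a pointer returned by strrchr.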