severity 484305 grave
thanks

Hi Thomas,
* Thomas Arendsen Hein <[EMAIL PROTECTED]> [2008-07-06 22:53]:
> * Steffen Joeris <[EMAIL PROTECTED]> [20080706 11:15]:
> > severity 484305 important
> > thanks
>
> Please do not downgrade severity without providing a reason.

"critical makes unrelated software on the system (or the whole system)
break, or causes serious data loss, or introduces a security hole on
systems where you install the package."

I had a look at the issue now and this is not the case because you have to
a) install vim-python and bicyclerepair together and
b) set vim.python as the vim alternative.
Thus downgrading this bug.

> As I
> wrote in my original report, this should not be less than "grave":
>
> | I set Severity to "critical" instead of "grave", because the user who
> | reported the traceback to me on a multi-user system does not use
> | bicyclerepair, but just vim. Reportbug forced me to set "root security
> | hole", because everyone using vim is affected (including root) and
> | the Justification 5 "unknown / something else" would downgrade the
> | Severity to "normal".

I think that this is more like a user security hole because the security
issue itself doesn't automatically result in root access. root security
hole fits better to issues included in a daemon running as root for example.
But I doubt discussing this gets us anywhere and I personally don't care
about this tag in this case :)

[...]
> On etch:
>
> $ dpkg -l bicyclerepair|grep ^i
> ii  bicyclerepair  0.9-4.1  A refactoring tool for python
>
> $ dpkg -L bicyclerepair|grep vim
> /usr/share/doc/bicyclerepair/README.vim
> /usr/share/vim
> /usr/share/vim/vim62
> /usr/share/vim/vim62/plugin
> /usr/share/vim/vim62/plugin/bike.vim
> /usr/share/vim/vim63
> /usr/share/vim/vim63/plugin
> /usr/share/vim/vim63/plugin/bike.vim
> /usr/share/vim/addons
> /usr/share/vim/addons/plugin
> /usr/share/vim/addons/plugin/bike.vim
>
> Maybe (I haven't verified) you need:
> /etc/alternatives/vim -> /usr/bin/vim.python

Indeed, this is needed (+ installation of vim-python).
So to sum up you need to install vim-python and set the alternative to
vim.python.

I am not sure about the status of this in unstable, at least I could not
reproduce this on unstable but vim.python is also no longer available
there, a lot in the vim structure changed since then and I don't really
have an idea about the scripting support of vim. That's why I Cc'ed the
vim maintainers. Do you think this should also work in the same way in
unstable/testing? I am also not really sure what is causing the automatic
import.

To reproduce this on stable:

cd /tmp && apt-get source roundup && cd roundup-1.2.1/roundup/
apt-get install vim-python bicyclerepair
update-alternatives --set vim /usr/bin/vim.python

and edit some random file (e.g. vim /tmp/foobar).

I found out that the file that causes this is token.py in the roundup
sources. Another way to reproduce this would be to create a file named
fcntl:

cat >> fcntl.py << EOF
print "FOOOOBAR"
EOF

This file is also automatically imported besides the files
bike.py, compiler.py, parser.py, symbol.py, token.py, struct.py,
cStringIO.py, dis.py, opcode.py, new.py, re.py, sre.py,
sre_compile.py, sre_constants.py, sre_parse.py, __future__.py,
string.py, strop.py, tempfile.py, random.py, math.py, binascii.py,
_random.py and fcntl.py

Something should prepend '.' to syspath but I don't see anything doing
this :/

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
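
An added example, not part of the original mail and not code from vim or bicyclerepair: a small audit of a Python module search path for entries that resolve against the working directory, plus a check for files in a directory that would shadow the modules named in the message. It assumes the automatic import comes from an empty or relative entry in sys.path, which the message suspects but does not confirm; the sample path and the temporary directory are constructed.

```python
import os
import tempfile

# Subset of the module names listed in the message above.
REPORTED_MODULES = ["bike", "compiler", "parser", "symbol", "token", "struct",
                    "tempfile", "random", "re", "string", "fcntl"]


def cwd_relative_entries(path_entries):
    """Entries such as '' or '.' are resolved against the working directory."""
    return [entry for entry in path_entries if not os.path.isabs(entry)]


def shadowing_files(directory, module_names):
    """Names from module_names that a file or package in directory would shadow."""
    found = []
    for name in module_names:
        as_file = os.path.join(directory, name + ".py")
        as_package = os.path.join(directory, name, "__init__.py")
        if os.path.isfile(as_file) or os.path.isfile(as_package):
            found.append(name)
    return sorted(found)


def audit(path_entries, directory, module_names):
    """Report shadowing candidates only when the path exposes the directory."""
    risky = cwd_relative_entries(path_entries)
    shadowed = shadowing_files(directory, module_names) if risky else []
    return {"risky_entries": risky, "shadowed": shadowed}


def hardened_path(path_entries):
    """Keep absolute entries only, so the working directory is never searched."""
    return [entry for entry in path_entries if os.path.isabs(entry)]


def demo():
    # Constructed sample: a directory holding two of the file names from the mail.
    with tempfile.TemporaryDirectory() as workdir:
        for filename in ("fcntl.py", "token.py", "notes.txt"):
            open(os.path.join(workdir, filename), "w").close()
        # Constructed search path; the leading '' stands for the working directory.
        sample_path = ["", "/usr/lib/python2.4", "/usr/share/vim/addons/plugin"]
        before = audit(sample_path, workdir, REPORTED_MODULES)
        after = audit(hardened_path(sample_path), workdir, REPORTED_MODULES)
        return before, after


if __name__ == "__main__":
    print(demo())
```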