Your message dated Mon, 10 Nov 2008 15:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504363: fixed in epiphany-browser 2.22.3-7
has caused the Debian Bug report #504363,
regarding epiphany-browser: Python plugins load modules from current directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504363: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504363
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ephiphany-browser
Version: 2.22.3-6
Severity: grave
Tags: security patch upstream
Justification: user security hole
Usertags: pythonpath
Epiphany's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename. This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module epiphany
tries to import.
This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
--- epiphany-browser-2.22.3.orig/src/ephy-python.c
+++ epiphany-browser-2.22.3/src/ephy-python.c
@@ -51,6 +51,8 @@
argv[0] = g_get_prgname ();
PySys_SetArgv (1, argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
init_pygobject ();
init_pygtk ();
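Review bot: the return value of the added PyRun_SimpleString call is ignored, so if the statement raises (the call returns -1) the empty entry stays in sys.path and initialisation carries on to init_pygobject () unnoticed; check the result and at least log a warning. The filter expression also relies on Python 2 semantics: under Python 3 filter() returns an iterator, so sys.path would no longer be a list, and a list comprehension such as sys.path = [p for p in sys.path if p] is the portable form. filter(None, ...) drops only empty strings; an entry such as '.' would still resolve against the working directory. Style: the surrounding calls put a space before the opening parenthesis (PySys_SetArgv (1, argv)), which the new line omits.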
--- End Message ---
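The behaviour described in the report above, as an added example that is not part of the original message or of epiphany's code: it shows that an empty sys.path entry is resolved against the working directory and that removing it stops the lookup. It is written for Python 3; the module name and path entries are constructed, and `sanitized` goes beyond the patch by also dropping other relative entries.

```python
import importlib
import os
import tempfile
from importlib.machinery import PathFinder

MODULE = "ephy_demo_extension"  # hypothetical module name, constructed for this example


def risky_entries(path_list):
    """Entries that are resolved against the working directory at import time."""
    # '' is the entry the report describes; '.' and other relative paths behave the same.
    return [p for p in path_list if not os.path.isabs(p)]


def sanitized(path_list):
    """List form of the patch's filter(None, sys.path); also drops other relative entries."""
    return [p for p in path_list if p and os.path.isabs(p)]


def found_in_workdir(name, path_list, workdir):
    """Would `name` be located inside `workdir` if that were the process's cwd?"""
    previous = os.getcwd()
    os.chdir(workdir)
    try:
        importlib.invalidate_caches()
        spec = PathFinder.find_spec(name, path_list)  # locates the module, does not execute it
    finally:
        os.chdir(previous)
    if spec is None or not spec.origin:
        return False
    return os.path.dirname(os.path.realpath(spec.origin)) == os.path.realpath(workdir)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a file that happens to share a plugin module's name.
        with open(os.path.join(workdir, MODULE + ".py"), "w") as fh:
            fh.write("MARKER = 'found in working directory'\n")
        before = ["", "/usr/lib/python3/dist-packages"]  # constructed sys.path
        after = sanitized(before)
        return {
            "flagged": risky_entries(before),
            "before": found_in_workdir(MODULE, before, workdir),
            "after": found_in_workdir(MODULE, after, workdir),
            "after_path": after,
        }


if __name__ == "__main__":
    print(demo())
```

`risky_entries(sys.path)` can be run as-is inside any embedded interpreter to check whether its search path depends on the directory the host application was started from.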
--- Begin Message ---
Source: epiphany-browser
Source-Version: 2.22.3-7
We believe that the bug you reported is fixed in the latest version of
epiphany-browser, which is due to be installed in the Debian FTP archive:
epiphany-browser-data_2.22.3-7_all.deb
to pool/main/e/epiphany-browser/epiphany-browser-data_2.22.3-7_all.deb
epiphany-browser-dbg_2.22.3-7_amd64.deb
to pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.3-7_amd64.deb
epiphany-browser-dev_2.22.3-7_all.deb
to pool/main/e/epiphany-browser/epiphany-browser-dev_2.22.3-7_all.deb
epiphany-browser_2.22.3-7.diff.gz
to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7.diff.gz
epiphany-browser_2.22.3-7.dsc
to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7.dsc
epiphany-browser_2.22.3-7_all.deb
to pool/main/e/epiphany-browser/epiphany-browser_2.22.3-7_all.deb
epiphany-gecko_2.22.3-7_amd64.deb
to pool/main/e/epiphany-browser/epiphany-gecko_2.22.3-7_amd64.deb
epiphany-webkit_2.22.3-7_amd64.deb
to pool/main/e/epiphany-browser/epiphany-webkit_2.22.3-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Josselin Mouette <[EMAIL PROTECTED]> (supplier of updated epiphany-browser
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 Nov 2008 15:29:28 +0100
Source: epiphany-browser
Binary: epiphany-browser epiphany-gecko epiphany-webkit epiphany-browser-data
epiphany-browser-dev epiphany-browser-dbg
Architecture: source amd64 all
Version: 2.22.3-7
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <[EMAIL PROTECTED]>
Changed-By: Josselin Mouette <[EMAIL PROTECTED]>
Description:
epiphany-browser - Intuitive web browser - dummy package
epiphany-browser-data - Data files for the GNOME web browser
epiphany-browser-dbg - Debugging symbols for the GNOME web browser
epiphany-browser-dev - Development files for the GNOME web browser
epiphany-gecko - Intuitive GNOME web browser - Gecko version
epiphany-webkit - Intuitive GNOME web browser - webkit version
Closes: 504363
Changes:
epiphany-browser (2.22.3-7) unstable; urgency=low
.
[ Josselin Mouette ]
* certManager.js: fix JS variable declaration.
.
[ Emilio Pozuelo Monfort ]
* debian/control.in: move Homepage field to the source stanza.
.
[ Josselin Mouette ]
* 08_python_path.patch: new patch by James Vega. Disable relative
imports in the python code. Closes: #504363.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJGEmqrSla4ddfhTMRAhPaAJ4xDmw5bDfolwj1UqubU4I3JXnhegCfTW8k
T+kQZZr+fx/ZKbj28Pdu4Qg=
=0OuI
-----END PGP SIGNATURE-----
--- End Message ---