Hi, I am uploading a 0-day NMU to fix this bug. debdiff attached and archived on: http://people.debian.org/~nion/nmu-diff/csound-5.08.2~dfsg-1_5.08.2~dfsg-1.1.patch

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u csound-5.08.2~dfsg/debian/changelog csound-5.08.2~dfsg/debian/changelog --- csound-5.08.2~dfsg/debian/changelog +++ csound-5.08.2~dfsg/debian/changelog @@ -1,3 +1,11 @@ +csound (1:5.08.2~dfsg-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix insecure python search path by adding patch provided by + James Vega (No CVE id yet; Closes: #504359). + + -- Nico Golde <[EMAIL PROTECTED]> Wed, 19 Nov 2008 20:20:13 +0100 + csound (1:5.08.2~dfsg-1) unstable; urgency=low [ Jonas Smedegaard ] diff -u csound-5.08.2~dfsg/debian/patches/series csound-5.08.2~dfsg/debian/patches/series --- csound-5.08.2~dfsg/debian/patches/series +++ csound-5.08.2~dfsg/debian/patches/series @@ -3,6 +3,7 @@ 1001-fix-csoundac-amd64.diff 1002-type-punning.diff 1003-abi-plugin-dir.diff +1004-sanitize-sys.path.diff 2000-avoid-nonfree-scansyn-plugin.diff 2001-lua-link.diff 2002-csoundac.diff only in patch2: unchanged: --- csound-5.08.2~dfsg.orig/debian/patches/1004-sanitize-sys.path.diff +++ csound-5.08.2~dfsg/debian/patches/1004-sanitize-sys.path.diff @@ -0,0 +1,22 @@ +--- a/frontends/CsoundAC/Shell.cpp ++++ b/frontends/CsoundAC/Shell.cpp +@@ -211,6 +211,8 @@ namespace csound + void Shell::main(int argc, char **argv) + { + PySys_SetArgv_(argc, argv); ++ /* Sanitize sys.path */ ++ PyRun_SimpleString_("import sys; sys.path = filter(None, sys.path)"); + } + + void Shell::initialize() +--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp ++++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp +@@ -427,6 +427,8 @@ + Shell::open(); + char *argv[] = {"",""}; + PySys_SetArgv(1, argv); ++ /* Sanitize sys.path */ ++ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); + PyObject *mainModule = PyImport_ImportModule("__main__"); + result = runScript("import sys\n"); + if(result)
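Review bot: in the Shell.cpp hunk of 1004-sanitize-sys.path.diff, `filter(None, sys.path)` only drops empty entries, but this call site hands the real program argv to PySys_SetArgv_, and Python inserts the directory part of argv[0] at sys.path[0]; that entry is the empty string only when argv[0] has no directory component, so a frontend started as ./csoundac or by absolute path keeps the binary's directory at the front of the import path after the filter runs. Since PySys_SetArgv inserts exactly one entry at index 0, deleting that entry (`import sys; del sys.path[0]`) removes whatever was added regardless of how the binary was invoked, and the ScoreGeneratorVst.cpp hunk is unaffected by this because it passes a fixed empty argv[0].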
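Review bot: the `/* Sanitize sys.path */` comment in the ScoreGeneratorVst.cpp hunk says what the line does but not why; a reader of the patch later will want the one-line rationale that PySys_SetArgv(1, argv) with argv[0] == "" prepends "" (the current working directory) to sys.path, so a file named like a standard module in the working directory would be imported in its place. Also consider mutating the list in place (`sys.path[:] = [p for p in sys.path if p]`) rather than rebinding sys.path, so any code that already holds a reference to the list sees the cleaned path too.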