Your message dated Wed, 19 Nov 2008 19:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504359: fixed in csound 1:5.08.2~dfsg-1.1
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
504359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's python interface calls PySys_SetArgv with an argv[0] that doesn't resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user's system if a file in their working directory matches the name of a python module csound tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python.

--
James
GPG Key: 1024D/61326D40 2003-09-02
James Vega <[EMAIL PROTECTED]>

--- a/frontends/CsoundAC/Shell.cpp +++ b/frontends/CsoundAC/Shell.cpp @@ -211,6 +211,8 @@ namespace csound void Shell::main(int argc, char **argv) { PySys_SetArgv_(argc, argv); + /* Sanitize sys.path */ + PyRun_SimpleString_("import sys; sys.path = filter(None, sys.path)"); } void Shell::initialize()
--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp +++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp @@ -427,6 +427,8 @@ Shell::open(); char *argv[] = {"",""}; PySys_SetArgv(1, argv); + /* Sanitize sys.path */ + PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); PyObject *mainModule = PyImport_ImportModule("__main__"); result = runScript("import sys\n"); if(result)
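Review bot: in the Shell.cpp hunk the return value of PyRun_SimpleString_ is thrown away, so if the sanitizing statement fails (PyRun_SimpleString reports an exception with -1) the empty sys.path entry that PySys_SetArgv_ just inserted silently survives and Shell::main returns as if the path were clean; check the result and treat a non-zero return as a failure of Shell::main. Note also that filter(None, sys.path) removes only empty strings: Shell::main receives argc/argv from its caller, so whatever PySys_SetArgv_ derives from that argv[0] and prepends to sys.path is kept unless it happens to be ""; removing the sys.path[0] entry that PySys_SetArgv_ added, or asserting that it is empty before filtering, would make the intent explicit rather than relying on the caller always passing an argv[0] that does not resolve to a file.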
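Review bot: in the ScoreGeneratorVst.cpp hunk the result of PyRun_SimpleString is ignored; it returns -1 when the statement raises, and in that case sys.path still starts with the "" that PySys_SetArgv(1, argv) inserts for the hard-coded argv[0] == "", yet the PyImport_ImportModule("__main__") and runScript("import sys\n") that follow proceed on the unsafe path. Suggest `if (PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)") != 0) { /* report and return an error */ }` before touching the interpreter further. The identical one-liner now lives in Shell.cpp as well; a single helper called from both places would keep the two sanitizers from drifting apart.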
--- End Message ---
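The mechanism the report describes (an empty entry at the front of sys.path that makes imports resolve against the working directory) can be checked for and cleaned up from Python itself. The following is an added example, not code from the bug report or from csound; the directory, path entries and module names it uses are constructed, and it generalizes the patch's `filter(None, sys.path)` to also catch `.` and other spellings of the working directory.

```python
import os
import sys


def cwd_entries(entries, cwd):
    """Return the entries of a sys.path-style list that resolve to cwd.

    Covers the empty string that PySys_SetArgv leaves when argv[0] is not a
    real script path (the case in the bug report), plus '.', './' and any
    relative or absolute spelling of the same directory.
    """
    cwd_real = os.path.realpath(cwd)
    hits = []
    for entry in entries:
        if entry == "":
            hits.append(entry)
            continue
        candidate = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        if os.path.realpath(candidate) == cwd_real:
            hits.append(entry)
    return hits


def sanitize_path(entries, cwd):
    """Copy of entries with every cwd-resolving entry removed.

    Stricter than the patch's filter(None, sys.path), which only drops empty
    strings, and always a list, so assigning it to sys.path is safe on
    Python 3 too (where filter() returns an iterator, not a list).
    """
    bad = set(cwd_entries(entries, cwd))
    return [e for e in entries if e not in bad]


def shadowed_modules(module_names, cwd_files):
    """Module names that a single-file module in the working directory would
    satisfy first while '' leads sys.path.  Built-in modules such as sys are
    loaded from the interpreter regardless of sys.path, so they are excluded."""
    stems = {os.path.splitext(name)[0] for name in cwd_files
             if name.endswith((".py", ".pyc", ".so"))}
    return [m for m in module_names
            if m not in sys.builtin_module_names and m in stems]


if __name__ == "__main__":
    # Constructed sample: sys.path as an embedding application leaves it after
    # PySys_SetArgv with argv[0] == "", and a working directory holding a
    # file whose name collides with a module the application imports.
    sample_cwd = "/home/user/scores"
    sample_path = ["", ".", "/home/user/scores", "/usr/lib/python2.5"]
    print("unsafe entries:", cwd_entries(sample_path, sample_cwd))
    print("sanitized:", sanitize_path(sample_path, sample_cwd))
    print("shadowed:", shadowed_modules(["sys", "csnd"], ["csnd.py", "a.txt"]))
```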
--- Begin Message ---
Source: csound
Source-Version: 1:5.08.2~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csladspa_5.08.2~dfsg-1.1_amd64.deb
csound-gui_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-gui_5.08.2~dfsg-1.1_amd64.deb
csound-utils_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-utils_5.08.2~dfsg-1.1_amd64.deb
csound_5.08.2~dfsg-1.1.diff.gz
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.diff.gz
csound_5.08.2~dfsg-1.1.dsc
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.dsc
csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1_amd64.deb
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-dev_5.08.2~dfsg-1.1_all.deb
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-doc_5.08.2~dfsg-1.1_all.deb
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
pd-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/pd-csound_5.08.2~dfsg-1.1_amd64.deb
python-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csound_5.08.2~dfsg-1.1_amd64.deb
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csoundac_5.08.2~dfsg-1.1_amd64.deb
tclcsound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/tclcsound_5.08.2~dfsg-1.1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Wed, 19 Nov 2008 20:20:13 +0100
Source: csound
Binary: csound csound-gui csound-utils libcsound64-5.1 libcsnd-java libcsound64-dev pd-csound python-csound libcsnd5.1 tclcsound libcsoundac5.1 python-csoundac csladspa libcsound64-doc
Architecture: source all amd64
Version: 1:5.08.2~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Felipe Sateler <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 csladspa   - LADSPA plugin for Csound
 csound     - powerful and versatile sound synthesis software
 csound-gui - GUI interfaces and opcodes for Csound
 csound-utils - miscellaneous utilities for the Csound system
 libcsnd-java - Java bindings for the Csound API
 libcsnd5.1 - C++ bindings for the Csound API
 libcsound64-5.1 - main library for Csound
 libcsound64-dev - development files for Csound
 libcsound64-doc - Csound API documentation
 libcsoundac5.1 - the Csound Algorithmic Composition library
 pd-csound  - Csound external for PureData
 python-csound - Python bindings for Csound
 python-csoundac - Python bindings for CsoundAC
 tclcsound  - Tcl bindings and interpreters for Csound
Closes: 504359
Changes:
 csound (1:5.08.2~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure python search path by adding patch provided by James Vega
     (No CVE id yet; Closes: #504359).
--- End Message ---