Your message dated Wed, 19 Nov 2008 19:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504359: fixed in csound 1:5.08.2~dfsg-1.1
has caused the Debian Bug report #504359,
regarding csound: Python scripts load modules from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
504359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename.  This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module csound tries
to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
--- a/frontends/CsoundAC/Shell.cpp
+++ b/frontends/CsoundAC/Shell.cpp
@@ -211,6 +211,8 @@ namespace csound
   void Shell::main(int argc, char **argv)
   {
     PySys_SetArgv_(argc, argv);
+    /* Sanitize sys.path */
+    PyRun_SimpleString_("import sys; sys.path = filter(None, sys.path)");
   }
 
   void Shell::initialize()
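Review bot: the return value of `PyRun_SimpleString_` is discarded here, so if the sanitizing statement raises (the call returns -1 on an exception) the unsanitized `sys.path` stays in place silently; check for a non-zero result and fail or log rather than continue. Note also that `filter(None, sys.path)` relies on Python 2 `filter` returning a list; under Python 3 it returns an iterator and `sys.path` would no longer be a list, so a list comprehension (`sys.path = [p for p in sys.path if p]`) is the portable form of the same fix.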
--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp
+++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp
@@ -427,6 +427,8 @@
   Shell::open();
   char *argv[] = {"",""};
   PySys_SetArgv(1, argv);
+  /* Sanitize sys.path */
+  PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
   PyObject *mainModule = PyImport_ImportModule("__main__");
   result = runScript("import sys\n");
   if(result)
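Review bot: the sanitizing call is correctly placed before `PyImport_ImportModule("__main__")` and the first `runScript`, but the root cause in this function is visible two lines above it: `char *argv[] = {"",""}` passed to `PySys_SetArgv(1, argv)` hands Python an empty argv[0], which is exactly the non-file argv[0] the report describes as causing the empty entry to be prepended to `sys.path`. Stripping the entry afterwards does close the hole, but as in the `Shell.cpp` hunk the result of `PyRun_SimpleString` is ignored; it should be checked so that a failed sanitization is not mistaken for a clean path.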

Attachment: signature.asc
Description: Digital signature


--- End Message ---
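The working-directory import problem the report above describes, as an added example written for this page (it is not code from the csound project, from the Debian package or from the bug report): it writes a constructed module into a temporary directory, shows that the module is importable only while an empty entry sits on `sys.path`, and supplies a Python 3-compatible equivalent of the patch's `sys.path = filter(None, sys.path)` together with a check an embedding application can run after `PySys_SetArgv`. The module name `cwd_shadow_demo_hypothetical`, the helper function names and the `MARKER` string are assumptions of this example, not anything on the page.

```python
import importlib
import os
import sys
import tempfile

# Constructed module name for the demonstration; not a real csound module.
MODULE_NAME = "cwd_shadow_demo_hypothetical"


def sanitize_sys_path(entries):
    """Portable equivalent of the patch's `sys.path = filter(None, sys.path)`.

    On Python 2 filter() returns a list, so the patch is fine there. On
    Python 3 filter() returns an iterator and sys.path must remain a list,
    hence the list comprehension. Only empty-string entries are dropped.
    """
    return [entry for entry in entries if entry]


def cwd_is_on_import_path(entries, cwd=None):
    """Return True if imports would be resolved against the working directory.

    That happens through an empty entry (the effect of a non-file argv[0]
    passed to PySys_SetArgv) or through an entry that names the cwd itself.
    Intended as a post-initialization check for an embedding application.
    """
    cwd = os.path.realpath(cwd if cwd is not None else os.getcwd())
    for entry in entries:
        if entry == "" or os.path.realpath(entry) == cwd:
            return True
    return False


def _try_import():
    """Import MODULE_NAME fresh and return its MARKER, or None on failure."""
    sys.modules.pop(MODULE_NAME, None)
    importlib.invalidate_caches()
    try:
        return importlib.import_module(MODULE_NAME).MARKER
    except ImportError:
        return None


def demo_cwd_shadowing():
    """Show the shadowing effect of an empty sys.path entry.

    Writes a constructed module into a temporary directory, makes that
    directory the working directory, imports once with '' at the front of
    sys.path and once after sanitizing. Returns
    (marker_with_empty_entry, marker_after_sanitize); the second value is
    None because the module can no longer be found.
    """
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, MODULE_NAME + ".py"), "w") as fh:
            fh.write('MARKER = "loaded from the working directory"\n')
        os.chdir(tmp)
        try:
            # Reproduce the vulnerable state: '' first, everything else intact.
            sys.path[:] = [""] + [p for p in saved_path if p]
            before = _try_import()
            # Apply the fix the patch performs from C via PyRun_SimpleString.
            sys.path[:] = sanitize_sys_path(sys.path)
            after = _try_import()
        finally:
            os.chdir(saved_cwd)
            sys.path[:] = saved_path
            sys.modules.pop(MODULE_NAME, None)
    return before, after


if __name__ == "__main__":
    print(demo_cwd_shadowing())
```

`demo_cwd_shadowing()` returns `('loaded from the working directory', None)`: the same `import` statement that succeeds with the empty entry fails once it is removed, which is the whole effect of the patch. `cwd_is_on_import_path(sys.path)` is the assertion an embedding host can make right after setting argv to confirm that the interpreter will not look in whatever directory the user happened to launch it from.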
--- Begin Message ---
Source: csound
Source-Version: 1:5.08.2~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
csound, which is due to be installed in the Debian FTP archive:

csladspa_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csladspa_5.08.2~dfsg-1.1_amd64.deb
csound-gui_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-gui_5.08.2~dfsg-1.1_amd64.deb
csound-utils_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound-utils_5.08.2~dfsg-1.1_amd64.deb
csound_5.08.2~dfsg-1.1.diff.gz
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.diff.gz
csound_5.08.2~dfsg-1.1.dsc
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1.dsc
csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/csound_5.08.2~dfsg-1.1_amd64.deb
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-dev_5.08.2~dfsg-1.1_all.deb
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
  to pool/main/c/csound/libcsound64-doc_5.08.2~dfsg-1.1_all.deb
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
pd-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/pd-csound_5.08.2~dfsg-1.1_amd64.deb
python-csound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csound_5.08.2~dfsg-1.1_amd64.deb
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/python-csoundac_5.08.2~dfsg-1.1_amd64.deb
tclcsound_5.08.2~dfsg-1.1_amd64.deb
  to pool/main/c/csound/tclcsound_5.08.2~dfsg-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated csound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Nov 2008 20:20:13 +0100
Source: csound
Binary: csound csound-gui csound-utils libcsound64-5.1 libcsnd-java 
libcsound64-dev pd-csound python-csound libcsnd5.1 tclcsound libcsoundac5.1 
python-csoundac csladspa libcsound64-doc
Architecture: source all amd64
Version: 1:5.08.2~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Felipe Sateler <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 csladspa   - LADSPA plugin for Csound
 csound     - powerful and versatile sound synthesis software
 csound-gui - GUI interfaces and opcodes for Csound
 csound-utils - miscellaneous utilities for the Csound system
 libcsnd-java - Java bindings for the Csound API
 libcsnd5.1 - C++ bindings for the Csound API
 libcsound64-5.1 - main library for Csound
 libcsound64-dev - development files for Csound
 libcsound64-doc - Csound API documentation
 libcsoundac5.1 - the Csound Algorithmic Composition library
 pd-csound  - Csound external for PureData
 python-csound - Python bindings for Csound
 python-csoundac - Python bindings for CsoundAC
 tclcsound  - Tcl bindings and interpreters for Csound
Closes: 504359
Changes: 
 csound (1:5.08.2~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure python search path by adding patch provided by
     James Vega (No CVE id yet; Closes: #504359).
Checksums-Sha1: 
 0bca9d44fecc3a84f5935364227001f7bd000a30 2227 csound_5.08.2~dfsg-1.1.dsc
 3cd15d6ea58902bd428d979898fac6ee2dd825f9 34150 csound_5.08.2~dfsg-1.1.diff.gz
 31875648e0dde99c78a6a41278c4a7d65a208ad5 162630 
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
 b015cd7abfdbba4aa99807e633ae7a5faa4c6d24 15102552 
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
 c164aa1984e9bc84cae0175988b69ce120d78ee1 255624 
csound_5.08.2~dfsg-1.1_amd64.deb
 31697d41774e0d2ab1fb1e883ef00d82f0452df2 404618 
csound-gui_5.08.2~dfsg-1.1_amd64.deb
 faba98136c46f9e19f1e90b070eb45d29a584304 159976 
csound-utils_5.08.2~dfsg-1.1_amd64.deb
 a246b8990edc93556a86018ef7ecd80665473ac1 1093946 
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
 117140236ea5b68565452c02b9bf43306dbf4ebd 316012 
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
 f9ba5f9b3b52c2473fd86a6ef9ed468aad8209f8 127370 
pd-csound_5.08.2~dfsg-1.1_amd64.deb
 799f25bf56a232cd2b738170254ca5fb2124d97b 401586 
python-csound_5.08.2~dfsg-1.1_amd64.deb
 3f80c20c5d37399f5777ccd3ee87c3c0240d3e78 362986 
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
 9716d765e984048b6bad91636514ac9883cd1fb6 149408 
tclcsound_5.08.2~dfsg-1.1_amd64.deb
 ec995e2b168c008193fd23355d45c9a455577f98 403250 
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
 fd8834ccb515467b61beb06eb6c3a92f01683e70 542324 
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
 9621371dba514b0f771af4e89a6cc193d582d861 139834 
csladspa_5.08.2~dfsg-1.1_amd64.deb
Checksums-Sha256: 
 8fe7b66c5439b55b113e1c8ab93c117be197789cde45bd1164765f8762fd3fc0 2227 
csound_5.08.2~dfsg-1.1.dsc
 95ff2c63ac2840d96524f83843c3d9aa781a612ed3926a86a608371a3a38adc5 34150 
csound_5.08.2~dfsg-1.1.diff.gz
 aea172c639b5f11e22c4cf66ed282ae49831c7161d9e6eb5ca2e59acb5c4a3e4 162630 
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
 25b3b0222f6f3839f567a892b0d6ab731e0805537657d2e3e94789e1e6909998 15102552 
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
 705b511dc9f24a2233d786243036eb256497817ebac90274887ee3552cff798d 255624 
csound_5.08.2~dfsg-1.1_amd64.deb
 4b2d96b0bcdda82a7e58b92dfb8a5143a76432e4cc6689174a9036646ab7845a 404618 
csound-gui_5.08.2~dfsg-1.1_amd64.deb
 0c73ff718f7a729ef51ce541ba8cf98ebfcffe63d0bad14b6ff920317dfa4784 159976 
csound-utils_5.08.2~dfsg-1.1_amd64.deb
 691cd63306fd0d410bf3acd542ebe049081d01ef399f92d7596b3e5aa57b6bb0 1093946 
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
 b816a2ddeb2c70a1418d8f16120b8372644794eb8ad3dda76d1093c9ec9d8775 316012 
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
 f094ccbb80acc709a91c7f924ed9c635327d0e813e39f93f5f73b9827d68d388 127370 
pd-csound_5.08.2~dfsg-1.1_amd64.deb
 95e0d9e08d1562a6ee0ef349a70b7130b13a03a3d5448a7caa7310bac47ceec4 401586 
python-csound_5.08.2~dfsg-1.1_amd64.deb
 69a7f93e35062ca6702dfb6213092c21d88df405bb339d037b05714894da1efd 362986 
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
 201e245b8a23d79c73c3ebf5a311a5a4c683e19d49d95f684791f87f81f89280 149408 
tclcsound_5.08.2~dfsg-1.1_amd64.deb
 5027f11674a569386f60970c79a4a3a8b8520b165f6e0b3f6f23d51e8d39794d 403250 
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
 1c6a2ea9bf933aebc407812a53f816cce004d293925537bf173ee911751d481d 542324 
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
 0efbf4b852d587d25b4710ef2a83fdfe84d9a6b10d017400ba394a0498c568b3 139834 
csladspa_5.08.2~dfsg-1.1_amd64.deb
Files: 
 57342e9a7fc01d29fe320bebed30408c 2227 sound optional csound_5.08.2~dfsg-1.1.dsc
 08f823126ad1ab0e9147b73b47dd81f9 34150 sound optional 
csound_5.08.2~dfsg-1.1.diff.gz
 fe16e1f1727b29e74625f21670dd8bb6 162630 libdevel extra 
libcsound64-dev_5.08.2~dfsg-1.1_all.deb
 2cbcf1b8fb6ce8ee5210c5ed3b55edee 15102552 doc extra 
libcsound64-doc_5.08.2~dfsg-1.1_all.deb
 ec9a007227e0cf67331ae5336a862f89 255624 sound optional 
csound_5.08.2~dfsg-1.1_amd64.deb
 1f19e91b463bc7f2abfb61bbda6778e3 404618 sound optional 
csound-gui_5.08.2~dfsg-1.1_amd64.deb
 02f6e4692cf53b9b4b25f949e7e228e0 159976 sound optional 
csound-utils_5.08.2~dfsg-1.1_amd64.deb
 26497fe702e4a3b8dfdd7d83d7f5794d 1093946 libs optional 
libcsound64-5.1_5.08.2~dfsg-1.1_amd64.deb
 cc43f6ced2d61523bccf0aa2218183f3 316012 sound optional 
libcsnd-java_5.08.2~dfsg-1.1_amd64.deb
 6743446c2c552d40b527f9293c43f519 127370 sound optional 
pd-csound_5.08.2~dfsg-1.1_amd64.deb
 2b6eac8339db3636c2fe35f82a3d516a 401586 python optional 
python-csound_5.08.2~dfsg-1.1_amd64.deb
 537def8a2833af2e0a8fde43ba8c2447 362986 sound optional 
libcsnd5.1_5.08.2~dfsg-1.1_amd64.deb
 705092470bb7fc0641f604773a5c3977 149408 sound optional 
tclcsound_5.08.2~dfsg-1.1_amd64.deb
 f41fc52a1a2196b5e0359c2ef78c7afa 403250 sound optional 
libcsoundac5.1_5.08.2~dfsg-1.1_amd64.deb
 e91f96693081f5b6c295814e016653f0 542324 python optional 
python-csoundac_5.08.2~dfsg-1.1_amd64.deb
 dec10d1899426c90a634c4837c6f4dea 139834 sound optional 
csladspa_5.08.2~dfsg-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkkapAACgkQHYflSXNkfP+CJgCfcGDLMFzTjLXfw1YcTTaN5fw+
YhIAnRJt/pQtV1DoEgwbckmkE5biSMJo
=QnMt
-----END PGP SIGNATURE-----



--- End Message ---