Your message dated Sun, 15 Mar 2009 16:19:19 +0000
with message-id <e1lit3x-0004c2...@ries.debian.org>
and subject line Bug#513513: fixed in gedit 2.24.3-1
has caused the Debian Bug report #513513,
regarding CVE-2009-0314: Untrusted search path vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513513
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gedit
Severity: important

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gedit.

CVE-2009-0314[0]:
| Untrusted search path vulnerability in the Python module in gedit
| allows local users to execute arbitrary code via a Trojan horse Python
| file in the current working directory, related to a vulnerability in
| the PySys_SetArgv function (CVE-2008-5983).

There is more information in the Red Hat bug report[1], including a
patch[2].

For stable, this issue could be fixed via stable-proposed-updates. It
seems that the vulnerable function is gedit_python_module_init_python().

For lenny, it could be fixed via migration from unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0314
    http://security-tracker.debian.net/tracker/CVE-2009-0314
[1] https://bugzilla.redhat.com/show_bug.cgi?id=481556
[2] https://bugzilla.redhat.com/attachment.cgi?id=330031



--- End Message ---
--- Begin Message ---
Source: gedit
Source-Version: 2.24.3-1

We believe that the bug you reported is fixed in the latest version of
gedit, which is due to be installed in the Debian FTP archive:

gedit-common_2.24.3-1_all.deb
  to pool/main/g/gedit/gedit-common_2.24.3-1_all.deb
gedit-dev_2.24.3-1_all.deb
  to pool/main/g/gedit/gedit-dev_2.24.3-1_all.deb
gedit_2.24.3-1.diff.gz
  to pool/main/g/gedit/gedit_2.24.3-1.diff.gz
gedit_2.24.3-1.dsc
  to pool/main/g/gedit/gedit_2.24.3-1.dsc
gedit_2.24.3-1_amd64.deb
  to pool/main/g/gedit/gedit_2.24.3-1_amd64.deb
gedit_2.24.3.orig.tar.gz
  to pool/main/g/gedit/gedit_2.24.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <j...@debian.org> (supplier of updated gedit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Mar 2009 12:17:40 +0100
Source: gedit
Binary: gedit gedit-common gedit-dev
Architecture: source all amd64
Version: 2.24.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Josselin Mouette <j...@debian.org>
Description: 
 gedit      - official text editor of the GNOME desktop environment
 gedit-common - official text editor of the GNOME desktop environment (support fi
 gedit-dev  - official text editor of the GNOME desktop environment (developmen
Closes: 510572 513513
Changes: 
 gedit (2.24.3-1) unstable; urgency=low
 .
   * 02_externaltools_locale.patch: new patch. Use LC_MESSAGES to
     determine the current language for the external tools.
     Closes: #510572.
   * New upstream release.
   * 03_python_path.patch: new patch. Pass GEDIT_PLUGINDIR
     to PySys_SetArgv as a big hackish workaround to CVE-2009-0314.
     Closes: #513513.
Checksums-Sha1: 
 2499373bbb622a363caf0b916d3f92e9111a2a6c 1665 gedit_2.24.3-1.dsc
 72a4053ce77ee097ec2c27304e8a9225fbd58cbd 6167208 gedit_2.24.3.orig.tar.gz
 97cab1c6aec0dd849dafddb348716c9774fb0cd1 15098 gedit_2.24.3-1.diff.gz
 412903c756860dd449f47cc70f974d1018a7e1c2 4074264 gedit-common_2.24.3-1_all.deb
 f192029edf6e5ba4f5d12887646f6073f86d572e 146042 gedit-dev_2.24.3-1_all.deb
 9d4b3cd901c6b4c75cdd482a153d1e6b8f86d6ed 881756 gedit_2.24.3-1_amd64.deb
Checksums-Sha256: 
 bd19970b987e0f4dfe62bc08de1a1edb0eac17b3cbc9121fc786ef36871be727 1665 gedit_2.24.3-1.dsc
 539a999e1acfb3f5c9f6ed2d5e30ad5ce0701922253bbd06acfd1646cf6ea071 6167208 gedit_2.24.3.orig.tar.gz
 5cd7e4ae9a9a5942c169608ca0ea47953884cb1a625a15efbaa0989e335f8cc7 15098 gedit_2.24.3-1.diff.gz
 1792da477dee57facdeb6a0b6ba9ca83ced95f47edad7980518b6e5b5f6c67e0 4074264 gedit-common_2.24.3-1_all.deb
 f2448d2bc01847142915d2355ee0d16afeea338bd4d708d7d643b1dbf6517033 146042 gedit-dev_2.24.3-1_all.deb
 a3281ade27b6f7779dc7391db3b95b2eb4ab3f4a5d158f79984ac23fbaac3b34 881756 gedit_2.24.3-1_amd64.deb
Files: 
 0b7763d19d689d762ea5d603947d6eee 1665 gnome optional gedit_2.24.3-1.dsc
 c3fa901039b604a02500777ba7edfec7 6167208 gnome optional gedit_2.24.3.orig.tar.gz
 3bf01e82f7d165566c298d44e700545b 15098 gnome optional gedit_2.24.3-1.diff.gz
 c681223a97136a58d45d643c825e5a0e 4074264 gnome optional gedit-common_2.24.3-1_all.deb
 b54681a0a3482202bdf76241e77c79af 146042 devel optional gedit-dev_2.24.3-1_all.deb
 ae1103ca2a2c0638aab5299a50b181d1 881756 gnome optional gedit_2.24.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJvPrqrSla4ddfhTMRAhBdAJ40AZDfXyJehPnpa64CKOGWS4IfeACgmURW
9qbT04y3gBZUoBwT28iw7NE=
=fqEU
-----END PGP SIGNATURE-----



--- End Message ---
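The vulnerability described in the report above and the workaround in the changelog (passing GEDIT_PLUGINDIR to PySys_SetArgv so that the first module search path entry is the plugin directory rather than the current working directory) both come down to what an embedding application leaves at the front of sys.path. The following added example, written for this page and not part of gedit or the Debian patch, audits a module search path for entries an unprivileged local user could control (an empty entry, a relative entry, the current working directory, or a directory writable by other users) and returns a hardened list with those entries dropped. The directory layout, the entry list and the function names are constructed for the example.

```python
"""Added example (not gedit's code): an audit for the untrusted-search-path
pattern behind CVE-2009-0314.

When an embedding application calls PySys_SetArgv with argv[0] == "", CPython
prepends "" to sys.path, so `import foo` is resolved from the process's current
working directory first. The check below flags entries of that kind and
returns a hardened list without them.
"""
import os
import shutil
import stat
import tempfile


def audit_search_path(entries, cwd=None, uid=None):
    """Return [(entry, reason)] for every entry that lets an unprivileged
    user influence what a module import resolves to."""
    cwd = os.getcwd() if cwd is None else cwd
    uid = os.geteuid() if uid is None else uid
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "empty entry resolves to the current working directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry depends on the process cwd"))
            continue
        if os.path.realpath(entry) == os.path.realpath(cwd):
            findings.append((entry, "entry is the current working directory"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # nothing can be loaded from a directory that does not exist
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory is writable by group or others"))
        elif st.st_uid not in (0, uid):
            findings.append((entry, "directory is owned by another unprivileged user"))
    return findings


def hardened_search_path(entries, cwd=None, uid=None):
    """Drop every flagged entry; the order of the remaining entries is kept."""
    flagged = {entry for entry, _ in audit_search_path(entries, cwd, uid)}
    return [entry for entry in entries if entry not in flagged]


def demo():
    """Constructed scenario: a private plugin directory (0755) next to a
    world-writable one (0777), plus the cwd, a relative name and a missing
    directory. Returns a dict so the caller can inspect the result."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    plugin_dir = os.path.join(root, "plugins")   # hypothetical GEDIT_PLUGINDIR stand-in
    open_dir = os.path.join(root, "dropzone")    # constructed world-writable directory
    os.mkdir(plugin_dir)
    os.chmod(plugin_dir, 0o755)
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)
    cwd = os.getcwd()
    entries = ["", "plugins", cwd, plugin_dir, open_dir, os.path.join(root, "missing")]
    try:
        findings = audit_search_path(entries)
        kept = hardened_search_path(entries)
    finally:
        shutil.rmtree(root)
    return {
        "flagged": {entry for entry, _ in findings},
        "reasons": dict(findings),
        "kept": kept,
        "plugin_dir": plugin_dir,
        "open_dir": open_dir,
        "cwd": cwd,
    }


if __name__ == "__main__":
    for entry, reason in demo()["reasons"].items():
        print(f"{(entry or '<empty>'):40} {reason}")
```

Run stand-alone, the script prints one line per flagged entry; only the 0755 plugin directory and the non-existent directory survive into the hardened list. On the embedding side, CPython 2.6.6 and 3.1.3 added PySys_SetArgvEx(argc, argv, updatepath), and passing updatepath as 0 skips the sys.path insertion entirely; the audit above covers the case where a path has already been set and needs to be checked after the fact.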
