Bug#777079: jython: CVE-2013-2027

2015-11-18 Thread Markus Koschany
On Wed, 04 Feb 2015 21:09:40 +0100 Salvatore Bonaccorso wrote:
> Source: jython
> Version: 2.5.2-1
> Severity: important
> Tags: security upstream
> 
> Hi
> 
> Several issues were mentioned in Red Hat Bugzilla at [0] referencing
> the issue which creates executable class files with wrong permissions
> with CVE-2013-2027.
> 
> At least it seems present in the Debian package that the package
> writes to /usr/share. In the SuSE bugzilla[1] there are some links to
> fixes applied in SuSE[2].
> 
> Could you please double-check the jython package in Debian?
> 
>  [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
>  [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
>  [2] https://build.opensuse.org/request/show/284056
> 

I had a look at this vulnerability but I couldn't reproduce the attack
vector described at

https://bugzilla.redhat.com/show_bug.cgi?id=947949

The file is still read-only for everyone and group owners.

The patches at

https://build.opensuse.org/request/show/284056
https://bugzilla.redhat.com/show_bug.cgi?id=947949

cannot be applied as is because we use a newer Jython version.

According to upstream

http://bugs.jython.org/issue2044

this issue appears to be resolved in version 2.7 but they give no
details whether this is fixed in the 2.5 series.

I suggest keeping the bug open until 2.7 is packaged, but I don't think
this is an issue for Debian. More feedback is welcome.

Markus
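The check Markus describes (whether the class files the package writes under /usr/share are still read-only for group and others) can be scripted so it is repeatable on any install. The script below is an added example and is not part of the bug thread or of the jython package; the default directory /usr/share/jython and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a directory tree for
# .class files whose mode grants write access to group or others, which
# is the symptom the CVE-2013-2027 report describes (class files written
# with wrong permissions). The default directory is an assumption.

# Print every .class file under $1 that is group-writable (020) or
# world-writable (002). Missing directories are silently treated as empty.
find_writable_class_files() {
    dir="${1:-/usr/share/jython}"
    find "$dir" -type f -name '*.class' \
        \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Return 0 when no writable class files exist under $1, 1 otherwise.
check_class_file_perms() {
    [ -z "$(find_writable_class_files "$1")" ]
}

# Usage: sh audit-class-perms.sh [directory]
# When run with a directory argument, report and exit non-zero on a finding.
if [ "$#" -gt 0 ]; then
    if check_class_file_perms "$1"; then
        echo "OK: no group/world-writable .class files under $1"
    else
        echo "WARNING: group/world-writable .class files under $1:"
        find_writable_class_files "$1"
        exit 1
    fi
fi
```

Numeric permission masks are used instead of symbolic ones so the `find` invocation stays portable across POSIX implementations; a non-zero exit makes the check usable from a package test or a configuration-management run.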


Bug#777079: jython: CVE-2013-2027

2015-02-04 Thread Salvatore Bonaccorso
Source: jython
Version: 2.5.2-1
Severity: important
Tags: security upstream

Hi

Several issues were mentioned in Red Hat Bugzilla at [0] referencing
the issue which creates executable class files with wrong permissions
with CVE-2013-2027.

At least it seems present in the Debian package that the package
writes to /usr/share. In the SuSE bugzilla[1] there are some links to
fixes applied in SuSE[2].

Could you please double-check the jython package in Debian?

 [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
 [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
 [2] https://build.opensuse.org/request/show/284056

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.