Bug#860268: .desktop files can hide malware in Nautilus

2017-09-01 Thread intrigeri
Hi! Micah Lee: > The upstream nautilus issue [1] has already been resolved, and will be > released in nautilus 3.24. But since this is an important security > issue, I think this patch should be backported so that it's fixed in > older versions of Debian. Thanks for raising this issue in Debian!

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-01 Thread Phil Wyett
On Fri, 2017-09-01 at 21:53 +0200, intrigeri wrote: > Hi! > > Micah Lee: > > The upstream nautilus issue [1] has already been resolved, and will be > > released in nautilus 3.24. But since this is an important security > > issue, I think this patch should be backported so that it's fixed in > > ol

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-22 Thread Jeremy Bicha
I asked on IRC about this so feel free to send the email, Phil or Donncha: jbicha | carnil: are you going to sponsor #860268 as a security update? jmm_ | jbicha: yeah, we can fix that via security.debian.org, please send a mail to t...@security.debian.org, only a few of us are on IRC Thanks, Jer

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-22 Thread Phil Wyett
On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote: > I asked on IRC about this so feel free to send the email, Phil or Donncha: > > jbicha | carnil: are you going to sponsor #860268 as a security update? > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please > send a mail to t.

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-22 Thread Phil Wyett
On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote: > On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote: > > I asked on IRC about this so feel free to send the email, Phil or Donncha: > > > > jbicha | carnil: are you going to sponsor #860268 as a security update? > > jmm_ | jbicha: yeah, we c

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-22 Thread Phil Wyett
On Sat, 2017-09-23 at 01:37 +0100, Phil Wyett wrote: > On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote: > > On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote: > > > I asked on IRC about this so feel free to send the email, Phil or Donncha: > > > > > > jbicha | carnil: are you going to spon

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-07 Thread Donncha O'Cearbhaill
Hi, Thank you Phil for providing a backport patch. What is the next step needed to get this fix released as a backport? The .desktop security issue is widely known and can be exploited in the wild [1]. IMO this fix should be made available as soon as possible. Regards, Donncha [1] https://githu

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-07 Thread intrigeri
Control: tag -1 + security Donncha O'Cearbhaill: > Thank you Phil for providing a backport patch. What is the next step > needed to get this fix released as a backport? The .desktop security > issue is widely known and can be exploited in the wild [1]. IMO this > fix should be made available as s

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-07 Thread Donncha O'Cearbhaill
intrigeri: > Control: tag -1 + security > > Donncha O'Cearbhaill: >> Thank you Phil for providing a backport patch. What is the next step >> needed to get this fix released as a backport? The .desktop security >> issue is widely known and can be exploited in the wild [1]. IMO this >> fix should b

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-07 Thread Donncha O'Cearbhaill
The upstream developer has now indicated that they will not be backporting the fix to 3.22.x. They have a policy of not backporting fixes which involve UI changes in stable branches. Will Debian backport this issue themselves? I have requested a CVE which I hope will help other distros to coordina

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Donncha O'Cearbhaill
Is there anything that I can do to help get this backport patch deployed? This issue can be exploited in the wild and I think it should be fixed as soon as possible. I am still waiting for a response for my CVE request.

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Jeremy Bicha
On Thu, Sep 7, 2017 at 9:34 AM, Donncha O'Cearbhaill wrote: > The upstream developer has now indicated that they will not be > backporting the fix to 3.22.x. They have a policy of not backporting > fixes which involve UI changes in stable branches. > > Will Debian backport this issue themselves? I

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Donncha O'Cearbhaill
Jeremy Bicha: > > It's not just a UI change but a translatable string change. The new > dialog that users will have to use to mark .desktop's as trusted will > be untranslated. > > Therefore, if you want this feature, you will need to use Nautilus >= > 3.24 which means you will need to upgrade to

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Phil Wyett
On Wed, 2017-09-13 at 13:36 +, Donncha O'Cearbhaill wrote: > Jeremy Bicha: > > > > It's not just a UI change but a translatable string change. The new > > dialog that users will have to use to mark .desktop's as trusted will > > be untranslated. > > > > Therefore, if you want this feature, yo

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Phil Wyett
On Wed, 2017-09-13 at 15:30 +0100, Phil Wyett wrote: > On Wed, 2017-09-13 at 13:36 +, Donncha O'Cearbhaill wrote: > > Jeremy Bicha: > > > > > > It's not just a UI change but a translatable string change. The new > > > dialog that users will have to use to mark .desktop's as trusted will > > >

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Donncha O'Cearbhaill
Phil Wyett: >> >> Hi, >> >> Please note that the debdiff I provided was essentially a raw backport for >> testing and I thought it may have issues. It was never meant as a 'here it >> is, >> all done' patch ready for submission as a stable update. >> >> I am a little busy at the moment, but if I c

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-13 Thread Phil Wyett
On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote: > Phil Wyett: > > > > > > Hi, > > > > > > Please note that the debdiff I provided was essentially a raw backport for > > > testing and I thought it may have issues. It was never meant as a 'here it > > > is, > > > all done' patch read

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-14 Thread Donncha O'Cearbhaill
Phil Wyett: > Please note that the debdiff I provided was essentially a raw backport for > testing and I thought it may have issues. It was never meant as a 'here it is, > all done' patch ready for submission as a stable update. > > I am a little busy at the moment, but if I can help here, I will.

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-14 Thread Donncha O'Cearbhaill
It looks like I attached the wrong debdiff to my previous email. I have attached the correct version now. diff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog2

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-20 Thread Donncha O'Cearbhaill
CVE-2017-14604 has been issued for this vulnerability.

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-20 Thread Donncha O'Cearbhaill
Phil Wyett: > On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote: >> Phil Wyett: Hi, Please note that the debdiff I provided was essentially a raw backport for testing and I thought it may have issues. It was never meant as a 'here it is, all done' patc

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-20 Thread Phil Wyett
On Wed, 2017-09-20 at 17:30 +, Donncha O'Cearbhaill wrote: > Phil Wyett: > > On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote: > > > Phil Wyett: > > > > > > > > > > Hi, > > > > > > > > > > Please note that the debdiff I provided was essentially a raw backport > > > > > for > > >

Bug#860268: .desktop files can hide malware in Nautilus

2017-09-21 Thread Phil Wyett
Hi, Now that the CVE (CVE-2017-14604) has been issued and this would (well, if it ever does) pass into Debian as a security update, I have updated the debdiff accordingly. See attached. Link to CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604 If any tweaks need to be made. Pleas

Bug#860268: .desktop files can hide malware in Nautilus

2017-04-13 Thread Micah Lee
Package: nautilus Version: 3.22.3-1 There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it. The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3

Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]

2017-10-05 Thread Yves-Alexis Perez
On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote: > Hi Security Team, > > > > Please accept the attached 'nautilus' debdiff for stretch-security. > > > > Info: > > > > The debdiff is a backport of the fix from upstream[1] and includes > > translations > > for the UI changes. > > > > [1]: >

Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]

2017-10-07 Thread Yves-Alexis Perez
On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote: > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote: > > Hi Security Team, > > > > > > Please accept the attached 'nautilus' debdiff for stretch-security. > > > > > > Info: > > > > > > The debdiff is a backport of the fix from upstrea

Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]

2017-10-07 Thread Phil Wyett
On Sat, 2017-10-07 at 21:06 +0200, Yves-Alexis Perez wrote: > On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote: > > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote: > > > Hi Security Team, > > > > > > > > Please accept the attached 'nautilus' debdiff for stretch-security. > > > > >

Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]

2017-10-11 Thread Jeremy Bicha
On Wed, Oct 11, 2017 at 2:34 PM, Phil Wyett wrote: > I have looked at both 'jessie' and 'wheezy'. Both are not affected by this > specific issue and have mechanism(s) like stretch (with update) and newer > versions of nautilus that display and require input when confronted with > certain > file t