mate-menu package needs updating
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-mate | Fix Released | Undecided | Unassigned | |
| mate-menu (Ubuntu) | Fix Released | Wishlist | Unassigned | |
Bug Description
A new version of mate-menu is available that adds translations and also addresses shell command injection.
* https:/
The source for the packages is available from the following repositories in the 'ubuntu/15.04' branch:

```
git clone https:/
cd mate-menu
git checkout ubuntu/15.04
debian/rules get-orig-source
```
| Martin Wimpress (flexiondotorg) wrote : | #2 |
There is a Shell Command Injection vulnerability in the version of MATE Menu currently residing in the official Ubuntu archive. This issue is described here:
* https:/
mate-menu 5.6.2 directly addresses the issue above, but as you point out was not released in Ubuntu. Should I change the entry for mate-menu 5.6.2 in the changelog to UNRELEASED?
However, after doing a code review I found other exploitable methods in the package management features of MATE Menu.
So I started on mate-menu 5.6.3 and the following changes address the other exploitable code.
+ Removed package management features.
+ Removed useless imports and dead code.
+ Refactored some os.system() calls to Pythonic equivalents.
Personally, I do not think a Menu should be trying to be a package manager, certainly not one that is exploitable. Before removing those features I consulted with the Ubuntu MATE community here:
* https:/
The message was clear: most people didn't know the package management features existed, and of those that did know about them, they didn't use them. So I took the decision to remove an insecure, unused feature rather than fix it.
I hope that explains my rationale.
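The two changelog items above, "fixed shell code injection" and "refactored os.system() calls to Pythonic equivalents", describe one pattern and two fixes. The example below is added here and is not mate-menu's code: the vulnerable function is a generic reconstruction of the os.system()-plus-string-concatenation pattern, the `UNTRUSTED` value is a constructed sample, and `echo` stands in for whatever external tool a menu would launch. It shows why concatenating a menu-supplied value into a shell string runs two commands, and that an argument list, `shlex.quote()`, or a plain `os.remove()` treats the same value as one literal filename.

```python
"""Shell injection via os.system() string building, beside the fixes the changelog names.

Added example, not mate-menu's code. The vulnerable pattern is a generic
reconstruction and the input below is constructed, not taken from the bug.
"""
import os
import shlex
import subprocess
import tempfile

# Constructed sample: a menu-supplied value that carries shell metacharacters.
UNTRUSTED = "notes.txt; echo injected"


def run_via_shell_string(value: str) -> list:
    """The os.system()-style pattern: concatenate input into one shell string.

    os.system() returns only an exit status, so shell=True with captured output
    is used here to make the effect visible. /bin/sh splits on ';' and runs two
    commands; the second one comes entirely from the input.
    """
    cmd = "echo " + value
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_via_argv(value: str) -> list:
    """Pythonic equivalent: an argument list and no shell, so the value is one argument."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_via_quoted_shell(value: str) -> list:
    """When a shell really is needed, shlex.quote() turns the value into a single word."""
    cmd = "echo " + shlex.quote(value)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def remove_file_pythonic(path: str) -> bool:
    """Replacement for os.system('rm -f ' + path): no process, no shell, no re-parsing."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo_remove() -> tuple:
    """Create a file whose name carries a metacharacter and remove it with os.remove().

    Returns (removed_first_time, removed_second_time); the second call finds nothing.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "a;b.txt")  # constructed name with ';' in it
    with open(path, "w") as fh:
        fh.write("x")
    first = remove_file_pythonic(path)
    second = remove_file_pythonic(path)
    os.rmdir(tmpdir)
    return first, second


if __name__ == "__main__":
    print(run_via_shell_string(UNTRUSTED))   # two lines: the injected command ran
    print(run_via_argv(UNTRUSTED))           # one line: the raw string, echoed back
    print(run_via_quoted_shell(UNTRUSTED))   # one line: quoting kept it a single word
    print(demo_remove())                     # (True, False)
```

The argv form is the default to reach for; `shlex.quote()` is the fallback only when a shell feature such as a pipe or glob is genuinely required, and filesystem operations that used to shell out to `rm`, `mkdir` or `cp` are better served by `os` and `shutil` directly, which is what "Pythonic equivalents" amounts to.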
| Martin Wimpress (flexiondotorg) wrote : | #3 |
After discussing with Iain Lane I have consolidated the changelog entry, so the unreleased 5.6.2 version is no longer listed.
| Martin Wimpress (flexiondotorg) wrote : | #4 |
As requested by Didier Roche I have attached a debdiff for the change between 5.6.1 and 5.6.3.
| Didier Roche (didrocks) wrote : | #5 |
Perfect, looking good and sponsored, thanks! :)
| Changed in mate-menu (Ubuntu): | |
| status: | New → Fix Committed |
| Artur Rona (ari-tczew) wrote : | #6 |
mate-menu (5.6.3-0ubuntu1) vivid; urgency=medium
[ Martin Wimpress ]
* New upstream release.
+ Added translations.
+ Fixed shell code injection. Closes (LP: #1422402)
+ Removed package management features.
+ Removed useless imports and dead code.
+ Refactored some os.system() calls to Pythonic equivalents.
+ Refactored calls to the deprecated commands.
+ Removed unused icons.
+ Added a single, non-distro specific, icon for use everywhere.
+ Fixed lock screen.
* debian/copyright:
+ Remove COPYING from copyright.
+ Update copyright attribution for new mate-logo.svg.
+ Update copyright attribution for translators.
+ Remove obsolete entries from copyright.
[ Mike Gabriel ]
* debian/control:
+ Add to D (mate-menu): libglib2.0-bin (for glib-compile-schema in postinst script). (Closes: #779102).
-- Martin Wimpress <email address hidden> Fri, 06 Mar 2015 22:03:23 +0000
| Changed in mate-menu (Ubuntu): | |
| importance: | Undecided → Wishlist |
| status: | Fix Committed → Fix Released |
| Changed in ubuntu-mate: | |
| status: | New → Fix Released |
mate-menu (5.6.2-0ubuntu1) vivid; urgency=medium is in changelog and doesn't appear to have been landed in vivid.
Also, I'm a bit concerned about what some of the entries mean in changelog:
+ + Removed package management features.
+ + Removed useless imports and dead code.
+ + Refactored some os.system() calls to Pythonic equivilents.
Given that it's past Feature Freeze, we need to make sure all the changes are indeed bugfixes, and removal of features sounds a bit like a feature :)