| 2009-01-28 06:14:58 |
Till Ulen |
bug |
|
|
added bug |
| 2009-01-28 06:15:22 |
Till Ulen |
who_made_private |
a-konovalenko |
|
|
| 2009-01-28 06:17:25 |
Till Ulen |
bug |
|
|
assigned to python2.4 (Ubuntu) |
| 2009-01-28 06:17:44 |
Till Ulen |
bug |
|
|
assigned to dia (Ubuntu) |
| 2009-01-28 06:18:09 |
Till Ulen |
bug |
|
|
assigned to epiphany (Ubuntu) |
| 2009-01-28 06:18:39 |
Till Ulen |
bug |
|
|
assigned to csound (Ubuntu) |
| 2009-01-28 06:19:05 |
Till Ulen |
bug |
|
|
assigned to eog (Ubuntu) |
| 2009-01-28 06:19:29 |
Till Ulen |
bug |
|
|
assigned to gedit (Ubuntu) |
| 2009-01-28 06:19:59 |
Till Ulen |
bug |
|
|
assigned to xchat (Ubuntu) |
| 2009-01-28 06:20:23 |
Till Ulen |
bug |
|
|
assigned to vim (Ubuntu) |
| 2009-01-28 06:20:51 |
Till Ulen |
bug |
|
|
assigned to nautilus (Ubuntu) |
| 2009-01-28 06:21:24 |
Till Ulen |
bug |
|
|
assigned to gnumeric (Ubuntu) |
| 2009-01-30 13:12:20 |
Till Ulen |
description |
Binary package hint: python2.5
There's an interesting bug (or feature?) in Python 2.5 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:
"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."
Affected packages are, at least:
CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric
I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.
Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2 |
There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:
"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."
(Python 2.6 is vulnerable, too. See the comments.)
Affected packages are, at least:
CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric
I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.
Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2 |
|
| 2009-01-30 17:56:19 |
Jamie Strandboge |
csound: status |
New |
Confirmed |
|
| 2009-01-30 17:56:22 |
Jamie Strandboge |
csound: importance |
Undecided |
Low |
|
| 2009-01-30 17:56:28 |
Jamie Strandboge |
dia: status |
New |
Confirmed |
|
| 2009-01-30 17:56:33 |
Jamie Strandboge |
dia: importance |
Undecided |
Low |
|
| 2009-01-30 17:56:38 |
Jamie Strandboge |
eog: status |
New |
Confirmed |
|
| 2009-01-30 17:56:42 |
Jamie Strandboge |
eog: importance |
Undecided |
Low |
|
| 2009-01-30 17:56:47 |
Jamie Strandboge |
gedit: status |
New |
Confirmed |
|
| 2009-01-30 17:56:51 |
Jamie Strandboge |
gedit: importance |
Undecided |
Low |
|
| 2009-01-30 17:56:55 |
Jamie Strandboge |
gnumeric: status |
New |
Confirmed |
|
| 2009-01-30 17:57:00 |
Jamie Strandboge |
gnumeric: importance |
Undecided |
Low |
|
| 2009-01-30 17:57:07 |
Jamie Strandboge |
nautilus: status |
New |
Confirmed |
|
| 2009-01-30 17:57:10 |
Jamie Strandboge |
nautilus: importance |
Undecided |
Low |
|
| 2009-01-30 17:57:15 |
Jamie Strandboge |
python2.4: status |
New |
Confirmed |
|
| 2009-01-30 17:57:19 |
Jamie Strandboge |
python2.4: importance |
Undecided |
Low |
|
| 2009-01-30 17:57:28 |
Jamie Strandboge |
python2.5: status |
New |
Confirmed |
|
| 2009-01-30 17:57:30 |
Jamie Strandboge |
python2.5: importance |
Undecided |
Low |
|
| 2009-01-30 17:57:39 |
Jamie Strandboge |
xchat: status |
New |
Confirmed |
|
| 2009-01-30 17:57:43 |
Jamie Strandboge |
xchat: importance |
Undecided |
Low |
|
| 2009-01-30 17:57:49 |
Jamie Strandboge |
vim: status |
New |
Confirmed |
|
| 2009-01-30 17:57:51 |
Jamie Strandboge |
vim: importance |
Undecided |
Low |
|
| 2009-01-30 18:50:01 |
Jamie Strandboge |
epiphany: status |
New |
Invalid |
|
| 2009-01-30 18:50:01 |
Jamie Strandboge |
epiphany: statusexplanation |
|
|
|
| 2009-01-30 18:50:45 |
Jamie Strandboge |
bug |
|
|
assigned to epiphany-browser (Ubuntu) |
| 2009-01-30 18:51:11 |
Jamie Strandboge |
bug |
|
|
assigned to python2.3 (Ubuntu) |
| 2009-01-30 18:51:38 |
Jamie Strandboge |
epiphany-browser: status |
New |
Confirmed |
|
| 2009-01-30 18:53:13 |
Jamie Strandboge |
python2.3: status |
New |
Confirmed |
|
| 2009-01-30 18:57:18 |
Jamie Strandboge |
nautilus: bugtargetdisplayname |
nautilus (Ubuntu) |
nautilus-python (Ubuntu) |
|
| 2009-01-30 18:57:18 |
Jamie Strandboge |
nautilus: bugtargetname |
nautilus (Ubuntu) |
nautilus-python (Ubuntu) |
|
| 2009-01-30 18:57:18 |
Jamie Strandboge |
nautilus: statusexplanation |
|
|
|
| 2009-01-30 18:57:18 |
Jamie Strandboge |
nautilus: title |
Bug #322196 in nautilus (Ubuntu): "Untrusted search path vulnerability in Python and multiple other programs" |
Bug #322196 in nautilus-python (Ubuntu): "Untrusted search path vulnerability in Python and multiple other programs" |
|
| 2009-02-12 23:28:07 |
Sebastien Bacher |
gedit: status |
Confirmed |
Triaged |
|
| 2009-02-12 23:28:07 |
Sebastien Bacher |
gedit: assignee |
|
desktop-bugs |
|
| 2009-02-12 23:28:07 |
Sebastien Bacher |
gedit: statusexplanation |
|
|
|
| 2009-02-12 23:28:38 |
Sebastien Bacher |
bug |
|
|
assigned to gedit |
| 2009-03-10 01:24:37 |
Bug Watch Updater |
gedit: status |
Unknown |
New |
|
| 2009-04-04 14:40:15 |
Matthias Klose |
bug task added |
|
python2.6 (Ubuntu) |
|
| 2009-04-04 14:40:38 |
Matthias Klose |
python2.6 (Ubuntu): importance |
Undecided |
Low |
|
| 2009-04-04 14:40:38 |
Matthias Klose |
python2.6 (Ubuntu): status |
New |
Confirmed |
|
| 2009-04-04 14:41:09 |
Matthias Klose |
python2.3 (Ubuntu): status |
Confirmed |
Won't Fix |
|
| 2009-04-08 12:20:07 |
Launchpad Janitor |
gedit (Ubuntu): status |
Triaged |
Fix Released |
|
| 2009-04-08 12:32:14 |
Till Ulen |
removed subscriber Alexander Konovalenko |
|
|
|
| 2009-04-16 23:39:33 |
Kees Cook |
epiphany-browser (Ubuntu): importance |
Undecided |
Low |
|
| 2009-04-18 10:10:23 |
Alessio Treglia |
removed subscriber Alessio Treglia |
|
|
|
| 2009-12-02 09:12:10 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/gedit |
|
| 2010-03-05 06:29:07 |
Andreas J Guelzow |
gnumeric (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2010-05-30 18:12:55 |
Artur Rona |
description |
There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:
"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."
(Python 2.6 is vulnerable, too. See the comments.)
Affected packages are, at least:
CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric
I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.
Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2 |
There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:
"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."
(Python 2.6 is vulnerable, too. See the comments.)
Affected packages are, at least:
CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric
I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.
Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2
http://www.openwall.com/lists/oss-security/2009/01/26/2
|
|
| 2010-06-01 20:19:13 |
Launchpad Janitor |
branch linked |
|
lp:~ari-tczew/ubuntu/hardy/xchat/CVE-2009-0315 |
|
| 2010-06-03 13:33:09 |
Jan Claeys |
bug watch added |
|
http://bugs.python.org/issue5753 |
|
| 2010-06-03 13:47:31 |
Jan Claeys |
bug task added |
|
python |
|
| 2010-06-03 15:27:40 |
Bug Watch Updater |
python: status |
Unknown |
Fix Released |
|
| 2010-06-07 14:04:49 |
Marc Deslauriers |
xchat (Ubuntu): status |
Confirmed |
Fix Committed |
|
| 2010-06-07 14:05:14 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
| 2010-06-08 00:23:05 |
Launchpad Janitor |
xchat (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2010-06-08 00:33:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/hardy-security/xchat |
|
| 2010-07-23 11:06:32 |
Bug Watch Updater |
gedit: status |
New |
Fix Released |
|
| 2010-09-15 22:16:37 |
Bug Watch Updater |
gedit: importance |
Unknown |
Medium |
|
| 2011-04-27 15:45:23 |
Jamie Strandboge |
dia (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:46:52 |
Jamie Strandboge |
csound (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:47:20 |
Jamie Strandboge |
eog (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:48:15 |
Jamie Strandboge |
epiphany-browser (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:48:50 |
Jamie Strandboge |
nautilus-python (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:49:20 |
Jamie Strandboge |
vim (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2011-04-27 15:56:30 |
Jamie Strandboge |
python2.6 (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2015-05-03 13:14:34 |
dino99 |
python2.4 (Ubuntu): status |
Confirmed |
Invalid |
|
| 2015-05-03 13:14:52 |
dino99 |
python2.5 (Ubuntu): status |
Confirmed |
Invalid |
|
