--------------------------------------------------------------------------
Debian Security Advisory DSA 159-2                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 9th, 2002                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : python
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
BugTraq ID     : 5581

[The mail just sent was formatted like an attachment due to a
 misconception on my side.  This mail is only the clearsign version. ]

The bugfix we distributed in DSA 159-1 unfortunately caused Python to
sometimes behave improperly when a non-executable file existed earlier
in the path and an executable file of the same name existed later in
the path.  Zack Weinberg fixed this in the Python source.

For reference, here's the original advisory text:

  Zack Weinberg discovered an insecure use of a temporary file in
  os._execvpe from os.py.  It uses a predictable name which could lead
  to execution of arbitrary code.

This problem has been fixed in several versions of Python:

For the current stable distribution (woody) it has been fixed in
version 1.5.2-23.2 of Python 1.5, in version 2.1.3-3.2 of Python 2.1
and in version 2.2.1-4.2 of Python 2.2.

For the old stable distribution (potato) this has been fixed in
version 1.5.2-10potato13 for Python 1.5.

For the unstable distribution (sid) this has been fixed in version
1.5.2-25 of Python 1.5, in version 2.1.3-9 of Python 2.1 and in
version 2.2.1-11 of Python 2.2.

Python 2.3 is not affected by the original problem.

We recommend that you upgrade your Python packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Please note that all python source packages produce more binary
packages than the ones listed above.  They are not relevant for the
fixed problems, though.

These files will probably be moved into the stable distribution on
its next revision.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
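The two behaviours the advisory describes, a PATH search that must not give up at a non-executable file when an executable of the same name sits later in the path, and one that needs no predictable temporary file to learn what "not found" looks like, as an added Python example; this is not the Debian patch or Python's own os.py, and the directory layout and file name `tool` are constructed.

```python
import errno
import os
import stat
import tempfile


def resolve_in_path(name, path_dirs):
    """Return the first entry of path_dirs holding an executable `name`.

    A candidate that is missing (ENOENT) or lies below a non-directory
    (ENOTDIR) is skipped silently; one that exists but is not executable
    is skipped too, but its error is remembered so the caller gets a
    meaningful failure if nothing later in the path works.  ENOENT is a
    known constant, so no temporary file is needed to discover it."""
    saved_err = None
    for d in path_dirs:
        candidate = os.path.join(d, name)
        try:
            st = os.stat(candidate)
        except OSError as e:
            if e.errno not in (errno.ENOENT, errno.ENOTDIR) and saved_err is None:
                saved_err = e
            continue
        if stat.S_ISREG(st.st_mode) and os.access(candidate, os.X_OK):
            return candidate
        if saved_err is None:  # present but not runnable: remember, keep going
            saved_err = OSError(errno.EACCES, os.strerror(errno.EACCES), candidate)
    raise saved_err or FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), name)


def demo():
    """Constructed layout: a/tool is a plain data file, b/tool is executable.
    The DSA 159-1 regression stopped at a/tool; this search carries on to b."""
    with tempfile.TemporaryDirectory() as root:
        dir_a, dir_b = os.path.join(root, "a"), os.path.join(root, "b")
        os.mkdir(dir_a)
        os.mkdir(dir_b)
        with open(os.path.join(dir_a, "tool"), "w") as f:
            f.write("not a program\n")
        exe = os.path.join(dir_b, "tool")
        with open(exe, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(exe, 0o755)
        missing = os.path.join(root, "nonexistent")
        found = resolve_in_path("tool", [missing, dir_a, dir_b])
        try:
            resolve_in_path("tool", [missing, dir_a])
            denied = False
        except PermissionError:  # EACCES from a/tool is reported, not ENOENT
            denied = True
        return found == exe, denied
```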