r17380 - in /desktop/unstable/eog/debian: changelog patches/02_sanitize_sys.path.patch

manphiz-guest at users.alioth.debian.org manphiz-guest at users.alioth.debian.org
Thu Nov 6 01:32:21 UTC 2008 

Author: manphiz-guest
Date: Thu Nov  6 01:32:21 2008
New Revision: 17380

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=17380
Log:
02_sanitize_sys.path.patch: fix possible security problem caused by
empty sys.path which allows the possibility to run arbitrary code by a
file matches the name of a python module in user's working directory.
Thanks James Vega <jamessan at debian.org> for the patch.
(Closes: #504352)

Added:
    desktop/unstable/eog/debian/patches/02_sanitize_sys.path.patch
Modified:
    desktop/unstable/eog/debian/changelog

Modified: desktop/unstable/eog/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/eog/debian/changelog?rev=17380&op=diff
==============================================================================
--- desktop/unstable/eog/debian/changelog (original)
+++ desktop/unstable/eog/debian/changelog Thu Nov  6 01:32:21 2008
@@ -1,3 +1,13 @@
+eog (2.22.3-2) UNRELEASED; urgency=high
+
+  * 02_sanitize_sys.path.patch: fix possible security problem caused by
+    empty sys.path which allows the possibility to run arbitrary code by a
+    file matches the name of a python module in user's working directory.
+    Thanks James Vega <jamessan at debian.org> for the patch.
+    (Closes: #504352)
+
+ -- Deng Xiyue <manphiz-guest at users.alioth.debian.org>  Thu, 06 Nov 2008 09:05:45 +0800
+
 eog (2.22.3-1) unstable; urgency=low
 
   [ Josselin Mouette ]

Added: desktop/unstable/eog/debian/patches/02_sanitize_sys.path.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/eog/debian/patches/02_sanitize_sys.path.patch?rev=17380&op=file
==============================================================================
--- desktop/unstable/eog/debian/patches/02_sanitize_sys.path.patch (added)
+++ desktop/unstable/eog/debian/patches/02_sanitize_sys.path.patch Thu Nov  6 01:32:21 2008
@@ -1,0 +1,12 @@
+--- a/src/eog-python-module.c
++++ b/src/eog-python-module.c
+@@ -388,6 +388,9 @@
+ 
+ 	PySys_SetArgv (1, argv);
+ 
++	/* Sanitize sys.path */
++	PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
++
+ 	if (!check_pygtk2 ()) {
+ 		/* Warning message already printed in check_pygtk2 */
+ 		goto python_init_error;

More information about the pkg-gnome-commits mailing list