Bug#484305: PoC not working for bicyclerepair

Nico Golde nion at debian.org
Mon Jul 7 17:11:10 UTC 2008


severity 484305 grave
thanks

Hi Thomas,
* Thomas Arendsen Hein <thomas at intevation.de> [2008-07-06 22:53]:
> * Steffen Joeris <steffen.joeris at skolelinux.de> [20080706 11:15]:
> > severity 484305 important
> > thanks
> 
> Please do not downgrade severity without providing a reason.

"critical makes unrelated software on the system (or the whole system) 
break, or causes serious data loss, or introduces a security 
hole on systems where you install the package."

I had a look at the issue now and this is not the case 
because you have to a) install vim-python and bicyclerepair 
together and b) set vim.python as the vim alternative.
Thus downgrading this bug.

> As I
> wrote in my original report, this should not be less than "grave":
> 
> | I set Severity to "critical" instead of "grave", because the user who
> | reported the traceback to me on a multi-user system does not use
> | bicyclerepair, but just vim. Reportbug forced me to set "root security
> | hole", because everyone using vim is affected (including root) and
> | the Justification 5 "unknown / something else" would downgrade the
> | Severity to "normal".

I think that this is more like a user security hole because 
the security issue itself doesn't automatically result in 
root access. A root security hole fits better for issues 
in a daemon running as root, for example. But I 
doubt discussing this gets us anywhere and I personally 
don't care about this tag in this case :)

[...] 
> On etch:
> 
> $ dpkg -l bicyclerepair|grep ^i
> ii  bicyclerepair       0.9-4.1             A refactoring tool for python
> 
> $ dpkg -L bicyclerepair|grep vim
> /usr/share/doc/bicyclerepair/README.vim
> /usr/share/vim
> /usr/share/vim/vim62
> /usr/share/vim/vim62/plugin
> /usr/share/vim/vim62/plugin/bike.vim
> /usr/share/vim/vim63
> /usr/share/vim/vim63/plugin
> /usr/share/vim/vim63/plugin/bike.vim
> /usr/share/vim/addons
> /usr/share/vim/addons/plugin
> /usr/share/vim/addons/plugin/bike.vim
> 
> Maybe (I haven't verified) you need:
> /etc/alternatives/vim -> /usr/bin/vim.python

Indeed, this is needed (+ installation of vim-python).
So to sum up, you need to install vim-python and set the 
alternative to vim.python. I am not sure about the status of 
this in unstable; at least I could not reproduce this on 
unstable, but vim.python is also no longer available there, 
a lot in the vim structure has changed since then, and I don't 
really have an idea about the scripting support of vim.

That's why I Cc'ed the vim maintainers. Do you think this 
should also work in the same way in unstable/testing?
I am also not really sure what is causing the automatic 
import.

To reproduce this on stable:
cd /tmp && apt-get source roundup && cd roundup-1.2.1/roundup/
apt-get install vim-python bicyclerepair
update-alternatives --set vim /usr/bin/vim.python
and edit some random file (e.g. vim /tmp/foobar).

I found out that the file that causes this is token.py in 
the roundup sources. Another way to reproduce this would be
to create a file named fcntl.py in the current directory:

cat >> fcntl.py << EOF
print "FOOOOBAR"
EOF

This file is also automatically imported, besides the files
bike.py, compiler.py, parser.py, symbol.py, token.py, struct.py, 
cStringIO.py, dis.py, opcode.py, new.py, re.py, sre.py, 
sre_compile.py, sre_constants.py, sre_parse.py, __future__.py, 
string.py, strop.py, tempfile.py, random.py, math.py, binascii.py, 
_random.py and fcntl.py


Something should prepend '.' to sys.path but I don't see 
anything doing this :/

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
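The mechanism behind this report is a search path that contains the current working directory ('' or '.'), so any module the embedded interpreter imports can be satisfied by a same-named file in the directory where vim was started. The following is an added example, not code from the bug report, from bicyclerepair or from the vim packages: it checks a given sys.path for current-directory entries, lists which of the modules the report names would be shadowed by files in a directory, and shows the mitigation (dropping such entries before importing). It uses Python 3 and importlib, whereas the report concerns vim-python on Python 2; the function names, the AUTO_IMPORTED list (copied from the report's list of auto-imported files) and the planted token.py/fcntl.py stand-ins in the demo are constructed for this example.

```python
"""Detect and neutralise current-directory module shadowing (added example)."""
import importlib.machinery
import os
import sys
import tempfile

# Module names the bug report lists as auto-imported by bike.vim. Any of them
# can be satisfied by a same-named file in the directory vim was started in
# when '' or '.' sits on sys.path ahead of the standard library.
AUTO_IMPORTED = ["bike", "compiler", "parser", "symbol", "token", "struct",
                 "cStringIO", "dis", "opcode", "new", "re", "sre", "sre_compile",
                 "sre_constants", "sre_parse", "__future__", "string", "strop",
                 "tempfile", "random", "math", "binascii", "_random", "fcntl"]


def cwd_entries(path):
    """Indices of `path` entries that resolve to the current working directory.

    '' and '.' are the usual offenders; an absolute entry that happens to equal
    the cwd is reported as well.
    """
    here = os.path.realpath(os.getcwd())
    return [i for i, entry in enumerate(path)
            if os.path.realpath(entry or os.curdir) == here]


def shadowed_modules(directory, names):
    """Names from `names` that a .py file or package inside `directory` would
    satisfy, i.e. what a writable cwd on the search path lets someone hijack."""
    return [n for n in names
            if os.path.isfile(os.path.join(directory, n + ".py"))
            or os.path.isfile(os.path.join(directory, n, "__init__.py"))]


def hardened_path(path):
    """Copy of `path` with every cwd-resolving entry removed: the mitigation an
    embedding application or plugin should apply before its first import."""
    drop = set(cwd_entries(path))
    return [p for i, p in enumerate(path) if i not in drop]


def origin_dir(name, path):
    """Directory `name` would be loaded from when searching `path`, or None if
    no path entry provides it (built-in modules fall outside path lookup)."""
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
        return None
    return os.path.dirname(os.path.realpath(spec.origin))


def demo():
    """Constructed scenario mirroring the report: a directory holding token.py
    and fcntl.py stand-ins, with '' first on the search path.

    Returns (shadowed names, whether `token` resolves to the planted directory
    on the risky path, whether it still does on the hardened path).
    """
    with tempfile.TemporaryDirectory() as d:
        for fake in ("token.py", "fcntl.py"):
            with open(os.path.join(d, fake), "w") as f:
                f.write("# constructed stand-in for a planted module\nPLANTED = True\n")
        saved = os.getcwd()
        os.chdir(d)
        try:
            risky = [""] + [p for p in sys.path if p and p != "."]
            safe = hardened_path(risky)
            planted = os.path.realpath(d)
            return (shadowed_modules(os.getcwd(), AUTO_IMPORTED),
                    origin_dir("token", risky) == planted,
                    origin_dir("token", safe) == planted)
        finally:
            os.chdir(saved)


if __name__ == "__main__":
    shadowed, risky_hit, safe_hit = demo()
    print("shadowed in planted dir:", shadowed)
    print("token loaded from planted dir on risky path:", risky_hit)
    print("token loaded from planted dir on hardened path:", safe_hit)
```

The check that matters is `origin_dir`: it asks the import system where a name would come from rather than guessing from filenames, so it also covers the case where the cwd entry sits behind the standard library and only shadows modules that are absent from the installation. `hardened_path` is what an embedding host should do once, before any plugin code runs; stripping the entry after the first import is too late.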