Bug#484305: PoC not working for bicyclerepair
Nico Golde
nion at debian.org
Mon Jul 7 17:11:10 UTC 2008
severity 484305 grave
thanks
Hi Thomas,
* Thomas Arendsen Hein <thomas at intevation.de> [2008-07-06 22:53]:
> * Steffen Joeris <steffen.joeris at skolelinux.de> [20080706 11:15]:
> > severity 484305 important
> > thanks
>
> Please do not downgrade severity without providing a reason.
"critical makes unrelated software on the system (or the whole system)
break, or causes serious data loss, or introduces a security
hole on systems where you install the package."
I had a look at the issue now and this is not the case
because you have to a) install vim-python and bicyclerepair
together and b) set vim.python as the vim alternative.
Thus downgrading this bug.
> As I
> wrote in my original report, this should not be less than "grave":
>
> | I set Severity to "critical" instead of "grave", because the user who
> | reported the traceback to me on a multi-user system does not use
> | bicyclerepair, but just vim. Reportbug forced me to set "root security
> | hole", because everyone using vim is affected (including root) and
> | the Justification 5 "unknown / something else" would downgrade the
> | Severity to "normal".
I think that this is more like a user security hole because
the security issue itself doesn't automatically result in
root access. "root security hole" fits better for issues
in a daemon running as root, for example. But I
doubt discussing this gets us anywhere and I personally
don't care about this tag in this case :)
[...]
> On etch:
>
> $ dpkg -l bicyclerepair|grep ^i
> ii bicyclerepair 0.9-4.1 A refactoring tool for python
>
> $ dpkg -L bicyclerepair|grep vim
> /usr/share/doc/bicyclerepair/README.vim
> /usr/share/vim
> /usr/share/vim/vim62
> /usr/share/vim/vim62/plugin
> /usr/share/vim/vim62/plugin/bike.vim
> /usr/share/vim/vim63
> /usr/share/vim/vim63/plugin
> /usr/share/vim/vim63/plugin/bike.vim
> /usr/share/vim/addons
> /usr/share/vim/addons/plugin
> /usr/share/vim/addons/plugin/bike.vim
>
> Maybe (I haven't verified) you need:
> /etc/alternatives/vim -> /usr/bin/vim.python
Indeed, this is needed (+ installation of vim-python).
So to sum up you need to install vim-python and set the
alternative to vim.python. I am not sure about the status of
this in unstable, at least I could not reproduce this on
unstable but vim.python is also no longer available there,
a lot in the vim structure changed since then and I don't
really have an idea about the scripting support of vim.
That's why I Cc'ed the vim maintainers. Do you think this
should also work in the same way in unstable/testing?
I am also not really sure what is causing the automatic
import.
To reproduce this on stable:
cd /tmp && apt-get source roundup && cd roundup-1.2.1/roundup/
apt-get install vim-python bicyclerepair
update-alternatives --set vim /usr/bin/vim.python
and edit some random file (e.g. vim /tmp/foobar).
I found out that the file that causes this is token.py in
the roundup sources. Another way to reproduce this would be
to create a file named fcntl:
cat >> fcntl.py << EOF
print "FOOOOBAR"
EOF
This file is also automatically imported besides the files
bike.py, compiler.py, parser.py, symbol.py, token.py, struct.py
cStringIO.py, dis.py, opcode.py, new.py, re.py, sre.py
sre_compile.py, sre_constants.py, sre_parse.py, __future__.py
string.py, strop.py, tempfile.py, random.py, math.py, binascii.py
_random.py and fcntl.py
Something should prepend '.' to syspath but I don't see
anything doing this :/
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
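The report above boils down to two conditions that have to hold at once: the current working directory (as '' or '.') sits on the interpreter's module search path ahead of the standard library, and that directory contains a file whose name matches a module the plugin imports (fcntl.py, token.py, ...). The following script is an added example for this thread, not code from the bug report, Debian, vim or bicyclerepair: it audits a search path for current-directory entries and lists files in a directory that would shadow the modules Nico observed being imported. The directory contents in `demo()` are constructed; the module list is the one from the mail.

```python
"""Audit a Python module search path for current-directory entries and for
files that would shadow modules imported implicitly (as in #484305).

Added example for the pkg-vim-maintainers thread; not code from the bug
report, Debian, vim or bicyclerepair. Directory contents below are constructed.
"""
import os
import sys
import tempfile

# Modules the mail lists as being imported automatically when the plugin loads.
AUTO_IMPORTED = [
    "bike", "compiler", "parser", "symbol", "token", "struct",
    "cStringIO", "dis", "opcode", "new", "re", "sre",
    "sre_compile", "sre_constants", "sre_parse", "__future__",
    "string", "strop", "tempfile", "random", "math", "binascii",
    "_random", "fcntl",
]


def cwd_entries(path_list, cwd):
    """Indices of search-path entries that resolve to the working directory:
    '' and '.' (both mean cwd to the import system) or an absolute path equal
    to it. A low index means cwd is searched *before* the standard library."""
    hits = []
    for i, entry in enumerate(path_list):
        if entry in ("", "."):
            hits.append(i)
        elif os.path.abspath(entry) == os.path.abspath(cwd):
            hits.append(i)
    return hits


def shadowing_files(directory, module_names):
    """Sorted names of files in `directory` that would be picked up as one of
    `module_names` if that directory precedes the stdlib on the search path:
    foo.py, foo.pyc, or a package directory foo/ containing __init__.py."""
    found = set()
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    for name in names:
        base, ext = os.path.splitext(name)
        full = os.path.join(directory, name)
        if ext in (".py", ".pyc") and base in module_names:
            found.add(base)
        elif (os.path.isdir(full) and name in module_names
              and os.path.exists(os.path.join(full, "__init__.py"))):
            found.add(name)
    return sorted(found)


def audit(path_list, cwd, module_names=AUTO_IMPORTED):
    """Combine both checks. `risky` is True only when cwd is on the path AND
    a shadowing file exists, i.e. when opening a file in that directory could
    run its contents through an implicit import."""
    idx = cwd_entries(path_list, cwd)
    shadows = shadowing_files(cwd, module_names)
    return {"cwd_index": idx[0] if idx else None,
            "shadowed": shadows,
            "risky": bool(idx) and bool(shadows)}


def demo():
    """Constructed scenario: a directory holding fcntl.py and token.py (the two
    files named in the report) plus an unrelated file, checked against a search
    path that starts with '.' and against the same path with '.' removed."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("fcntl.py", "token.py", "notes.txt"):
            with open(os.path.join(d, name), "w") as f:
                f.write("# constructed placeholder, never imported here\n")
        clean = [p for p in sys.path if p not in ("", ".")]
        return audit(["."] + clean, d), audit(clean, d)


if __name__ == "__main__":
    risky, safe = demo()
    print("with '.' on sys.path :", risky)
    print("without it           :", safe)
```

Running `python3 -c "import sys; print(sys.path)"` from inside the interpreter embedded in an editor shows whether '' or '.' is present; `audit()` can then be pointed at any directory a user is about to open files in. The module list is only the one from this report, so a file shadowing some other module would not be flagged unless it is added to `AUTO_IMPORTED`.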