Gentoo Bug 257000 - <www-client/epiphany-2.22.3-r2 Untrusted search path vulnerability (CVE-2008-5985)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	257000
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Stefan Behte <craig@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 257000 depends on:	256619		Show dependency tree
Bug 257000 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2009-01-30 22:30 0000

CVE-2008-5985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5985):
  Untrusted search path vulnerability in the Python interface in
  Epiphany 2.22.3, and possibly other versions, allows local users to
  execute arbitrary code via a Trojan horse Python file in the current
  working directory, related to a vulnerability in the PySys_SetArgv
  function (CVE-2008-5983).

------- Comment #1 From Robert Buchholz 2009-01-30 23:41:08 0000 -------

I am not sure whether this bug is being tracked upstream. Please see the
blocker for details and a patch example.

------- Comment #2 From Robert Buchholz 2009-01-30 23:44:29 0000 -------

Debian patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=sanitize_sys.path.diff;att=1;bug=504363

------- Comment #3 From Daniel Gryniewicz 2009-02-24 16:59:47 0000 -------

2.22.3-r2 and 2.22.3-r12 are in the tree.

------- Comment #4 From Robert Buchholz 2009-02-25 17:11:24 0000 -------

Arches, please test and mark stable:
=www-client/epiphany-2.22.3-r2
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

------- Comment #5 From Ferris McCormick 2009-02-25 18:31:03 0000 -------

Sparc stable, seems fine (tested with USE=xulrunner).

------- Comment #6 From Markus Meier 2009-02-25 20:04:16 0000 -------

amd64/x86 stable

------- Comment #7 From Raúl Porcel 2009-02-26 14:44:06 0000 -------

alpha/ia64 stable

------- Comment #8 From Jeroen Roovers 2009-02-26 16:21:23 0000 -------

Stable for HPPA.

------- Comment #9 From Brent Baude 2009-02-26 17:31:12 0000 -------

ppc and ppc64 done

------- Comment #10 From Robert Buchholz 2009-03-09 13:57:53 0000 -------

GLSA 200903-16

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 257000

<www-client/epiphany-2.22.3-r2 Untrusted search path vulnerability (CVE-2008-5985)

Last modified: 2009-03-09 13:57:53 0000