From ${URL} : A Debian bug report [1] indicated that catfish suffers from some bad logic when loading the catfish.py script from the /usr/bin/catfish script. This script intentionally looks to load catfish.py in the current working directory. If a user were to run catfish in an untrusted directory that contained a malicious catfish.py, that script would be executed with the privileges of the user running catfish.

This script:

    #!/usr/bin/env bash
    APPNAME=catfish
    if [ -e $APPNAME.py ]
    then
        python $APPNAME.py "$@"
    else
        if [ -e $APPNAME.py ]
        then
            python $APPNAME.py "$@"
        else
            cd /usr/share/$APPNAME
            if [ -e $APPNAME.py ]
            then
                python $APPNAME.py "$@"
            else
                python $APPNAME.py "$@"
            fi
        fi
    fi

should probably be:

    #!/bin/sh
    python /usr/share/catfish.py "$@"

The rest is just development fluff and very poorly written.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739958

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
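The untrusted-search-path problem described in the comment above comes down to one thing: the launcher tests for catfish.py relative to whatever directory the user happens to be in. The following is an added example, not catfish's own launcher and not code from the Debian or Gentoo bug reports. It shows a lookup that only ever consults an absolute, fixed install directory, refuses a relative directory outright, and then demonstrates, with constructed temporary directories, that a same-named file in the current working directory is ignored. The APPNAME and INSTALL_DIR values, the function name safe_script_path and the demo() helper are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not catfish's code): a launcher lookup that never consults
# the current working directory. APPNAME and INSTALL_DIR are assumed values.
APPNAME=catfish
INSTALL_DIR=/usr/share/catfish   # assumed install location, not verified here

# Print the absolute path of "$2.py" inside the install dir "$1".
# Returns 1 (and prints nothing on stdout) if the dir is relative or the
# file is missing, so the caller never falls back to a CWD-relative name.
safe_script_path() {
    dir="$1"
    name="$2"
    case "$dir" in
        /*) ;;  # absolute: CWD cannot influence where the file is looked up
        *)  echo "refusing relative install dir: $dir" >&2; return 1 ;;
    esac
    script="$dir/$name.py"
    if [ -f "$script" ]; then
        printf '%s\n' "$script"
        return 0
    fi
    echo "$script not found" >&2
    return 1
}

# Demonstration with constructed directories (not a real install):
# an "install" dir holding the real script and an untrusted "cwd" dir
# holding a planted file of the same name. Run from the untrusted dir,
# the lookup still resolves to the install copy.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/install" "$tmp/cwd"
    printf 'print("legit")\n'   > "$tmp/install/$APPNAME.py"
    printf 'print("planted")\n' > "$tmp/cwd/$APPNAME.py"
    ( cd "$tmp/cwd" && safe_script_path "$tmp/install" "$APPNAME" )
    rm -rf "$tmp"
}

demo
```

A real launcher would then exec the interpreter on the returned path (`exec python "$path" "$@"`) and exit non-zero when the function fails, rather than retrying with a bare relative name as the original script does.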
CVE-2014-2096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2096): Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 allows local users to gain privileges via a Trojan horse bin/catfish.py under the current working directory.

CVE-2014-2095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2095): Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0, when a Fedora package such as 0.8.2-1 is not used, allows local users to gain privileges via a Trojan horse bin/catfish.pyc under the current working directory.

CVE-2014-2094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2094): Untrusted search path vulnerability in Catfish through 0.4.0.3, when a Fedora package such as 0.4.0.2-2 is not used, allows local users to gain privileges via a Trojan horse catfish.pyc in the current working directory.

CVE-2014-2093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2093): Untrusted search path vulnerability in Catfish through 0.4.0.3 allows local users to gain privileges via a Trojan horse catfish.py in the current working directory.
ping

In the meantime, =dev-util/catfish-1.0.2 has been released. Please update.

https://launchpad.net/catfish-search
*** Bug 518298 has been marked as a duplicate of this bug. ***
From ChangeLog file of catfish-1.0.2 tarball:

    v1.0.1:
    + Fix CVE-2014-2093 CVE-2014-2094 CVE-2014-2095 CVE-2014-2096
      - Debian #739958
      - Fedora #1069396
    + Fix multiple-selection regression (lp: #1283726)
Please test and stabilize: =dev-util/catfish-1.0.2
(In reply to Samuli Suominen from comment #5)
> Please test and stabilize:
>
> =dev-util/catfish-1.0.2

I'm a Gentoo newbie, so excuse me if the following question is not relevant. To resolve the dependency on pexpect for python 3.3 I had to use unstable pexpect (~amd64). So shouldn't this bug depend on Bug 506042, which is the stabilization request for pexpect 3.0 compatible with python 3.3?
(In reply to Paweł Stankowski from comment #6)
> So shouldn't this bug depend on Bug 506042 which is stabilization request
> for pexpect 3.0 compatible with python 3.3?

Sure, you are right.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: yes
Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes. Created a new GLSA request.
Cleanup done, unCCing desktop-misc@; nothing left for us here.
This issue was resolved and addressed in GLSA 201408-04 at http://security.gentoo.org/glsa/glsa-201408-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).