
Bug 560530 (CVE-2015-0853)

Summary: <dev-python/pysvn-1.8.0: Insecure use of os.system() in Workbench (CVE-2015-0853)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: python, whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1262928
Whiteboard: B2 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 568392
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-09-15 10:00:21 UTC
From ${URL} :

A vulnerability in Workbench was found. If a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user.

Reproducer available at:

http://seclists.org/oss-sec/2015/q3/542


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
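To make the pattern in the report concrete, here is an added illustration (constructed for this page, not Workbench's or pysvn's code) of a directory name reaching os.system() unquoted, beside the hardened form that hands argv to subprocess with cwd= and never involves a shell. The directory name, the metacharacter check and all helper names are assumptions.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed directory name (not the reporter's reproducer): text that
# /bin/sh would read as a second command if spliced into a shell string.
SUSPICIOUS_DIR_NAME = "project; echo INJECTED"

SHELL_METACHARACTERS = set(";&|`$<>()\n")


def build_command_vulnerable(directory: str) -> str:
    """Mirror the unsafe pattern: interpolate a path into an os.system()
    string. Returns the string only; it is never executed here."""
    return "cd %s; exec $SHELL" % directory


def build_command_quoted(directory: str) -> str:
    """Minimal fix when a shell really is needed: shlex.quote() turns the
    whole path into one shell word, so ';' loses its meaning."""
    return "cd %s; exec $SHELL" % shlex.quote(directory)


def has_shell_metacharacters(directory: str) -> bool:
    """Defensive check: flag paths /bin/sh would parse as more than one
    word or command, so a launcher can refuse or warn before running."""
    return any(ch in SHELL_METACHARACTERS for ch in directory)


def run_in_directory_safe(directory: str, argv: list) -> str:
    """Hardened form: no shell at all. argv is a list and the chdir is
    done by cwd=, so the directory name is plain data."""
    result = subprocess.run(argv, cwd=directory, capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


def demo() -> tuple:
    """Create a directory with the suspicious name and launch a command
    inside it safely; returns (expected path, path the child reported)."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, SUSPICIOUS_DIR_NAME)
        os.mkdir(target)
        seen = run_in_directory_safe(
            target, ["python3", "-c", "import os; print(os.getcwd())"])
        return os.path.realpath(target), seen
```

The safe launcher reports the literal directory and nothing after the ';' runs, while the unquoted builder shows the exact string a shell would have split into two commands.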
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-12-17 10:47:29 UTC
@arches, please stabilize

dev-python/pycxx-6.2.6
dev-python/pysvn-1.8.0
Comment 2 Gabor Kovari 2015-12-19 09:29:53 UTC
amd64 : ok (builds)
Comment 3 Craig Inches 2015-12-19 15:14:56 UTC
Both Build OK on amd64
Basic functionality tested for pysvn
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-24 20:12:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:02 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:09 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2015-12-26 17:59:32 UTC
commit 258b64db9acfdbc04832a6b3a316daa5824394b9
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Dec 26 18:58:42 2015 +0100

    dev-python/pysvn: Drop vulnerable version for CVE-2015-0853

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=560530

    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=420191

    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=258b64db9acfdbc04832a6b3a316daa5824394b9
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-02 15:20:59 UTC
@ Security: I think this bug should be closed as INVALID or at least OBSOLETE:

The vulnerable file was "Source/wb_shell_unix_commands.py" which is not included in the python Extension for svn aka "pysvn".

Please see http://pysvn.tigris.org/project_source_code.html -- there are 3 different projects. Pysvn wasn't affected and didn't receive a fix.

See http://pysvn.tigris.org/source/browse/pysvn/trunk/pysvn/WorkBench/Source/wb_shell_unix_commands.py?view=log for a list of change sets regarding the vulnerability in Workbench.