From ${URL} : A vulnerability in Workbench was found. If a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user. Reproducer available at: http://seclists.org/oss-sec/2015/q3/542 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@arches, please stabilize dev-python/pycxx-6.2.6 dev-python/pysvn-1.8.0
amd64 : ok (builds)
Both Build OK on amd64 Basic functionality tested for pysvn
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit 258b64db9acfdbc04832a6b3a316daa5824394b9 Author: Justin Lecher <jlec@gentoo.org> Date: Sat Dec 26 18:58:42 2015 +0100 dev-python/pysvn: Drop vulnerable version for CVE-2015-0853 Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=560530 obsoletes: Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=420191 Package-Manager: portage-2.2.26 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=258b64db9acfdbc04832a6b3a316daa5824394b9
@ Security: I think this bug should be closed as INVALID or at least OBSOLETE: The vulnerable file was "Source/wb_shell_unix_commands.py" which is not included in the python Extension for svn aka "pysvn". Please see http://pysvn.tigris.org/project_source_code.html -- there are 3 different projects. Pysvn wasn't affected and didn't received a fix. See http://pysvn.tigris.org/source/browse/pysvn/trunk/pysvn/WorkBench/Source/wb_shell_unix_commands.py?view=log for a list of change sets regarding the vulnerability in Workbench.
