Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 257004 (CVE-2009-0314) - <app-editors/gedit-{2.22.3-r2,2.24.3} Untrusted search path vulnerability (CVE-2009-0314)
Summary: <app-editors/gedit-{2.22.3-r2,2.24.3} Untrusted search path vulnerability (CV...
Status: RESOLVED FIXED
Alias: CVE-2009-0314
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2008-5983
Blocks: gnome2.24
  Show dependency tree
 
Reported: 2009-01-30 22:48 UTC by Stefan Behte (RETIRED)
Modified: 2014-05-31 19:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-30 22:48:11 UTC 
CVE-2009-0314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0314):
  Untrusted search path vulnerability in the Python module in gedit
  allows local users to execute arbitrary code via a Trojan horse
  Python file in the current working directory, related to a
  vulnerability in the PySys_SetArgv function (CVE-2008-5983).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-30 23:41:03 UTC 
I am not sure whether this bug is being tracked upstream. Please see the blocker for details and a patch example.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 01:40:05 UTC 
upstream bug: http://bugzilla.gnome.org/show_bug.cgi?id=569214
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-03-16 21:50:54 UTC 
adapted upstream patch for 2.22.3 and committed as 2.22.3-r2. Sorry for taking so long. For testers, there is a file on the upstream bug to test if the issue is properly resolved.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 23:02:40 UTC 
Arches, please test and mark stable:
=app-editors/gedit-2.22.3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

OR

=app-editors/gedit-2.24.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Already stabled : "amd64 ppc ppc64 x86"
Missing keywords: "alpha arm hppa ia64 sh sparc"
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-03-18 19:32:57 UTC 
=app-editors/gedit-2.22.3-r1 stable on alpha.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-03-20 15:23:50 UTC 
ia64/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-23 04:48:12 UTC 
Stable for HPPA.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 09:18:02 UTC 
GLSA request filed.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 10:46:50 UTC 
Oops, looks like we need 2.22.3-r2 (read: revision two) stable.
sparc/hppa: Could you pretty please stable the correct ebuild once more? :)

On the other arches we have 2.24.3 stable so that shouldn't be a problem there.

Sorry for the noise!
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-27 21:43:11 UTC 
app-editors/gedit-2.24.3 will go stable for HPPA with the rest of gnome 2.24.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-27 21:43:56 UTC 
Hmm. Oh.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-30 21:51:34 UTC 
GLSA 200903-41
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-31 16:27:31 UTC 
Stable for HPPA.
Comment 14 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-12 19:48:07 UTC 
sparc also stable for =app-editors/gedit-2.24.3
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-04-28 17:53:50 UTC 
arm/sh stable
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-14 07:35:35 UTC 
GLSA still unfixed...
Comment 17 Gilles Dartiguelongue (RETIRED) gentoo-dev 2011-04-11 09:37:37 UTC 
All affected ebuilds left the tree months ago.
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 19:53:27 UTC 
There is really no point in fixing this GLSA since the upgrade paths are now all obsolete. Closing.