Bug 500244 (CVE-2013-7323) - <dev-python/python-gnupg-0.3.6: shell injection vulnerability (CVE-2013-7323, CVE-2014-{1927, 1928})
Summary: <dev-python/python-gnupg-0.3.6: shell injection vulnerability (CVE-2013-7323,...
Status: RESOLVED FIXED
Alias: CVE-2013-7323
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://code.google.com/p/python-gnup...
Whiteboard: ~2 [noglsa]
Reported: 2014-02-04 08:56 UTC by Hanno Böck
Modified: 2014-05-21 03:10 UTC
Description Hanno Böck gentoo-dev 2014-02-04 08:56:49 UTC
The changelog for python-gnupg 0.3.5 lists this:
"Added improved shell quoting to guard against shell injection."

No details given, but it sounds like a pretty severe security issue. Please bump.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-04 13:53:20 UTC
Guessing this one as user-assisted ACE, B2.
Comment 2 Hanno Böck gentoo-dev 2014-02-04 20:29:00 UTC
It was noted on oss-security that the fix in the 0.3.5 release is incomplete. This bug tracks upstream progress on really fixing the issue:
https://code.google.com/p/python-gnupg/issues/detail?id=98#c4
Comment 3 Hanno Böck gentoo-dev 2014-02-06 08:53:37 UTC
0.3.6 released upstream, with (hopefully) complete fix for the issue. Please bump.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-02-11 00:02:56 UTC
Does this version in tree contain the fix, and if so, are we ready for stabilization?

*python-gnupg-0.3.6 (10 Feb 2014)

  10 Feb 2014; Tim Harder <radhermit@gentoo.org> +python-gnupg-0.3.6.ebuild,
  +files/python-gnupg-0.3.6-skip-search-keys-tests.patch:
  Version bump.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-02-11 00:03:54 UTC
(In reply to Yury German from comment #4)
> Does this Version in tree contain the fix and if so are we ready for
> stabilization?

Oops, please ignore the stabilization comment (did not remove it from the paste).

> 
> *python-gnupg-0.3.6 (10 Feb 2014)
> 
>   10 Feb 2014; Tim Harder <radhermit@gentoo.org> +python-gnupg-0.3.6.ebuild,
>   +files/python-gnupg-0.3.6-skip-search-keys-tests.patch:
>   Version bump.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-02-14 18:04:19 UTC
Changing to ~2 as this was never stable.

Fix would be in 0.3.6 upstream.

Maintainer(s), please drop the vulnerable version.

No stable versions, no GLSA Required.
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2014-03-25 11:43:50 UTC
(In reply to Yury German from comment #6)
> Changing to ~2 as this was never stable.
> 
> Fix would be in 0.3.6 upstream.
> 
> Maintainer(s), please drop the vulnerable version.
> 
> No stable versions, no GLSA Required.

The version 0.3.5 was NEVER in portage and so we CAN'T drop it.  I think this bug is closable.
Comment 8 Hanno Böck gentoo-dev 2014-03-25 12:08:48 UTC
> The version 0.3.5 was NEVER in portage and so we CAN'T drop it.  I think
> this bug is closable.

To make things clear: we are talking about two issues here.
The first one affects all previous versions, so 0.3.1 and 0.3.2 are affected and should be removed from portage. The second one was an incomplete fix in 0.3.5 and thus is mostly irrelevant for us, as we don't ship that.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-03-25 13:40:07 UTC
Thank you for the clarification.

Waiting for cleanup on 0.3.2 & 0.3.1-r1 before closing. No change to GLSA status as both are not stable.
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2014-03-25 14:26:11 UTC
(In reply to Hanno Boeck from comment #8)
> > The version 0.3.5 was NEVER in portage and so we CAN'T drop it.  I think
> > this bug is closable.
> 
> To make things clear: we are talking about two issues here.
> The first one affects all previous versions, so 0.3.1 and 0.3.2 are affected
> and should be removed from portage. The second one was an incomplete fix in
> 0.3.5 and thus is mostly irrelevant for us, as we don't ship that.

Right, done.

  25 Mar 2014; Ian Delaney <idella4@gentoo.org> -python-gnupg-0.3.1-r1.ebuild,
  -python-gnupg-0.3.2.ebuild:
  rm old versions wrt sec Bug #500244 by hanno
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:10:16 UTC
Maintainer(s), thank you for the cleanup!

No GLSA needed as there are no stable versions.