Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 560530 (CVE-2015-0853) - <dev-python/pysvn-1.8.0: Insecure use of os.system() in Workbench (CVE-2015-0853)
Summary: <dev-python/pysvn-1.8.0: Insecure use of os.system() in Workbench (CVE-2015-0...
Alias: CVE-2015-0853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa cve]
Depends on: 568392
  Show dependency tree
Reported: 2015-09-15 10:00 UTC by Agostino Sarubbo
Modified: 2016-12-05 01:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-09-15 10:00:21 UTC
From ${URL} :

A vulnerability in Workbench was found. If a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user.

Reproducer available at:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher gentoo-dev 2015-12-17 10:47:29 UTC
@arches, please stabilize

Comment 2 Gabor Kovari 2015-12-19 09:29:53 UTC
amd64 : ok (builds)
Comment 3 Craig Inches 2015-12-19 15:14:56 UTC
Both Build OK on amd64
Basic functionality tested for pysvn
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-24 20:12:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:02 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:09 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Justin Lecher gentoo-dev 2015-12-26 17:59:32 UTC
commit 258b64db9acfdbc04832a6b3a316daa5824394b9
Author: Justin Lecher <>
Date:   Sat Dec 26 18:58:42 2015 +0100

    dev-python/pysvn: Drop vulnerable version for CVE-2015-0853



    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <>
Comment 8 Thomas Deutschmann gentoo-dev Security 2016-12-02 15:20:59 UTC
@ Security: I think this bug should be closed as INVALID or at least OBSOLETE:

The vulnerable file was "Source/" which is not included in the python Extension for svn aka "pysvn".

Please see -- there are 3 different projects. Pysvn wasn't affected and didn't received a fix.

See for a list of change sets regarding the vulnerability in Workbench.