Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 560530 (CVE-2015-0853) - <dev-python/pysvn-1.8.0: Insecure use of os.system() in Workbench (CVE-2015-0853)
Summary: <dev-python/pysvn-1.8.0: Insecure use of os.system() in Workbench (CVE-2015-0...
Status: RESOLVED INVALID
Alias: CVE-2015-0853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on: 568392
Blocks:
  Show dependency tree
 
Reported: 2015-09-15 10:00 UTC by Agostino Sarubbo
Modified: 2016-12-05 01:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-09-15 10:00:21 UTC
From ${URL} :

A vulnerability in Workbench was found. If a user was tricked into using the "Command Shell" menu item while in a directory with a specially-crafted name, svn-workbench would execute arbitrary commands with the permissions of the user.

Reproducer available at:

http://seclists.org/oss-sec/2015/q3/542


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher gentoo-dev 2015-12-17 10:47:29 UTC
@arches, please stabilize

dev-python/pycxx-6.2.6
dev-python/pysvn-1.8.0
Comment 2 Gabor Kovari 2015-12-19 09:29:53 UTC
amd64 : ok (builds)
Comment 3 Craig Inches 2015-12-19 15:14:56 UTC
Both Build OK on amd64
Basic functionality tested for pysvn
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-24 20:12:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:02 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:09 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Justin Lecher gentoo-dev 2015-12-26 17:59:32 UTC
commit 258b64db9acfdbc04832a6b3a316daa5824394b9
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Dec 26 18:58:42 2015 +0100

    dev-python/pysvn: Drop vulnerable version for CVE-2015-0853

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=560530

    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=420191

    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=258b64db9acfdbc04832a6b3a316daa5824394b9
Comment 8 Thomas Deutschmann gentoo-dev Security 2016-12-02 15:20:59 UTC
@ Security: I think this bug should be closed as INVALID or at least OBSOLETE:

The vulnerable file was "Source/wb_shell_unix_commands.py" which is not included in the python Extension for svn aka "pysvn".

Please see http://pysvn.tigris.org/project_source_code.html -- there are 3 different projects. Pysvn wasn't affected and didn't received a fix.

See http://pysvn.tigris.org/source/browse/pysvn/trunk/pysvn/WorkBench/Source/wb_shell_unix_commands.py?view=log for a list of change sets regarding the vulnerability in Workbench.