Bug#777079: jython: CVE-2013-2027
Markus Koschany
apo at gambaru.de
Wed Nov 18 22:42:04 UTC 2015
On Wed, 04 Feb 2015 21:09:40 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: jython
> Version: 2.5.2-1
> Severity: important
> Tags: security upstream
>
> Hi
>
> Several issues were mentioned in Red Hat Bugzilla at [0] referencing
> the issue which creates executable class files with wrong permissions
> with CVE-2013-2027.
>
> At least it seems present in the Debian package that the package
> writes to /usr/share. In the SuSE bugzilla[1] there are some links to
> fixes applied in SuSE[2].
>
> Could you please double-check the jython package in Debian?
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=947949
> [1] https://bugzilla.novell.com/show_bug.cgi?id=916224
> [2] https://build.opensuse.org/request/show/284056
>
I had a look at this vulnerability but I couldn't reproduce the attack
vector described at
https://bugzilla.redhat.com/show_bug.cgi?id=947949
The file is still read-only for everyone and group owners.
The patches at
https://build.opensuse.org/request/show/284056
https://bugzilla.redhat.com/show_bug.cgi?id=947949
cannot be applied as is because we use a newer Jython version.
According to upstream
http://bugs.jython.org/issue2044
this issue appears to be resolved in version 2.7 but they give no
details whether this is fixed in the 2.5 series.
I suggest keeping the bug open until 2.7 is packaged, but I don't think
this is an issue for Debian. More feedback is welcome.
Markus
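As an added check, not part of this thread or of the Jython package: a small shell audit that lists .class files under a directory whose mode grants write access to group or others, the condition behind the CVE-2013-2027 report. It builds a constructed sample tree with hypothetical file names so it runs offline.

```shell
#!/bin/sh
# Added example: audit a tree for .class files writable by group or others.
# audit_class_perms DIR prints each offending path on its own line and
# returns 1 if any were found, 0 if every .class file is group/other read-only.
audit_class_perms() {
    dir="$1"
    # -perm -020: group-write bit set; -perm -002: other-write bit set (POSIX find)
    found="$(find "$dir" -type f -name '*.class' \
                  \( -perm -020 -o -perm -002 \) 2>/dev/null)"
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical names, not Jython's real cache layout):
# one correctly permissioned class file, one world-writable class file, and a
# world-writable non-class file that the audit must ignore.
make_sample_tree() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/cachedir/packages"
    : > "$tmp/cachedir/packages/good.class"
    chmod 0644 "$tmp/cachedir/packages/good.class"
    : > "$tmp/cachedir/packages/bad.class"
    chmod 0666 "$tmp/cachedir/packages/bad.class"
    : > "$tmp/cachedir/packages/notes.txt"
    chmod 0666 "$tmp/cachedir/packages/notes.txt"
    printf '%s\n' "$tmp"
}
```

Run it against a real cache directory with `audit_class_perms /path/to/cachedir`; a non-zero exit status means at least one class file is not read-only for group and others.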