LinuxSecurity.com
Debian: 'python' Insecure tmp file vulnerability
Posted by LinuxSecurity.com Team   
The bugfix we distributed in DSA 159-1 unfortunately caused Python to sometimes behave improperly when a non-executable file existed earlier in the path and an executable file of the same name existed later in the path.

--------------------------------------------------------------------------
Debian Security Advisory DSA 159-2                     security@debian.org 
http://www.debian.org/security/ Martin Schulze
September 9th, 2002                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : python
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
BugTraq ID     : 5581

[The mail just sent was formatted like an attachment due to a
misconception on my side.  This mail is only the clearsign version. ]

The bugfix we distributed in DSA 159-1 unfortunately caused Python to
sometimes behave improperly when a non-executable file existed earlier
in the path and an executable file of the same name existed later in
the path.  Zack Weinberg fixed this in the Python source.  For
reference, here's the original advisory text:

    Zack Weinberg discovered an insecure use of a temporary file in
    os._execvpe from os.py. It uses a predictable name which could
    lead to execution of arbitrary code.

This problem has been fixed in several versions of Python: For the
current stable distribution (woody) it has been fixed in version
1.5.2-23.2 of Python 1.5, in version 2.1.3-3.2 of Python 2.1 and in
version 2.2.1-4.2 of Python 2.2. For the old stable distribution
(potato) this has been fixed in version 1.5.2-10potato13 for Python
1.5. For the unstable distribution (sid) this has been fixed in
version 1.5.2-25 of Python 1.5, in version 2.1.3-9 of Python 2.1 and
in version 2.2.1-11 of Python 2.2. Python 2.3 is not affected by the
original problem.

We recommend that you upgrade your Python packages.


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
--------------------------------



Debian GNU/Linux 3.0 alias woody
--------------------------------



  Please note that all python source packages produce more binary
  packages than the ones listed above.  They are not relevant for the
  fixed problems, though.

  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb  http://security.debian.org/ stable/updates main
For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and  http://packages.debian.org/
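
The path-search case the advisory describes (a non-executable file earlier in the path, an executable file of the same name later in the path), shown as an added example that is not Debian's or Python's own code. `resolve_in_path`, `_has_exec_bit` and `demo` are hypothetical names, and the sample directory layout is constructed in a private `tempfile.TemporaryDirectory` rather than under a predictable temporary name.

```python
import os
import stat
import tempfile


def _has_exec_bit(path):
    """True if `path` is a regular file with at least one execute bit set.

    This is a mode-bit model only; the kernel makes the final decision
    when the program is actually executed.
    """
    try:
        mode = os.stat(path).st_mode
    except OSError:              # missing file, unreadable directory, ...
        return False
    return stat.S_ISREG(mode) and bool(mode & 0o111)


def resolve_in_path(name, path_dirs):
    """Return the first executable file called `name`, or None.

    A candidate that exists but is not executable is skipped, so a
    directory later in the search path can still supply the program.
    """
    if os.sep in name:           # explicit path: no search is performed
        return name if _has_exec_bit(name) else None
    for directory in path_dirs:
        candidate = os.path.join(directory or os.curdir, name)
        if _has_exec_bit(candidate):
            return candidate
    return None


def demo():
    """Constructed layout: non-executable `tool` first, executable `tool` later."""
    with tempfile.TemporaryDirectory() as root:   # unpredictable, mode 0700
        search = []
        for sub, mode in (("early", 0o644), ("late", 0o755)):
            directory = os.path.join(root, sub)
            os.mkdir(directory)
            path = os.path.join(directory, "tool")
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
            search.append(directory)
        found = resolve_in_path("tool", search)
        return os.path.relpath(found, root) if found else None


if __name__ == "__main__":
    print(demo())
```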




 