[ubuntu/trusty-security] python-dbusmock 0.10.1-1ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu May 21 17:39:16 UTC 2015


python-dbusmock (0.10.1-1ubuntu1) trusty-security; urgency=medium

  * SECURITY FIX: When loading a template from an arbitrary file through the
    AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template()
    Python method, don't create or use Python's *.pyc cached files. By
    tricking a user into loading a template from a world-writable directory
    like /tmp, an attacker could run arbitrary code with the user's
    privileges by putting a crafted .pyc file into that directory.

    Note that this is highly unlikely to actually appear in practice as custom
    dbusmock templates are usually shipped in project directories, not
    directly in world-writable directories.
    (LP: #1453815, CVE-2015-1326)

Date: 2015-05-13 18:37:11.779498+00:00
Changed-By: Martin Pitt <martin.pitt at ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/python-dbusmock/0.10.1-1ubuntu1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Trusty-changes mailing list