[Bug 1427742] Re: mate-menu package needs updating
Martin Wimpress
1427742 at bugs.launchpad.net
Fri Mar 6 09:48:16 UTC 2015
There is a Shell Command Injection vulnerability in the version of MATE
Menu currently residing in the official Ubuntu archive. This issue is
described here:
* https://bugs.launchpad.net/ubuntu-mate/+bug/1422402
mate-menu 5.6.2 directly addresses the issue above, but as you point out
was not released in Ubuntu. Should I change the entry for mate-menu
5.6.2 in the changelog to UNRELEASED?
However, after doing a code review I found other exploitable methods in
the package management features of MATE Menu.
So I started on mate-menu 5.6.3 and the following changes address the
other exploitable code.
+ Removed package management features.
+ Removed useless imports and dead code.
+ Refactored some os.system() calls to Pythonic equivalents.
Personally, I do not think a Menu should be trying to be a package
manager, certainly not one that is exploitable. Before removing those
features I consulted with the Ubuntu MATE community here:
* https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs
The message was clear: most people didn't know the package management
features existed, and of those that did know about them, they didn't use them.
So I took the decision to remove an insecure unused feature rather than
fix it.
I hope that explains my rationale.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1427742
Title:
mate-menu package needs updating
Status in Ubuntu MATE:
New
Status in mate-menu package in Ubuntu:
New
Bug description:
A new version of mate-menu is available that adds translations and
also addresses shell command injection.
* https://bugs.launchpad.net/ubuntu-mate/+bug/1422402
The source for the packages is available from the following
repositories in the 'ubuntu/15.04' branch.
git clone https://alioth.debian.org/anonscm/git/pkg-mate/mate-menu.git
cd mate-menu
git checkout ubuntu/15.04
debian/rules get-orig-source
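The change Martin lists above, refactoring os.system() calls to Pythonic equivalents, is the fix for the injection class this bug is about. The following is an added example, not mate-menu's code: it shows how a name spliced into a command string is tokenised by the shell, how a subprocess argument list keeps the same string inert, and a Debian package-name check as defence in depth. The "apt-cache show" command string and the sample input are constructed, and sys.executable stands in for the external tool so the example runs anywhere.

```python
"""Shell command injection via os.system() versus a subprocess argument list.

Added example for illustration; it is not code from mate-menu.
"""
import re
import shlex
import subprocess
import sys

# Constructed sample input: a package name as it might arrive from a menu
# text field. The trailing part is only here to show how a shell tokenises it.
UNTRUSTED_NAME = "firefox; echo injected"

# Debian Policy 5.6.1: lower-case letters, digits, '+', '-', '.', at least
# two characters, starting with an alphanumeric character.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def shell_tokens(name):
    """Return what /bin/sh would see when `name` is spliced into a command
    string the way os.system("apt-cache show %s" % name) does.

    shlex with punctuation_chars=True applies POSIX word-splitting and
    treats ';' as an operator token, so the input becomes a second command.
    The string is only tokenised here, never executed.
    """
    command = "apt-cache show %s" % name  # the vulnerable pattern
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def run_hardened(name):
    """Pythonic equivalent: no shell is involved, `name` is exactly one argv
    element, and the child receives the whole string unchanged.

    sys.executable echoing its first argument stands in for the real tool.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def is_valid_package_name(name):
    """Reject anything that is not a syntactically valid Debian package name
    before it reaches any command at all."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("shell sees:", shell_tokens(UNTRUSTED_NAME))
    print("argv sees:", run_hardened(UNTRUSTED_NAME))
    print("valid name:", is_valid_package_name(UNTRUSTED_NAME))
```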