[Bug 1427742] Re: mate-menu package needs updating

Martin Wimpress 1427742 at bugs.launchpad.net
Fri Mar 6 09:48:16 UTC 2015


There is a Shell Command Injection vulnerability in the version of MATE
Menu currently residing in the official Ubuntu archive. This issue is
described here:

  * https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

mate-menu 5.6.2 directly addresses the issue above, but, as you point out,
was not released in Ubuntu. Should I change the entry for mate-menu
5.6.2 in the changelog to UNRELEASED?

However, after doing a code review I found other exploitable methods in
the package management features of MATE Menu.

So I started on mate-menu 5.6.3 and the following changes address the
other exploitable code.

  + Removed package management features.
  + Removed useless imports and dead code.
  + Refactored some os.system() calls to Pythonic equivalents.

Personally, I do not think a Menu should be trying to be a package
manager, certainly not one that is exploitable. Before removing those
features I consulted with the Ubuntu MATE community here:

  * https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs

The message was clear: most people didn't know the package management
features existed, and of those that did know about them, they didn't use them.
So I took the decision to remove an insecure unused feature rather than
fix it.

I hope that explains my rationale.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1427742

Title:
  mate-menu package needs updating

Status in Ubuntu MATE:
  New
Status in mate-menu package in Ubuntu:
  New

Bug description:
  A new version of mate-menu is available that adds translations and
  also addresses shell command injection.

    * https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

  The source for the packages is available from the following
  repositories in the 'ubuntu/15.04' branch.

    git clone https://alioth.debian.org/anonscm/git/pkg-mate/mate-menu.git
    cd mate-menu
    git checkout ubuntu/15.04
    debian/rules get-orig-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1427742/+subscriptions



More information about the Ubuntu-sponsors mailing list
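The message above describes shell command injection through os.system() and a refactoring to "Pythonic equivalents". The following is an added illustration of that pattern and its fix; it is not mate-menu's code and does not reproduce the actual vulnerable call. It uses `echo` as a stand-in for the package-management command, a constructed package name carrying shell metacharacters, and an allow-list check based on the Debian package-name rules (lowercase letters, digits, `+`, `-`, `.`, at least two characters). The function names are hypothetical.

```python
import re
import shlex
import subprocess

# Constructed input for the demonstration: a "package name" that carries
# shell metacharacters. It is made up, not taken from any real report.
MALICIOUS_NAME = "gedit; echo PWNED"

# Debian policy package-name grammar: lowercase alphanumerics plus '+', '-'
# and '.', at least two characters, starting with a letter or digit.
_PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.\-]+$")


def run_vulnerable(package_name):
    """The os.system() shape: the name is pasted into a shell string.

    /bin/sh parses the whole string, so ';' terminates the intended
    command and starts a second one. 'echo' stands in for a tool such as
    apt-cache; output is captured here instead of going to the terminal,
    otherwise this is what os.system("echo %s" % name) does.
    """
    cmd = "echo %s" % package_name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(package_name):
    """The Pythonic equivalent: an argv list with no shell in between.

    The name arrives at the program as exactly one argument, so ';'
    and friends are inert data rather than syntax.
    """
    return subprocess.run(["echo", package_name],
                          capture_output=True, text=True).stdout


def run_quoted(package_name):
    """If a shell is genuinely needed (pipes, redirects), quote each value
    with shlex.quote() so the shell sees a single literal word."""
    cmd = "echo %s" % shlex.quote(package_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_package_name(package_name):
    """Allow-list check for defence in depth: reject anything that is not a
    syntactically valid Debian package name before invoking any tool."""
    return _PACKAGE_NAME_RE.fullmatch(package_name) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_NAME)))
    print("hardened:  ", repr(run_hardened(MALICIOUS_NAME)))
    print("quoted:    ", repr(run_quoted(MALICIOUS_NAME)))
    print("valid?     ", is_valid_package_name(MALICIOUS_NAME))
```

Run on the constructed name, the vulnerable form prints two lines (the second command executed), while the argv-list and quoted forms print the name back as a single literal line. The allow-list check is the belt to the argv list's braces: even with no shell involved, a package tool should never be handed a name that is not a valid package name.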