Committer: Package Import Robot
Author(s): Dmitry Smirnov, Salvatore Bonaccorso, Dmitry Smirnov
Date: 2015-03-19 18:38:23 UTC
Revision ID: package-import@ubuntu.com-20150319183823-vdr6c21nwgu4aop5
Tags: 5.0.8-2
[ Salvatore Bonaccorso <carnil@debian.org> ]
* Add patches for CVE-2014-8169 (Closes: #779591).
When a program map uses an interpreted language like python it is
possible to load and execute arbitrary code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages. To avoid that, a prefix to
these environment names is added so that they aren't used for this
purpose. The prefix used is "AUTOFS_" and is not configurable.
Additionally a configuration option to force the use of program map
standard environment variables is added (FORCE_STANDARD_PROGRAM_MAP_ENV).
[ Dmitry Smirnov <onlyjob@debian.org> ]
* Refreshed other patches as needed.
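
The following is an added example, not part of this changelog or of the autofs source: a shell program map written for the prefixed environment, so it works without FORCE_STANDARD_PROGRAM_MAP_ENV. It assumes automount passes the requesting user as AUTOFS_USER (USER before this change); the server name, export path and the own-directory policy are constructed for illustration.

```shell
#!/bin/sh
# Program map for a per-user mount point. automount runs it with the lookup
# key as $1 and expects a map entry on stdout, or a non-zero exit status.
# Assumption: the requesting user arrives as AUTOFS_USER (prefix from the fix).
# nfs.example.org and /export/home are constructed placeholders.

# Accept only conservative names: non-empty, no leading '.' or '-',
# and nothing outside letters, digits, '.', '_' and '-'.
valid_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the map entry for key $1, or return non-zero so the mount fails.
map_entry() {
    key=$1
    # Read only the prefixed variable. Falling back to USER or HOME would
    # bring back the dependence on the standard names that the fix removed.
    user=${AUTOFS_USER-}
    valid_name "$key" || return 1
    valid_name "$user" || return 1
    # Example policy: a user may only trigger the mount of their own directory.
    [ "$key" = "$user" ] || return 1
    printf '%s\n' "-fstype=nfs,nosuid,nodev nfs.example.org:/export/home/$key"
}

# When invoked by automount (key present), answer the lookup.
if [ "$#" -gt 0 ]; then
    map_entry "$1"
fi
```

Maps that still read the unprefixed names stop receiving them after this update; porting them to the AUTOFS_ names keeps the protection in place, whereas enabling FORCE_STANDARD_PROGRAM_MAP_ENV gives it up.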