Viewing all changes in revision 15.
- Committer: Package Import Robot
- Date: 2015-03-19 18:38:23 UTC
- Revision ID: package-import@ubuntu.com-20150319183823-vdr6c21nwgu4aop5
[ Salvatore Bonaccorso <carnil@debian.org> ]
* Add patches for CVE-2014-8169 (Closes: #779591).
When a program map uses an interpreted languages like python it is
possible to load and execute arbitray code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages. To avoid that, a prefix to
these environment names is added so that they aren't used for this
purpose. The prefix used is "AUTOFS_" and is not configurable.
Additionally a configuration option to force the use of program map
standard environment variables is added (FORCE_STANDARD_PROGRAM_MAP_ENV).
[ Dmitry Smirnov <onlyjob@debian.org> ]
* Refreshed other patches as needed.
* Add patches for CVE-2014-8169 (Closes: #779591).
When a program map uses an interpreted languages like python it is
possible to load and execute arbitray code from a user home directory.
This is because the standard environment variables are used to locate
and load modules when using these languages. To avoid that, a prefix to
these environment names is added so that they aren't used for this
purpose. The prefix used is "AUTOFS_" and is not configurable.
Additionally a configuration option to force the use of program map
standard environment variables is added (FORCE_STANDARD_PROGRAM_MAP_ENV).
[ Dmitry Smirnov <onlyjob@debian.org> ]
* Refreshed other patches as needed.
- files added:
- .pc/CVE-2014-8169-add-a-prefix-to-program-map-stdvars.patch
- .pc/CVE-2014-8169-add-a-prefix-to-program-map-stdvars.patch/include
- .pc/CVE-2014-8169-add-a-prefix-to-program-map-stdvars.patch/lib
- .pc/CVE-2014-8169-add-a-prefix-to-program-map-stdvars.patch/modules
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch/include
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch/lib
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch/man
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch/modules
- .pc/CVE-2014-8169-add-config-option-to-force-use-of-program-map-stdvars.patch/samples
expand all
collapse all
added
removed
