Package: python-dbusmock / 0.11.4-1+deb8u1

Metadata

Package Version Patches format
python-dbusmock 0.11.4-1+deb8u1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
0001 SECURITY FIX Prevent code execution through crafted .patch | (download)

dbusmock/mockobject.py | 13 5 + 8 - 0 !
tests/test_api.py | 10 10 + 0 - 0 !
2 files changed, 15 insertions(+), 8 deletions(-)

 security fix: prevent code execution through crafted pyc files

When loading a template from an arbitrary file through the AddTemplate() D-Bus
method call or DBusTestCase.spawn_server_template() Python method, don't create
or use Python's *.pyc cached files.By tricking a user into loading a template
from a world-writable directory like /tmp, an attacker could run arbitrary code
with the user's privileges by putting a crafted .pyc file into that directory.

Note that this is highly unlikely to actually appear in practice as custom
dbusmock templates are usually shipped in project directories, not directly in
world-writable directories.

Thanks to Simon McVittie for discovering this!

LP: #1453815
CVE-2015-1326