CVE-2013-2027

Name: CVE-2013-2027
Description: Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 777079

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| jython (PTS) | jessie, jessie (lts) | 2.5.3-3+deb8u1 | vulnerable |
| | stretch (security), stretch (lts), stretch | 2.5.3-16+deb9u1 | vulnerable |
| | buster | 2.7.1+repack1-4~deb10u1 | fixed |
| | bullseye | 2.7.2+repack1-3 | fixed |
| | sid, trixie, bookworm | 2.7.3+repack1-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jython | source | experimental | 2.7.0+repack-1 | | | |
| jython | source | (unstable) | 2.7.1+repack-1 | low | | 777079 |

Notes

[stretch] - jython <ignored> (Minor issue)
[jessie] - jython <ignored> (Minor issue)
[wheezy] - jython <no-dsa> (Minor issue)
[squeeze] - jython <no-dsa> (Minor issue)
http://bugs.jython.org/issue2044
The original issue seems addressed in 2.7.0+repack-1, but files
might still be created/written to /usr/share/jython/cachedir/packages,
which, being a cachedir, should not be in /usr.
