CVE-2013-2027

Name: CVE-2013-2027
Description: Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: local)
Debian Bugs: 777079

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version           Status
jython (PTS)     wheezy                       2.5.2-1           vulnerable
jython           wheezy (security)            2.5.2-1+deb7u1    vulnerable
jython           jessie (security), jessie    2.5.3-3+deb8u1    vulnerable
jython           stretch (security), stretch  2.5.3-16+deb9u1   vulnerable
jython           buster, sid                  2.7.1+repack-3    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release        Fixed Version    Urgency   Origin   Debian Bugs
jython    source   (unstable)     2.7.1+repack-1   low                777079
jython    source   experimental   2.7.0+repack-1   medium

Notes

[stretch] - jython <ignored> (Minor issue)
[jessie] - jython <ignored> (Minor issue)
[wheezy] - jython <no-dsa> (Minor issue)
[squeeze] - jython <no-dsa> (Minor issue)
http://bugs.jython.org/issue2044
The original issue seems addressed in 2.7.0+repack-1, but files
might still be created/written to /usr/share/jython/cachedir/packages,
which should not be in /usr, being a cachedir.
