[MIR] ajaxterm

Bug #795159 reported by Chuck Short
Affects: ajaxterm (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: C de-Avillez
Milestone:

Bug Description

Binary package hint: ajaxterm

Availability: Currently in universe
Rationale: Dependency for nova, a part of the server-o-cobbler specification in order to get nova, glance, and swift into main.
Security: Security history, CVE-2009-1629 fixed in oneiric.
Quality Assurance: Package works out of the box with no prompting. There are usability bugs both in Debian and Ubuntu.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main except python-psyco, which appears to be a pure virtual package.

Tags: server-o-mir

Michael Terry (mterry)
Changed in ajaxterm (Ubuntu):
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry)
Changed in ajaxterm (Ubuntu):
assignee: Michael Terry (mterry) → Kees Cook (kees)
Dave Walker (davewalker)
tags: added: server-o-mir
Kees Cook (kees) wrote :

The defaults are to use ssh to localhost, and to only listen for connections on localhost. Using this without encryption would be considered a critical security issue, as it would expose the entire underlying SSH connection. As long as ajaxterm is never used in this way, I'm fine with including it.

Can you eliminate "usr/share/python" and its entire tree? It doesn't seem to be needed. Additionally, can you see why the sys.path is adjusted at the start of ajaxterm.py itself? I don't think that should be needed and might be dangerous depending on how it is called.

Changed in ajaxterm (Ubuntu):
assignee: Kees Cook (kees) → nobody
status: New → Incomplete
C de-Avillez (hggdh2) wrote :

1. path adjustment: I see no reason for it -- the code goes this way:

 (...)
 os.chdir(os.path.normpath(os.path.dirname(__file__)))
 # Optional: Add QWeb in sys path
 sys.path[0:0]=glob.glob('../../python')

 import qweb, codecs
(...)

the python script is located at /usr/share/ajaxterm/. There is no such directory (from the current path) as '../../python', so the 'glob.glob()' call returns an empty list. Additionally, qweb.py is in the same directory as the script. I am guessing this is a left-over.
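
To make the risk Kees raised and the leftover hggdh2 describes concrete, here is an added example (not code from ajaxterm, from the Debian package, or from anyone in this thread) that replays the script's start-up sequence in a throw-away directory tree where '../../python' does resolve and is writable by someone other than root. The tree, the two qweb.py bodies and the helper names (build_layout, import_qweb, demo) are all constructed for the demonstration. With the glob line in place the planted copy shadows the qweb.py sitting next to the script; with the line removed, as debian/patches/93_bug795159.diff does, the legitimate copy loads:

```python
import glob
import importlib
import os
import sys
import tempfile


def build_layout(root):
    """Create a constructed directory tree under `root` mirroring the layout
    discussed in the thread.  Two copies of qweb.py exist:

      root/usr/share/ajaxterm/qweb.py   the module shipped next to ajaxterm.py
      root/usr/python/qweb.py           what '../../python' resolves to from the
                                        script directory; stands in for a module
                                        planted by a local, unprivileged user

    Returns the script directory.  Everything written here is sample data,
    not the real package contents."""
    app_dir = os.path.join(root, "usr", "share", "ajaxterm")
    planted_dir = os.path.join(root, "usr", "python")
    os.makedirs(app_dir)
    os.makedirs(planted_dir)
    with open(os.path.join(app_dir, "qweb.py"), "w") as fh:
        fh.write("ORIGIN = 'legitimate'\n")
    with open(os.path.join(planted_dir, "qweb.py"), "w") as fh:
        fh.write("ORIGIN = 'planted'\n")
    return app_dir


def import_qweb(app_dir, adjust_sys_path):
    """Emulate the first lines of ajaxterm.py: chdir into the script's own
    directory and, when adjust_sys_path is True, prepend glob('../../python')
    to sys.path exactly as the unpatched script does.  Returns the ORIGIN
    string of whichever qweb module `import qweb` picked up."""
    saved_cwd = os.getcwd()
    saved_path = list(sys.path)
    sys.modules.pop("qweb", None)
    try:
        os.chdir(app_dir)
        # A script's own directory is normally sys.path[0]; model that
        # explicitly, since this function is not ajaxterm.py itself.
        sys.path.insert(0, app_dir)
        if adjust_sys_path:
            # The line removed by debian/patches/93_bug795159.diff.  The glob
            # is evaluated relative to the cwd set just above, so any
            # directory two levels up named 'python' lands in front of
            # app_dir and wins every bare `import` that follows.
            sys.path[0:0] = glob.glob("../../python")
        importlib.invalidate_caches()
        return importlib.import_module("qweb").ORIGIN
    finally:
        os.chdir(saved_cwd)
        sys.path[:] = saved_path
        sys.path_importer_cache.pop("../../python", None)
        sys.modules.pop("qweb", None)


def demo():
    """Run both variants against a fresh temporary tree and report which
    copy of qweb each one imported."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = build_layout(root)
        return {
            "unpatched": import_qweb(app_dir, adjust_sys_path=True),
            "patched": import_qweb(app_dir, adjust_sys_path=False),
        }


if __name__ == "__main__":
    for variant, origin in demo().items():
        print(f"{variant}: imported qweb from the {origin} location")
```

In the packaged layout the glob returns an empty list, as noted above, so there the line is only dead weight. The example shows what happens the moment the script is run from somewhere the relative directory does resolve, for instance an unpacked source tree under a user-writable prefix: the search-path order, not the file next to the script, decides which qweb gets executed.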

C de-Avillez (hggdh2) wrote :

2. remove /usr/share/python/runtime.d -- I added an 'override_dh_auto_install' in debian/rules, removing the directory subtree.

Changed in ajaxterm (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → C de-Avillez (hggdh2)
C de-Avillez (hggdh2) wrote :

Argh. After a lot of pain I found the correct place to override the ./python/runtime.d/ maintainer scripts -- just after dh_python2, on the build process.

I think it is right now, at least works for me.

Changed in ajaxterm (Ubuntu):
status: In Progress → Confirmed
Kees Cook (kees) wrote :

Patch looks good, thanks!

Kees Cook (kees) wrote :

With these changes, I'm okay with the MIR. +1

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ajaxterm - 0.10-11ubuntu1

---------------
ajaxterm (0.10-11ubuntu1) oneiric; urgency=low

  * Resolutions for issues outlined in MIR (LP: #795159, Closes: 638332):
    + debian/patches/93_bug795159.diff: removed add to sys.path at beginning
      of the code (unneeded, potential security issue).
    + debian/rules: delete auto-installed /usr/share/python/runtime.d.
 -- C de-Avillez <email address hidden> Wed, 17 Aug 2011 12:29:51 -0500

Changed in ajaxterm (Ubuntu):
status: Confirmed → Fix Released
Matthias Klose (doko) wrote :

2011-08-18 21:11:17 INFO Override Component to: 'main'
2011-08-18 21:11:17 INFO 'ajaxterm - 0.10-11ubuntu1/universe/web' source overridden
2011-08-18 21:11:18 INFO 'ajaxterm-0.10-11ubuntu1/universe/web/OPTIONAL' binary overridden in oneiric/amd64
2011-08-18 21:11:18 INFO 'ajaxterm-0.10-11ubuntu1/universe/web/OPTIONAL' binary overridden in oneiric/armel
2011-08-18 21:11:18 INFO 'ajaxterm-0.10-11ubuntu1/universe/web/OPTIONAL' binary overridden in oneiric/i386
2011-08-18 21:11:18 INFO 'ajaxterm-0.10-11ubuntu1/universe/web/OPTIONAL' binary overridden in oneiric/powerpc

Julien Valroff (julienv) wrote :

Hi,

Please note that ajaxterm hasn't been maintained upstream for some years (the original maintainer is unreachable).

As for your patch, while I totally agree as for the sys.path call, the runtime.d script is used in case of a default python runtime change (see Debian python policy section 1.6: http://www.debian.org/doc/packaging-manuals/python-policy/ch-python.html#s-runtimes_hooks)

I'll thus only apply the first part of your patch to the Debian package (see Debian bug #638332), thanks for sharing it

Cheers,
Julien

Dave Walker (davewalker) wrote :

@Julien, Thanks for following up on this, it is most appreciated.
