Active Topics
-
Is there a section to talk about Java ME? Apps, etc. (0)
to General by Kalatti - 12 hrs, 11 mins ago -
Extra softwares in Sailfish using CLI, repositories, etc (117)
to SailfishOS by nieldk - 2 days, 9 hrs ago -
Firefox with Leste (6)
to Maemo 7 / Leste by teroyk - 3 days, 5 hrs ago - more...
|
2014-06-19
, 17:11
|
|
Posts: 2,153 |
Thanked: 8,462 times |
Joined on May 2010
|
#402
|
Give me output of sysinfo-tool -g /device/sw-release-ver
Also are you sure that you did not have unknown before updating?
Also are you sure that you did not have unknown before updating?
|
|
2014-06-19
, 17:13
|
|
Posts: 3,074 |
Thanked: 12,960 times |
Joined on Mar 2010
@ Sofia,Bulgaria
|
#403
|
@pali: I think this https://gitorious.org/community-ssu/...uctinfo.c#L593 should be #if 0
__________________
Never fear. I is here.
720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900
Community SSU developer
kernel-power developer and maintainer
Never fear. I is here.
720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900
Community SSU developer
kernel-power developer and maintainer
| The Following User Says Thank You to freemangordon For This Useful Post: | ||
 |
|
2014-06-19
, 17:18
|
|
Posts: 439 |
Thanked: 282 times |
Joined on Oct 2012
|
#404
|
Originally Posted by pali
the command doesn't output anything , and no , the version string was displayed before update and reboot
Give me output of sysinfo-tool -g /device/sw-release-ver
Also are you sure that you did not have unknown before updating?
__________________
N900 Beast featuring :
8GB OPTFS@ext4(*performance mount options)
overclock: cpu[125 - 1,150(*VDD1)+Dsp overclock
CSSU-T latest version
N900 Beast featuring :8GB OPTFS@ext4(*performance mount options)
overclock: cpu[125 - 1,150(*VDD1)+Dsp overclock
CSSU-T latest version
|
|
2014-06-19
, 17:28
|
|
Posts: 2,290 |
Thanked: 4,133 times |
Joined on Apr 2010
@ UK
|
#405
|
Originally Posted by Alecsandru
Looks like this.
new version of osso-product-info and its lib , from unknow message , now i have :
https://bugs.maemo.org/show_bug.cgi?id=7983
__________________
Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -
Before posting or starting a thread please try this.
Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -
Before posting or starting a thread please try this.
|
|
2014-06-27
, 14:27
|
|
Posts: 804 |
Thanked: 1,598 times |
Joined on Feb 2010
@ Gdynia, Poland
|
#406
|
Is there a python maintainer in CSSU team?
https://hackerone.com/reports/12297 - security issue found in python (2.7 and newer for sure, I'm not sure if 2.5 is also vulnerable - I couldn't run the sample code to test the issue and I'm not sure which additional python package I should install to run it)
https://hackerone.com/reports/12297 - security issue found in python (2.7 and newer for sure, I'm not sure if 2.5 is also vulnerable - I couldn't run the sample code to test the issue and I'm not sure which additional python package I should install to run it)
| The Following 5 Users Say Thank You to misiak For This Useful Post: | ||
|
|
2014-06-27
, 17:10
|
|
Posts: 1,100 |
Thanked: 2,797 times |
Joined on Apr 2011
@ Netherlands
|
#407
|
Originally Posted by misiak
Is there a python maintainer in CSSU team?
https://hackerone.com/reports/12297 - security issue found in python (2.7 and newer for sure, I'm not sure if 2.5 is also vulnerable - I couldn't run the sample code to test the issue and I'm not sure which additional python package I should install to run it)
Code:
user:~# cat vulnerability_test.py
from simplejson import JSONDecoder
j = JSONDecoder()
a = '128931233'
b = "472389423"
if id(a) < id(b):
x = a
y = b
else:
x = b
y = a
diff = id(x) - id(y)
try:
j.raw_decode(y, diff)
print("Vulnerable")
except:
print("Not vulnerable")
user:~# python
Python 2.5.4 (r254:67916, May 17 2010, 21:00:32)
[GCC 4.2.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> execfile("vulnerability_test.py")
Vulnerable
>>>
My desktop versions of python (3.3.5 and 2.7.6, importing json instead of simplejson) also report vulnerability at this moment. AFAIK there are no 2.5 patches available (only 2.7 and 3.x), as it is no longer supported.
The fix itself looks simple (in some json related code):
Code:
- if (idx >= length) {
+ if ( idx < 0 || idx >= length) {
| The Following 5 Users Say Thank You to ade For This Useful Post: | ||
 |
|
2014-06-27
, 18:54
|
|
Posts: 4,117 |
Thanked: 8,901 times |
Joined on Aug 2010
@ Ruhrgebiet, Germany
|
#408
|
Just a bit of offtopic:
does this output on N9 with py2.6.6 mean "not vulnerable"
--answer
Yes, it means.
import from json instead simplejson
Last edited by peterleinchen; 2014-06-27 at 18:59.
does this output on N9 with py2.6.6 mean "not vulnerable"
~ $ python
Python 2.6.6 (r266:84292, Mar 11 2011, 01:19:30)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> execfile("vulnerability_test.py")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "vulnerability_test.py", line 1, in <module>
from simplejson import JSONDecoder
ImportError: No module named simplejson
>>>
Yes, it means.
import from json instead simplejson
~ $ python
Python 2.6.6 (r266:84292, Mar 11 2011, 01:19:30)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> execfile("vulnerability_test.py")
Not vulnerable
>>>
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!
Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257
editsignature, http://talk.maemo.org/profile.php?do=editsignature
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!
Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257
editsignature, http://talk.maemo.org/profile.php?do=editsignature
Last edited by peterleinchen; 2014-06-27 at 18:59.
|
|
2014-06-27
, 19:53
|
|
Posts: 1,100 |
Thanked: 2,797 times |
Joined on Apr 2011
@ Netherlands
|
#409
|
Just did some more digging. For python 2.5, the code is in python-simplejson (the json module for python 2.5).
And already did the fix in the code
The result now is:
edit: python-simplejson 2.0.9-1maemo2 is now uploaded to extras-devel
Last edited by ade; 2014-06-28 at 18:43. Reason: removed attached deb packages, as it is uploaded to extras-devel
And already did the fix in the code
The result now is:
Code:
Python 2.5.4 (r254:67916, May 17 2010, 21:00:32)
[GCC 4.2.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> execfile("vulnerability_test.py")
Not vulnerable
Last edited by ade; 2014-06-28 at 18:43. Reason: removed attached deb packages, as it is uploaded to extras-devel
| The Following 5 Users Say Thank You to ade For This Useful Post: | ||
|
|
2014-06-27
, 21:11
|
|
Posts: 804 |
Thanked: 1,598 times |
Joined on Feb 2010
@ Gdynia, Poland
|
#410
|
Originally Posted by ade
Wait, so are our devices with stock python from repositories vulnerable or not? I don't get whether you are saying that the fix in code was already made or you fixed it in the build you just attached...? If the latter, it should definitely be pushed to CSSU repos I believe...
Just did some more digging. For python 2.5, the code is in python-simplejson (the json module for python 2.5).
And already did the fix in the code
The result now is:
If someone wants to test with the modified code, see the attachment.Code:Python 2.5.4 (r254:67916, May 17 2010, 21:00:32) [GCC 4.2.1] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> execfile("vulnerability_test.py") Not vulnerable
 |
| Tags |
| easter egg, lockslider |
«
Previous Thread
|
Next Thread
»
|
All times are GMT. The time now is 15:16.
8GB OPTFS@ext4(*performance mount options)
overclock: cpu[125 - 1,150(*VDD1)+Dsp overclock
CSSU-T latest version
Last edited by Alecsandru; 2014-06-19 at 17:11.