Date: Tue, 3 Feb 2009 16:20:10 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>
cc: "Steven M. Christey" <coley@...us.mitre.org>,
Robert Buchholz <rbu@...too.org>
Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv issues
(epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)
On Fri, 30 Jan 2009, Jan Lieskovsky wrote:
> 3, The original CVE-2008-5983 description will need modification.
> Robert is right, this issue is still present also in Python
> 2.6 (even absolute imports didn't resolve it).
Updated. The original desc followed James Vega's implication that the
absolute imports default addressed this.
- Steve
======================================================
Name: CVE-2008-5983
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983
Reference: MLIST:[debian-bugs] 20081112 Bug#493937: [Patch] Prevent loading of Python modules in working directory
Reference: URL:http://www.mail-archive.com/debian-bugs-dist@...ts.debian.org/msg586010.html
Reference: MLIST:[debian-bugs-rc] 20080805 Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd
Reference: URL:http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
Reference: MLIST:[oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/26/2
Reference: MLIST:[oss-security] 20090128 Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/28/5
Reference: MLIST:[oss-security] 20090130 Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/30/2
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=482814
Untrusted search path vulnerability in the PySys_SetArgv API function
in Python 2.6 and earlier, and possibly later versions, prepends an
empty string to sys.path when the argv[0] argument does not contain a
path separator, which might allow local users to execute arbitrary
code via a Trojan horse Python file in the current working directory.
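The mechanism in the description above, shown with the import system itself. This is an added example, not code from this thread or from Python or any of the affected projects: PySys_SetArgv() is a C API, so argv_path_prefix() only emulates in Python the sys.path entry it derives from argv[0] ('' when argv[0] has no separator, the directory part otherwise); the module name embedded_plugin_probe is hypothetical; the Trojan file is constructed in a temporary directory for the demo; and importlib.machinery.PathFinder (Python 3.3+) is used to resolve a name against an explicit path list, where it treats '' as the process cwd exactly as a real import would.

```python
"""CVE-2008-5983: '' in sys.path resolves imports from the cwd.

Added example. argv_path_prefix() emulates the sys.path entry that
PySys_SetArgv() derives from argv[0]; harden_sys_path() is the strip-the-cwd
pattern an embedding application can apply afterwards; run_demo() plants a
constructed Trojan module in a temporary cwd and resolves a module name
against the vulnerable and the hardened path.  Needs Python 3.3+.
"""
import importlib.machinery
import os
import tempfile

# Hypothetical name of a module an embedding application imports by name.
PROBE_MODULE = "embedded_plugin_probe"


def argv_path_prefix(argv0):
    """Emulate the sys.path[0] PySys_SetArgv() derives from argv[0]:
    '' (meaning the process cwd) when argv[0] carries no path separator,
    otherwise the directory part of argv[0]."""
    if "/" not in argv0 and os.sep not in argv0:
        return ""
    return os.path.dirname(argv0)


def harden_sys_path(path, cwd=None):
    """Return a copy of `path` without any entry that resolves to `cwd`
    (default: the process cwd): '', '.', or the directory itself.  Applied
    right after PySys_SetArgv(), this stops imports being satisfied from
    the working directory."""
    cwd = os.path.realpath(cwd or os.getcwd())
    return [entry for entry in path
            if entry not in ("", ".") and os.path.realpath(entry) != cwd]


def find_module_file(name, search_path):
    """Resolve `name` against `search_path` with the import system's own
    PathFinder, which interprets '' as the cwd just like a real import.
    Returns the file that would be loaded, or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None or spec.origin is None else spec.origin


def run_demo(argv0="gedit"):
    """Plant the Trojan module in a fresh directory, make it the cwd, and
    resolve PROBE_MODULE against the vulnerable and the hardened path."""
    with tempfile.TemporaryDirectory() as workdir:
        trojan = os.path.join(workdir, PROBE_MODULE + ".py")
        with open(trojan, "w") as fh:
            fh.write("# constructed Trojan horse module for the demo\n")
        # Only the argv[0]-derived entry matters here; a real application
        # would have its installed library directories after it.
        vulnerable = [argv_path_prefix(argv0)]
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            hardened = harden_sys_path(vulnerable)
            before = find_module_file(PROBE_MODULE, vulnerable)
            after = find_module_file(PROBE_MODULE, hardened)
        finally:
            os.chdir(old_cwd)
        return {
            "prefix": argv_path_prefix(argv0),
            "vulnerable_hit": before is not None
                and os.path.realpath(before) == os.path.realpath(trojan),
            "hardened_hit": after is not None,
        }


if __name__ == "__main__":
    print(run_demo("gedit"))
    print(run_demo("/usr/bin/gedit"))
```

With argv[0] = "gedit" the probe module is found through the '' entry, i.e. from the cwd; with the '' entry stripped it is not found at all, and with argv[0] = "/usr/bin/gedit" the derived entry is /usr/bin, where no such module exists. Outside this demo, the equivalent for a C embedder on the affected versions is to pop sys.path[0] immediately after PySys_SetArgv() (for example via PyRun_SimpleString("import sys; sys.path.pop(0)\n")); later Python releases (2.6.6, 2.7 and 3.1.3 onwards) added PySys_SetArgvEx() with an updatepath argument, which leaves sys.path untouched when it is 0.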