Date: Wed, 28 Jan 2009 12:48:17 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>,
 "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)

On Monday 26 January 2009, Jan Lieskovsky wrote:
> Though this is a Python flaw (insertion of cwd at the
> beginning of the Python modules search path), according to our Python
> maintainers it can't be fixed on Python's side due to the need
> of ensuring the work of other numerous packages, when loading
> Python modules.

Your subject seems to claim that this vulnerability is fixed on the Python
side in 2.6 -- can you elaborate on that?

James Vega in the bug report you referenced [1] wrote:
> This problem should be solved in 2.6 since absolute imports are the
> default.

However, the specification of absolute imports [2] states:
> import foo
>
> refers to a top-level module or to another module inside the package.
> [...] To resolve the ambiguity, it is proposed that foo will always be
> a module or package reachable from sys.path. This is called an
> absolute import.

So absolute imports do not fix situations where you (e.g.) "import re" with
CWD=/tmp in sys.path. Also, the test case shows that at least Python 2.6.1's
PySys_SetArgv behaves the same:

$ ./484305 ""
['']
['', '/usr/lib64/python26.zip', '/usr/lib64/python2.6', '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', '/usr/lib64/python2.6/site-packages', '/usr/lib64/portage/pym']

Regards,
Robert

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305
[2] http://www.python.org/dev/peps/pep-0328/#rationale-for-absolute-imports
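
Added example (not part of the message above and not code from Python or the affected packages): a check for the condition the test output shows, flagging cwd-relative sys.path entries such as the leading '' and reporting, without executing anything, which file "import re" would resolve to. It assumes Python 3's importlib rather than 2.6; the helper names and the placeholder re.py are constructed for illustration.

```python
import importlib.machinery
import os
import sys
import tempfile


def cwd_relative_entries(path):
    """Entries such as '' or '.' that resolve against the current directory."""
    return [p for p in path if not os.path.isabs(p)]


def resolve_origin(name, path):
    """Find the file an import of `name` would load, without executing it."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return spec.origin if spec else None


def shadowed_from_cwd(name, path):
    """True if a cwd-relative entry changes which file `name` resolves to."""
    safe = [p for p in path if os.path.isabs(p)]
    return resolve_origin(name, path) != resolve_origin(name, safe)


def demo():
    """Constructed scenario: '' leads the path and the cwd holds a re.py."""
    path = [""] + [p for p in sys.path if os.path.isabs(p)]
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "re.py"), "w") as fh:
            fh.write("# constructed placeholder, never executed\n")
        os.chdir(tmp)
        try:
            return {
                "flagged": cwd_relative_entries(path),
                "origin": resolve_origin("re", path),
                "shadowed": shadowed_from_cwd("re", path),
                "planted": os.path.join(os.getcwd(), "re.py"),
            }
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

An embedding application can run the same filter on sys.path right after its PySys_SetArgv call and drop the flagged entries before importing anything.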