Date: Wed, 28 Jan 2009 12:48:17 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Jan Lieskovsky <jlieskov@...hat.com>,
 "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)

On Monday 26 January 2009, Jan Lieskovsky wrote:
> Though this is a Python flaw (insertion of cwd at the
> beginning of the Python modules search path), according to our Python
> maintainers it can't be fixed on Python's side due the need
> of ensuring the work of other numerous packages, when loading
> Python modules.

Your subject seems to claim that this vulnerability is fixed on the 
Python side in 2.6 -- can you elaborate on that?

James Vega in the bug report you referenced [1] wrote:
> This problem should be solved in 2.6 since absolute imports are the
> default.

However, the specification of absolute imports [2] states:
> import foo
> 
> refers to a top-level module or to another module inside the package.
> [...] To resolve the ambiguity, it is proposed that foo will always be
> a module or package reachable from sys.path. This is called an
> absolute import.

So absolute imports do not fix situations where you (e.g.) "import re" 
with CWD=/tmp in sys.path. Also, the test case shows that at least 
Python 2.6.1's PySys_SetArgv behaves the same:
$ ./484305 ""
['']
['', '/usr/lib64/python26.zip', '/usr/lib64/python2.6', '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', '/usr/lib64/python2.6/site-packages', '/usr/lib64/portage/pym']

Regards,
Robert

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305
[2] http://www.python.org/dev/peps/pep-0328/#rationale-for-absolute-imports
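The point Robert makes above (absolute imports do not help once '' is the first entry of sys.path) can be reproduced without embedding the C API. The following is an added example, not part of the original mail, the Debian test case or Python itself: it plants a file named re.py in a scratch directory, then imports re in a child interpreter whose cwd is that directory, once with '' prepended to sys.path (what PySys_SetArgv does when argv[0] is the empty string) and once with all cwd entries stripped. The module name re, the scratch directory and the names PROBE, import_origin and demo are assumptions of this example.

```python
"""Show how a leading '' (cwd) entry on sys.path lets a file in the current
directory shadow a standard-library module, regardless of absolute imports.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed "malicious" module body. An attacker drops this as re.py into a
# directory the victim application will later have as its cwd (e.g. /tmp).
PLANTED_MODULE = 'PLANTED = "attacker code ran"\n'

# Probe executed in a fresh interpreter. It first strips the interpreter's own
# cwd entries from sys.path so the result depends only on what the "host
# application" did, then optionally prepends '' exactly as the vulnerable
# PySys_SetArgv call does, imports the requested module and reports whether the
# planted file or the real library was loaded.
PROBE = textwrap.dedent("""\
    import os, sys
    sys.path[:] = [p for p in sys.path if p not in ('', '.') and p != os.getcwd()]
    if sys.argv[1] == 'prepend-cwd':
        sys.path.insert(0, '')   # what PySys_SetArgv("") leaves behind
    mod = __import__(sys.argv[2])
    print('planted' if hasattr(mod, 'PLANTED') else 'stdlib')
""")


def import_origin(module, cwd, prepend_cwd):
    """Import `module` in a child interpreter running with `cwd` as its cwd.

    Returns 'planted' if the file sitting in cwd was imported, 'stdlib' if the
    real library module won. -S and -E keep site.py and the environment from
    adding their own path entries so the run is reproducible.
    """
    mode = 'prepend-cwd' if prepend_cwd else 'clean'
    out = subprocess.run(
        [sys.executable, '-S', '-E', '-c', PROBE, mode, module],
        cwd=cwd, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def demo(module='re'):
    """Plant <module>.py in a scratch directory and import it both ways."""
    with tempfile.TemporaryDirectory() as attacker_dir:
        with open(os.path.join(attacker_dir, module + '.py'), 'w') as fh:
            fh.write(PLANTED_MODULE)
        return {
            # '' first on sys.path: the planted file shadows the stdlib module
            'cwd_first': import_origin(module, attacker_dir, prepend_cwd=True),
            # no cwd entry at all: the real module is found
            'no_cwd': import_origin(module, attacker_dir, prepend_cwd=False),
        }


if __name__ == '__main__':
    for case, origin in demo().items():
        print(f'{case}: {origin}')
```

Nothing in the import statement itself distinguishes the two runs: "import re" is already an absolute import in PEP 328 terms, and the planted module is simply the first "re" reachable from sys.path. The only fix is on the sys.path side, i.e. never letting the host application's cwd precede the library directories. Later Python releases added PySys_SetArgvEx(), whose updatepath argument lets an embedding application skip the sys.path update altogether.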

