Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Wed, 28 Jan 2009 12:48:17 +0100
From: Robert Buchholz <>
Cc: Jan Lieskovsky <>,
 "Steven M. Christey" <>
Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)

On Monday 26 January 2009, Jan Lieskovsky wrote:
> Though this is a Python flaw (insertion of cwd at the
> beginning of the Python modules search path), according to our Python
> maintainers it can't be fixed on Python's side due the need
> of ensuring the work of other numerous packages, when loading
> Python modules.

Your subject seems to claim that this vulnerability is fixed on the 
Python side in 2.6 -- can you elaborate on that?

James Vega in the bug report you referenced [1] wrote:
> This problem should be solved in 2.6 since absolute imports are the
> default.

However, the specification of absolute imports [2] states:
> import foo
> refers to a top-level module or to another module inside the package.
> [...] To resolve the ambiguity, it is proposed that foo will always be
> a module or package reachable from sys.path. This is called an
> absolute import.

So absolute imports do not fix situations where you (e.g.) "import re" 
with CWD=/tmp in sys.path. Also, the test case shows that at least 
Python 2.6.1's PySys_SetArgv behaves the same:
$ ./484305 ""
['', '/usr/lib64/', '/usr/lib64/python2.6', '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', '/usr/lib64/python2.6/site-packages', '/usr/lib64/portage/pym']
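The search-path behaviour discussed above, as an added example (not part of the original message, and not Python's or any of the listed applications' own code): a stand-alone Python 3 script that plants a file named `re.py` (the module from the message) in a constructed temporary directory, makes that directory the current working directory, and resolves `import re` against a search path that begins with `''`, exactly as printed by the test case, and against the same path with the relative entry removed. The module is only resolved, never imported, so the planted file never runs. It does not embed Python from C; it drives the same resolution step through `importlib.machinery.PathFinder`. The sanitisation policy (keep only absolute directories) is this example's own choice, assumed here as what an embedding application would do after `PySys_SetArgv` if it cannot pass `updatepath=0` to the later `PySys_SetArgvEx`.

```python
"""Constructed demonstration of the PySys_SetArgv search-path issue.

PySys_SetArgv prepends '' to sys.path when argv[0] is an empty string, and
'' is interpreted by the import machinery as "the current working directory".
This script does not embed the interpreter; it reproduces the resolution
step with importlib's PathFinder against a constructed temporary directory,
so it runs stand-alone and never executes the planted module.
"""
import os
import sys
import tempfile
import importlib.machinery

# Real location of the running interpreter's standard library.
STDLIB_DIR = os.path.dirname(os.path.realpath(os.__file__))


def find_origin(name, path_entries):
    """Return the file that `import name` would load for the given search
    path, or None. Pure resolution: nothing is imported or executed."""
    spec = importlib.machinery.PathFinder.find_spec(name, path_entries)
    return None if spec is None else spec.origin


def sanitize_path(entries):
    """Drop '' and every other relative entry from a search path.
    Policy chosen for this example: keep only absolute directories."""
    return [e for e in entries if isinstance(e, str) and e and os.path.isabs(e)]


def run_demo(module_name="re"):
    """Plant <module_name>.py in a fresh directory, make it the cwd, and
    resolve the import with and without '' at the front of the search path."""
    result = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed attacker file; it is only resolved, never imported.
        with open(os.path.join(tmp, module_name + ".py"), "w") as f:
            f.write("raise SystemExit('planted module executed')\n")
        planted_dir = os.path.realpath(tmp)
        os.chdir(tmp)
        try:
            # Mirrors the sys.path printed in the thread: '' first, then the stdlib.
            vulnerable = ["", STDLIB_DIR]
            fixed = sanitize_path(vulnerable)
            result["vulnerable_origin"] = find_origin(module_name, vulnerable)
            result["fixed_origin"] = find_origin(module_name, fixed)
        finally:
            os.chdir(old_cwd)
    vuln = result["vulnerable_origin"]
    safe = result["fixed_origin"]
    # With '' first, the planted file in the cwd wins over the stdlib module.
    result["shadowed"] = (
        vuln is not None
        and os.path.dirname(os.path.realpath(vuln)) == planted_dir
    )
    # With the relative entry gone, resolution lands back in the stdlib.
    result["resolved_from_stdlib"] = (
        safe is not None
        and os.path.realpath(safe).startswith(STDLIB_DIR + os.sep)
    )
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("current sys.path[0]:", repr(sys.path[0]))
```

Running it shows the first resolution pointing at the temporary directory and the second at the standard library; the same check against a live `sys.path` (anything in it that is `''` or otherwise relative) is what an embedding application would want to run right after setting argv.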