James Vega
2008-Nov-03 00:27 UTC
[Secure-testing-team] Bug#504352: eog: Python scripts load modules from current directory
Package: eog
Version: 2.22.3-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

eog's python interface calls PySys_SetArgv with an argv[0] that doesn't resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user's system if a file in their working directory matches the name of a python module eog tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python.

--
James
GPG Key: 1024D/61326D40 2003-09-02
James Vega <jamessan at debian.org>

Attachment: 02_sanitize_sys.path.patch (text/x-diff, 320 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/4d24228e/attachment.patch
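The sys.path condition the report describes, shown as an added example (not code from the bug report, the attached patch, or eog): it models the interpreter's in-order module lookup, reports which imports would be satisfied from the working directory when a cwd-relative entry such as '' sits in sys.path, and shows the sanitization that removes such entries. The module name and the file placed in the temporary directory are constructed for the demonstration.

```python
import os
import sys
import tempfile

def cwd_relative_entries(path_list):
    """Entries of a sys.path-style list that resolve against the current working
    directory: '' (what PySys_SetArgv inserts when argv[0] is not a filename),
    '.', or any other non-absolute path."""
    return [p for p in path_list if not os.path.isabs(p)]

def sanitize_path(path_list):
    """Copy of path_list with every cwd-relative entry removed; apply to the
    live interpreter with sys.path[:] = sanitize_path(sys.path)."""
    return [p for p in path_list if os.path.isabs(p)]

def first_hit(name, path_list, cwd):
    """Entry of path_list where 'import name' would first find name.py or
    name/__init__.py, searching in order and resolving relative entries
    against cwd as the interpreter does. None if nothing matches."""
    for entry in path_list:
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        if (os.path.isfile(os.path.join(base, name + ".py"))
                or os.path.isfile(os.path.join(base, name, "__init__.py"))):
            return entry
    return None

def shadowed_modules(path_list, module_names, cwd):
    """Names whose import would be served from the working directory, i.e. the
    precondition the report describes: a file in cwd matching a module name."""
    shadowed = []
    for name in module_names:
        hit = first_hit(name, path_list, cwd)
        if hit is not None and not os.path.isabs(hit):
            shadowed.append(name)
    return shadowed

def demo():
    """Constructed scenario: a temporary working directory holding a file named
    after a module, and a sys.path shaped as in the report ('' first)."""
    name = "eog_bug504352_helper"  # stands in for a module the application imports
    with tempfile.TemporaryDirectory() as cwd:
        with open(os.path.join(cwd, name + ".py"), "w") as f:
            f.write("# constructed file standing in for a real module\n")
        path = [""] + [p for p in sys.path if os.path.isabs(p)]
        before = shadowed_modules(path, [name, "os"], cwd)
        after = shadowed_modules(sanitize_path(path), [name, "os"], cwd)
    return before, after

if __name__ == "__main__":
    print(demo())  # ['eog_bug504352_helper'] before sanitizing, [] after
```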