James Vega
2008-Nov-03 01:50 UTC
[Secure-testing-team] Bug#504359: csound: Python scripts load modules from current directory
Package: csound Version: 1:5.08.2~dfsg-1 Severity: grave Tags: security patch Justification: user security hole Usertags: pythonpath csound''s python interface calls PySys_SetArgv with an argv[0] that doesn''t resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user''s system if a file in their working directory matches the name of a python module csound tries to import. This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python. -- James GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: 1004-sanitize-sys.path.diff Type: text/x-diff Size: 728 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/091f08bc/attachment.diff -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/091f08bc/attachment.pgp