James Vega
2008-Nov-03 02:42 UTC
[Secure-testing-team] Bug#504363: epiphany-browser: Python plugins load modules from current directory
Package: ephiphany-browser Version: 2.22.3-6 Severity: grave Tags: security patch upstream Justification: user security hole Usertags: pythonpath Epiphany''s python interface calls PySys_SetArgv with an argv[0] that doesn''t resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user''s system if a file in their working directory matches the name of a python module epiphany tries to import. This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python. -- James GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: sanitize_sys.path.diff Type: text/x-diff Size: 311 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/98f0fcea/attachment-0001.diff -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/98f0fcea/attachment-0001.pgp